FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD and FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4

  • Question

  • Will the classify at the FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 layer occur after FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD?

    1. Client does connect:
       FWPM_LAYER_ALE_AUTH_CONNECT_V4 classifyFn is called
       one filter returns FWPM_ACTION_BLOCK
       FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD classifyFn is called
       FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 classifyFn will be called ????

    2. Client does connect:
       FWPM_LAYER_ALE_AUTH_CONNECT_V4 classifyFn is called
       all filters return FWP_ACTION_PERMIT
       FWPM_LAYER_STREAM_ESTABLISHED_V4 classifyFn is called
       Connection is established

       Someone adds a filter at FWPM_LAYER_ALE_AUTH_CONNECT_V4
       FWPM_LAYER_ALE_AUTH_CONNECT_V4 classifyFn is called with FWP_CONDITION_FLAG_IS_REAUTHORIZE flag
       one filter returns FWPM_ACTION_BLOCK
       FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD classifyFn is called ????
       FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 classifyFn will be called ????

    3. Can sleep or hibernate lead to classification at FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD?
       I have a rarely reproduced bug during hibernate.


    Tuesday, August 14, 2012 5:00 PM

All replies

  • 1) FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 will be called

    2) FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD should be called. FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 will be called.

    3) Power states themselves will not trigger classifies. However, many products will add / remove filters due to the power state transition, which may cause the block, and subsequently the FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD classification.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, August 15, 2012 7:28 PM
    Moderator
  • I've done some experiments:

    The driver registers 3 callouts, at FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD and FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4.

    1. Callout returns FWP_ACTION_PERMIT, there are no block filters.

    Debug output:
    ALE AUTH CONNECT Handle=3ba
    ALE AUTH CONNECT CLOSE  Handle=3ba

    2. Callout returns FWP_ACTION_PERMIT, there is a block filter (block rule for Windows Firewall)

    ALE AUTH CONNECT Handle=57b
    ALE AUTH CONNECT DISCARD  Handle=57b

    There is no ALE AUTH CONNECT CLOSE!

    3. Callout returns FWP_ACTION_BLOCK, there are no other block filters

    ALE AUTH CONNECT Handle=57b
    ALE AUTH CONNECT DISCARD  Handle=57b

    There is no ALE AUTH CONNECT CLOSE!

    4. Callout returns FWP_ACTION_PERMIT, there are no block filters.
    ALE AUTH CONNECT Handle=654
    --> turn on a block filter at firewall
    ALE AUTH CONNECT Handle=654    <-- Reauth 
    ALE AUTH CONNECT DISCARD ( reauth ) Handle=654 
    ALE AUTH CONNECT CLOSE Handle=654

    ALE AUTH CONNECT Handle=622    <-- trying to connect after block filter was applied
    ALE AUTH CONNECT DISCARD Handle=622     

    There is no ALE AUTH CONNECT CLOSE for the connection with handle 622!

    So I see the classify at FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 is called only if the connection was authorized at its beginning.

    • Edited by pykd team Friday, September 21, 2012 8:26 AM
    Friday, September 21, 2012 7:45 AM
  • The same for inbound connections:

    1. Callout returns FWP_ACTION_PERMIT, there are no block filters.
    ALE AUTH RECV Handle=6fe
    ALE AUTH CONNECT CLOSE  Handle=6fe

    2. Callout returns FWP_ACTION_PERMIT, there is a block filter (block rule for Windows Firewall)
    ALE AUTH RECV Handle=7c8
    ALE AUTH CONNECT DISCARD  Handle=7c8
    There is no ALE AUTH CONNECT CLOSE!

    3. Callout returns FWP_ACTION_PERMIT, there are no block filters.
    ALE AUTH RECV Handle=983
    --> turn on a block filter at firewall
    ALE AUTH RECV Handle=983 <-- Reauth
    ALE AUTH CONNECT DISCARD ( reauth ) Handle=983 <-- DISCARD called for any packet from remote site
    ALE AUTH CONNECT DISCARD  ( reauth ) Handle=983
    ALE AUTH CONNECT DISCARD  ( reauth ) Handle=983
    ALE AUTH CONNECT CLOSE  Handle=983

    Friday, September 21, 2012 8:26 AM
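A practical consequence of the traces in the two experiment posts above, shown as an added example that is not code from the thread: a callout that allocates per-flow state at the ALE_AUTH_CONNECT / ALE_AUTH_RECV_ACCEPT classify and releases it only at ALE_ENDPOINT_CLOSURE leaks that state for every flow blocked at its initial authorization, because no CLOSURE classify follows an initial DISCARD. The script replays the posted debug lines (handles are the thread's own) through a naive tracker and one that also releases state on a non-reauth DISCARD; the line format and the "reauth" marker are assumptions taken from the posts.

```python
import re

# Debug output from the outbound and inbound experiments, in the format the
# posts used (annotation arrows such as "<-- Reauth" are kept verbatim).
TRACE = """\
ALE AUTH CONNECT Handle=3ba
ALE AUTH CONNECT CLOSE  Handle=3ba
ALE AUTH CONNECT Handle=57b
ALE AUTH CONNECT DISCARD  Handle=57b
ALE AUTH CONNECT Handle=654
ALE AUTH CONNECT Handle=654    <-- Reauth
ALE AUTH CONNECT DISCARD ( reauth ) Handle=654
ALE AUTH CONNECT CLOSE Handle=654
ALE AUTH CONNECT Handle=622
ALE AUTH CONNECT DISCARD Handle=622
ALE AUTH RECV Handle=6fe
ALE AUTH CONNECT CLOSE  Handle=6fe
ALE AUTH RECV Handle=7c8
ALE AUTH CONNECT DISCARD  Handle=7c8
ALE AUTH RECV Handle=983
ALE AUTH RECV Handle=983 <-- Reauth
ALE AUTH CONNECT DISCARD ( reauth ) Handle=983
ALE AUTH CONNECT DISCARD  ( reauth ) Handle=983
ALE AUTH CONNECT CLOSE  Handle=983
"""

# Layer (CONNECT or RECV), optional event (DISCARD or CLOSE), flow handle.
LINE_RE = re.compile(r"^ALE AUTH (CONNECT|RECV)\s*(DISCARD|CLOSE)?.*?Handle=([0-9a-f]+)")


def simulate(trace, free_on_initial_discard):
    """Replay the trace; return (handles still allocated, handles freed twice)."""
    live = {}          # handle -> layer that allocated the per-flow state
    freed_twice = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        layer, event, handle = m.groups()
        reauth = "reauth" in line.lower()
        if event is None:
            # AUTH classify (initial or reauth): allocate once per flow handle
            live.setdefault(handle, layer)
        elif event == "CLOSE":
            # ENDPOINT_CLOSURE: the only release point of the naive design
            if live.pop(handle, None) is None:
                freed_twice.append(handle)
        elif event == "DISCARD" and not reauth and free_on_initial_discard:
            # Blocked at initial authorization: per the experiments no CLOSURE
            # follows, so release here. A reauth DISCARD is followed by CLOSURE,
            # so releasing there too would free the state twice.
            live.pop(handle, None)
    return set(live), freed_twice
```

With the naive tracker the never-authorized flows 57b, 622 and 7c8 stay allocated forever; releasing on a non-reauth DISCARD clears them without double-freeing the reauthorized flows 654 and 983.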