WFP Whitelist working for IPv4 but not IPv6

  • Question

  • I have implemented a whitelist for WFP in Delphi, similar to the one on http://social.msdn.microsoft.com/Forums/en/wfp/thread/96aad017-6f88-49b0-be81-f3a1fe631f55. It works for IPv4 but not for IPv6. I'm trying to block all IPv6 traffic except for the UDP protocol. The whitelist works for around 10 seconds after adding the 2 filters, and I'm able to receive inbound UDP packets; after that the whitelist fails and all UDP packets are blocked.

    Filter 2:

    // Single condition: IP protocol equals UDP
    Conditions[0].fieldKey := FWPM_CONDITION_IP_PROTOCOL;
    Conditions[0].matchType := FWP_MATCH_EQUAL;
    Conditions[0].conditionValue.typ := FWP_UINT8;
    Conditions[0].conditionValue.uint8 := IPPROTO_UDP;

    // Permit filter at the inbound IPv6 transport layer; the display name is a
    // plain Delphi string literal (no C-style L prefix)
    bf2.displayData.name := 'Firewall';
    bf2.layerKey := FWPM_LAYER_INBOUND_TRANSPORT_V6;
    bf2.action.typ := FWP_ACTION_PERMIT;
    bf2.weight.typ := FWP_EMPTY;   // weight left to the engine
    bf2.filterCondition := @Conditions;
    bf2.numFilterConditions := 1;
    result := FwpmFilterAdd0(m_hEngineHandle, @bf2, NIL, ID2);

    Filter 1:

    // Unconditional block filter at the same layer
    bf1.displayData.name := 'Firewall';
    bf1.layerKey := FWPM_LAYER_INBOUND_TRANSPORT_V6;
    bf1.action.typ := FWP_ACTION_BLOCK;
    bf1.weight.typ := FWP_EMPTY;
    bf1.filterCondition := nil;   // no conditions: a pointer field takes nil, not 0
    bf1.numFilterConditions := 0;
    result := FwpmFilterAdd0(m_hEngineHandle, @bf1, NIL, ID1);

    Any help here? Thanks.


    • Edited by jwchoy Monday, March 26, 2012 8:41 AM
    Monday, March 26, 2012 7:33 AM

Answers

  • The problem is solved by adding a filter permitting ICMPv6.
    • Marked as answer by jwchoy Friday, March 30, 2012 1:25 AM
    Friday, March 30, 2012 1:25 AM
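    The complete filter set the thread converges on (block all inbound IPv6, permit UDP, permit ICMPv6), written up as an added example rather than code from the thread. It assumes a Delphi translation of fwpmu.h (hypothetical unit name WfpApi) that exposes FWPM_FILTER0 and FWPM_FILTER_CONDITION0 with the member names used above (typ standing in for the reserved word type), the layer and condition GUIDs, FwpmEngineOpen0/FwpmEngineClose0, FwpmTransactionBegin0/Commit0/Abort0, and FwpmFilterAdd0 taking a PUINT64 for the returned filter id. The security point it illustrates is that an IPv6 "allow only X" policy must also admit the control traffic the stack depends on: Neighbor Discovery is carried in ICMPv6, so blocking it silently breaks address resolution for everything else once cached neighbor entries expire.

```delphi
{ Added example, not code from the thread. Assumes a WFP header translation
  unit (hypothetical name WfpApi) as described in the text above. }
uses
  Windows, SysUtils, WfpApi;

const
  IPPROTO_UDP       = 17;
  IPPROTO_ICMPV6    = 58;  // Neighbor Solicitation/Advertisement travel in ICMPv6
  RPC_C_AUTHN_WINNT = 10;

procedure CheckWfp(Status: DWORD; const Step: string);
begin
  if Status <> ERROR_SUCCESS then
    raise Exception.CreateFmt('%s failed with 0x%.8x', [Step, Status]);
end;

{ Builds an "IP protocol equals Proto" condition. }
procedure SetProtocolCondition(var C: FWPM_FILTER_CONDITION0; Proto: UINT8);
begin
  FillChar(C, SizeOf(C), 0);
  C.fieldKey := FWPM_CONDITION_IP_PROTOCOL;
  C.matchType := FWP_MATCH_EQUAL;
  C.conditionValue.typ := FWP_UINT8;
  C.conditionValue.uint8 := Proto;
end;

{ Adds one filter at FWPM_LAYER_INBOUND_TRANSPORT_V6 and returns its id.
  Conds may be nil with CondCount = 0 for an unconditional filter. }
function AddInboundV6Filter(Engine: THandle; const AName: string;
  Action: UINT32; Weight: UINT8; Conds: Pointer; CondCount: UINT32;
  HardPermit: Boolean): UINT64;
var
  F: FWPM_FILTER0;
  Id: UINT64;
begin
  FillChar(F, SizeOf(F), 0);
  F.displayData.name := PWideChar(AName);
  F.layerKey := FWPM_LAYER_INBOUND_TRANSPORT_V6;
  F.action.typ := Action;
  // Explicit weights keep the order deterministic instead of leaving it to
  // the engine (FWP_EMPTY); within a sublayer the highest-weight match wins.
  F.weight.typ := FWP_UINT8;
  F.weight.uint8 := Weight;
  // CLEAR_ACTION_RIGHT makes the permit "hard": a block from a lower-weight
  // sublayer cannot override it.
  if HardPermit then
    F.flags := FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT;
  F.filterCondition := Conds;
  F.numFilterConditions := CondCount;
  CheckWfp(FwpmFilterAdd0(Engine, @F, nil, @Id), 'FwpmFilterAdd0 (' + AName + ')');
  Result := Id;
end;

procedure InstallIPv6Whitelist;
var
  Engine: THandle;
  UdpCond, Icmp6Cond: FWPM_FILTER_CONDITION0;
  IdBlock, IdUdp, IdIcmp6: UINT64;
begin
  Engine := 0;
  CheckWfp(FwpmEngineOpen0(nil, RPC_C_AUTHN_WINNT, nil, nil, @Engine), 'FwpmEngineOpen0');
  try
    // One transaction: the block filter never goes live without its permits.
    CheckWfp(FwpmTransactionBegin0(Engine, 0), 'FwpmTransactionBegin0');
    try
      IdBlock := AddInboundV6Filter(Engine, 'Firewall: block inbound IPv6',
        FWP_ACTION_BLOCK, 1, nil, 0, False);

      SetProtocolCondition(UdpCond, IPPROTO_UDP);
      IdUdp := AddInboundV6Filter(Engine, 'Firewall: permit inbound UDP over IPv6',
        FWP_ACTION_PERMIT, $F, @UdpCond, 1, True);

      // The filter the thread was missing. Blocking inbound ICMPv6 also drops
      // the Neighbor Solicitations peers send to resolve this host's address,
      // so once their cached entry expires they can no longer deliver UDP to it.
      SetProtocolCondition(Icmp6Cond, IPPROTO_ICMPV6);
      IdIcmp6 := AddInboundV6Filter(Engine, 'Firewall: permit inbound ICMPv6',
        FWP_ACTION_PERMIT, $F, @Icmp6Cond, 1, True);

      CheckWfp(FwpmTransactionCommit0(Engine), 'FwpmTransactionCommit0');
      Writeln(Format('Filters added: block=%d udp=%d icmpv6=%d',
        [IdBlock, IdUdp, IdIcmp6]));
    except
      FwpmTransactionAbort0(Engine);
      raise;
    end;
  finally
    FwpmEngineClose0(Engine);
  end;
end;
```

    This reading also fits the earlier observation in the thread: a permit keyed only on the remote address let that peer's Neighbor Solicitations through, while adding a local-port condition excluded them again, since ICMPv6 carries no port. Permitting all of ICMPv6 is broader than strictly needed; if a tighter rule is wanted, the inbound transport layer reports the ICMP type in its port condition fields for ICMP traffic, which would allow restricting the permit to the Neighbor Discovery types (133 through 137), but check that against the layer's documented fields for the Windows version in use before relying on it. Filters added without FWPM_FILTER_FLAG_PERSISTENT do not survive a reboot.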

All replies

  • I think you should set the weight of filter 2 > the weight of filter 1, and set the FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT flag for filter 2. So filter 2 will work before filter 1 and it will set the "strong" action PERMIT.
    Monday, March 26, 2012 9:53 AM
  • Thanks for the suggestion, but the same thing happens. The whitelist stopped working after a short moment. I've tried changing Conditions to:

    // Condition 0: remote IPv6 address matches the supplied address/mask
    Conditions[0].fieldKey := FWPM_CONDITION_IP_REMOTE_ADDRESS;
    Conditions[0].matchType := FWP_MATCH_EQUAL;
    Conditions[0].conditionValue.typ := FWP_V6_ADDR_MASK;
    Conditions[0].conditionValue.v6AddrMask := @V6AddrMask;

    With just 1 condition supplying the IPv6 address of a remote host, the whitelist works, but if I add another condition, say for example:

    // Condition 1: local port equals 567
    Conditions[1].fieldKey := FWPM_CONDITION_IP_LOCAL_PORT;
    Conditions[1].matchType := FWP_MATCH_EQUAL;
    Conditions[1].conditionValue.typ := FWP_UINT16;
    Conditions[1].conditionValue.uint16 := 567;

    and my filter 2 becomes:

    // Permit filter with an explicit weight and a hard permit, two conditions
    bf2.displayData.name := 'Firewall';
    bf2.layerKey := FWPM_LAYER_INBOUND_TRANSPORT_V6;
    bf2.flags := FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT;
    bf2.action.typ := FWP_ACTION_PERMIT;
    bf2.weight.typ := FWP_UINT8;
    bf2.weight.uint8 := $F;
    bf2.filterCondition := @Conditions;
    bf2.numFilterConditions := 2;
    result := FwpmFilterAdd0(m_hEngineHandle, @bf2, NIL, ID2);

    the whitelist fails again. Sorry, all these are written in Delphi.

    Anyone got a clue? TIA!

    Monday, March 26, 2012 10:12 AM