firewall using WFP to filter tcp udp icmp in w7

  • Question

  • Please, I am new to WFP and I have a school project to develop a firewall in Windows 7 filtering TCP, UDP and ICMP.

    I need help, but I looked at the WinDDK samples (ddproxy, inspect ...).

    Now we want to block all traffic, but we want a code example if you have a suggestion, or any ideas about this subject.

    Thanks a lot

     

    Tuesday, March 8, 2011 11:19 AM

All replies

  • This is the code that will block all TCP inbound and outbound network traffic ... Add the filters to the appropriate layers for blocking UDP and ICMP data ...

    // On/off network traffic

    #include <ntddk.h>
    #include <winerror.h>

    #pragma warning(push)
    #pragma warning(disable:4201)   // nameless struct/union in the WFP headers
    #include <fwpsk.h>
    #pragma warning(pop)

    #include <fwpmk.h>

    // A kernel-mode driver links the kernel WFP client library;
    // fwpmu.h and Fwpuclnt.lib are the user-mode equivalents.
    #pragma comment(lib, "fwpkclnt.lib")

    /*
     FWPM_PROVIDER Key
    **/
    static const GUID WFPSAMPLER_PROVIDER =
    {
     /* 53504657-6D61-5F70-5072-6F7669646572 */
     0x53504657,
     0x6D61,
     0x5F70,
     {0x50, 0x72, 0x6F, 0x76, 0x69, 0x64, 0x65, 0x72}
    };

    /*
     FWPM_SUBLAYER Key
    **/
    static const GUID WFPSAMPLER_SUBLAYER =
    {
     /* 53504657-6D61-5F70-5375-624C61796572 */
     0x53504657,
     0x6D61,
     0x5F70,
     {0x53, 0x75, 0x62, 0x4C, 0x61, 0x79, 0x65, 0x72}
    };

    HANDLE engineHanle;
    FWPM_SESSION session;
    FWPM_PROVIDER provider;
    FWPM_FILTER_CONDITION condition;
    FWPM_FILTER blockFilterIn;
    FWPM_FILTER blockFilterOut;
    FWPM_SUBLAYER sublayer;
    FWP_V4_ADDR_AND_MASK addrtoblock;

    DRIVER_INITIALIZE DriverEntry;
    NTSTATUS
    DriverEntry(
      IN PDRIVER_OBJECT driverObject,
      IN PUNICODE_STRING registryPath
      );

    DRIVER_UNLOAD DriverUnload;
    VOID
    DriverUnload(
      IN PDRIVER_OBJECT driverObject
      );

    VOID
    DriverUnload(
      IN PDRIVER_OBJECT driverObject
      )
    {
        UNREFERENCED_PARAMETER(driverObject);

        // Remove both filters, then close the engine session
        FwpmFilterDeleteById0(engineHanle, blockFilterIn.filterId);
        FwpmFilterDeleteById0(engineHanle, blockFilterOut.filterId);
        FwpmEngineClose0(engineHanle);
        engineHanle = 0;
    }

    NTSTATUS
    DriverEntry(
      IN PDRIVER_OBJECT driverObject,
      IN PUNICODE_STRING registryPath
      )
    {
        NTSTATUS status;

        UNREFERENCED_PARAMETER(registryPath);

        // Use ALE_CONNECT to block; protocol info can also be added as a filter condition
        driverObject->DriverUnload = DriverUnload;

        session.displayData.name = L"My Session";
        session.flags = FWPM_SESSION_FLAG_DYNAMIC;

        provider.displayData.name = L"My Provider";
        provider.providerKey = WFPSAMPLER_PROVIDER;

        sublayer.displayData.name = L"My Sublayer";
        sublayer.subLayerKey = WFPSAMPLER_SUBLAYER;
        sublayer.providerKey = (GUID *)&WFPSAMPLER_PROVIDER;

        memset(&blockFilterIn, 0, sizeof(FWPM_FILTER0));
        memset(&blockFilterOut, 0, sizeof(FWPM_FILTER0));

        status = FwpmEngineOpen(0,
                                RPC_C_AUTHN_WINNT,
                                0,
                                &session,
                                &engineHanle);
        if (!NT_SUCCESS(status))
            return status;

        // No filter conditions: each filter matches every packet at its layer
        blockFilterIn.displayData.name = L"Block Inbound Filter";
        blockFilterIn.layerKey = FWPM_LAYER_INBOUND_TRANSPORT_V4;
        blockFilterIn.subLayerKey = sublayer.subLayerKey;
        blockFilterIn.weight.type = FWP_UINT8;
        blockFilterIn.weight.uint8 = 0xF;
        blockFilterIn.numFilterConditions = 0;
        blockFilterIn.filterCondition = 0;
        blockFilterIn.action.type = FWP_ACTION_BLOCK;

        blockFilterOut.displayData.name = L"Block Outbound Filter";
        blockFilterOut.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
        blockFilterOut.subLayerKey = sublayer.subLayerKey;
        blockFilterOut.weight.type = FWP_UINT8;
        blockFilterOut.weight.uint8 = 0xF;
        blockFilterOut.numFilterConditions = 0;
        blockFilterOut.filterCondition = 0;
        blockFilterOut.action.type = FWP_ACTION_BLOCK;

        // Add provider, sublayer and both filters in one transaction
        status = FwpmTransactionBegin(engineHanle, 0);
        if (NT_SUCCESS(status))
        {
            status = FwpmProviderAdd(engineHanle, &provider, 0);
            if (NT_SUCCESS(status))
                status = FwpmSubLayerAdd(engineHanle, &sublayer, 0);
            if (NT_SUCCESS(status))
                status = FwpmFilterAdd(engineHanle, &blockFilterOut, 0, &(blockFilterOut.filterId));
            if (NT_SUCCESS(status))
                status = FwpmFilterAdd(engineHanle, &blockFilterIn, 0, &(blockFilterIn.filterId));

            if (NT_SUCCESS(status))
                status = FwpmTransactionCommit(engineHanle);
            else
                FwpmTransactionAbort0(engineHanle);
        }

        if (!NT_SUCCESS(status))
        {
            // DriverUnload is not called when DriverEntry fails, so close the engine here
            FwpmEngineClose0(engineHanle);
            engineHanle = 0;
        }

        return status;
    }

     

    Tuesday, March 8, 2011 11:41 AM
  • Are you wanting to block inbound? outbound? both?

    The following has a code snippet by me:
       http://social.msdn.microsoft.com/Forums/en-US/wfp/thread/96aad017-6f88-49b0-be81-f3a1fe631f55

    For your needs, pay attention to the Block all filter.  You will want to sit at  FWPM_LAYER_{INBOUND/OUTBOUND}_TRANSPORT_V{4/6}.

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, March 8, 2011 4:36 PM
    Moderator
  • Thanks a lot, Dusty and pratik007,

    We want to block all inbound and outbound traffic at first, and afterwards specify the IP address when a user (in user mode) wants to block that IP address?

    Wednesday, March 9, 2011 12:12 PM
  • If you are wanting to block all traffic by IP, then you would sit at the INBOUND_IPPACKET_V{4 / 6} layers, and for outbound sit at ALE_AUTH_CONNECT.  These would put you in the path with the least processing being done on the packet prior to you dropping it.  Again you can modify the sample I pointed you to to do this very easily.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    Wednesday, March 9, 2011 8:02 PM
    Moderator
  • Hi Dusty, and thanks for your response. I block all traffic, but I was trying to permit one specific IP address and the result doesn't work correctly. I tried this code:

    // Filter Condition
    pFilterConditions.fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    pFilterConditions.matchType = FWP_MATCH_EQUAL;
    pFilterConditions.conditionValue.type = FWP_UINT32;
    pFilterConditions.conditionValue.uint32 = 0xC0A8ADCF; //192.168.173.207

    // Block all
    blockFilter.displayData.name = L"Nalli-IS's Basic Block Filter";
    blockFilter.flags = FWPM_FILTER_FLAG_PERSISTENT;
    blockFilter.providerKey = &provider.providerKey;
    blockFilter.layerKey = FWPM_LAYER_INBOUND_IPPACKET_V4; // I have 3 other similar filters for INBOUND_V6 and OUTBOUND_V4/V6
    blockFilter.subLayerKey = subLayer.subLayerKey;
    blockFilter.weight.type = FWP_UINT8;
    blockFilter.weight.uint8 = 0xF;
    blockFilter.numFilterConditions = 0;
    blockFilter.filterCondition = 0;
    blockFilter.action.type = FWP_ACTION_BLOCK;

    // Allow only specified in the filter condition
    permitFilter.displayData.name = L"Nalli-IS's Basic Permit Filter";
    permitFilter.flags = FWPM_FILTER_FLAG_PERSISTENT;
    permitFilter.providerKey = &provider.providerKey;
    permitFilter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; // and V6
    permitFilter.subLayerKey = subLayer.subLayerKey;
    permitFilter.weight.type = FWP_UINT8;
    permitFilter.weight.uint8 = 0xF;
    permitFilter.numFilterConditions = 1;
    permitFilter.filterCondition = pFilterConditions;
    permitFilter.action.type = FWP_ACTION_PERMIT;

    If you have a suggestion or an example of code to permit a specific (IP address) filter, help me ...
    Thursday, March 10, 2011 11:00 PM
  • This will take care of the INBOUND IPv4 traffic. You would do the same thing for your outbound except use FWPM_LAYER_ALE_AUTH_CONNECT_V{4/6}
    /// Filter Condition 
    pFilterConditions.fieldKey    = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    pFilterConditions.matchType    = FWP_MATCH_EQUAL;
    pFilterConditions.conditionValue.type = FWP_UINT32;
    pFilterConditions.conditionValue.uint32 = 0xC0A8ADCF; //192.168.173.207
    
    /// Block all 
    blockFilter.displayData.name = L"Nalli-IS's Basic Block Filter";
    blockFilter.flags    = FWPM_FILTER_FLAG_PERSISTENT;
    blockFilter.providerKey   = &(provider.providerKey);
    blockFilter.layerKey   = FWPM_LAYER_INBOUND_IPPACKET_V4;
    blockFilter.subLayerKey   = subLayer.subLayerKey;
    blockFilter.weight.type   = FWP_UINT8;
    blockFilter.weight.uint8  = 0x0;        /// This filter should be your lowest weight as it's essentially your catch all
    blockFilter.numFilterConditions = 0;
    blockFilter.filterCondition  = 0;
    blockFilter.action.type   = FWP_ACTION_BLOCK; 
    
    /// Allow only specified in the filter condition
    permitFilter.displayData.name = L"Nalli-IS's Basic Permit Filter";
    permitFilter.flags    = FWPM_FILTER_FLAG_PERSISTENT;
    permitFilter.providerKey   = &(provider.providerKey);
    permitFilter.layerKey   = FWPM_LAYER_INBOUND_IPPACKET_V4; /// each layer is arbitrated separately
    permitFilter.subLayerKey   = subLayer.subLayerKey;
    permitFilter.weight.type   = FWP_UINT8;
    permitFilter.weight.uint8  = 0xF;        /// This filter should be a higher weight as it's more specific
    permitFilter.numFilterConditions = 1;
    permitFilter.filterCondition  = pFilterConditions;
    permitFilter.action.type   = FWP_ACTION_PERMIT;
    
    Hope this helps
    Dusty Harper [MSFT]
    Microsoft Corporation
    Friday, March 11, 2011 3:47 AM
    Moderator
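
Added example (not part of the thread and not Microsoft's code): a small C model of the point made in the reply above, that each layer is arbitrated separately and the catch-all block needs the lowest weight. It assumes a single sublayer in which the highest-weight matching filter decides; the struct, enum and function names are hypothetical and no WFP API is called.

```c
/* Simplified model of WFP arbitration (constructed example, not the WFP API).
 * Assumptions: one sublayer; in each layer the matching filter with the
 * highest weight decides (first added wins a tie); a layer with no matching
 * filter permits; each layer is arbitrated separately. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum layer  { INBOUND_IPPACKET_V4, ALE_AUTH_CONNECT_V4 };
enum action { ACT_PERMIT, ACT_BLOCK };

struct filter {
    const char *name;
    enum layer  layer;
    uint8_t     weight;
    int         has_cond;     /* 0: no conditions, matches every packet */
    uint32_t    remote_addr;  /* host byte order, like the FWP_UINT32 value */
    enum action action;
};

#define PEER 0xC0A8ADCFu      /* 192.168.173.207, the address used in the thread */

/* Rule set from the question: block and permit sit in different layers. */
static const struct filter question_rules[] = {
    { "block all", INBOUND_IPPACKET_V4, 0xF, 0, 0,    ACT_BLOCK  },
    { "permit",    ALE_AUTH_CONNECT_V4, 0xF, 1, PEER, ACT_PERMIT },
};

/* Rule set from the reply: same layer, catch-all block at the lowest weight. */
static const struct filter answer_rules[] = {
    { "block all", INBOUND_IPPACKET_V4, 0x0, 0, 0,    ACT_BLOCK  },
    { "permit",    INBOUND_IPPACKET_V4, 0xF, 1, PEER, ACT_PERMIT },
};

/* Return the filter that decides `layer` for a packet from `remote`, or NULL. */
static const struct filter *winner(const struct filter *f, size_t n,
                                   enum layer layer, uint32_t remote)
{
    const struct filter *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (f[i].layer != layer)
            continue;                       /* other layers do not take part */
        if (f[i].has_cond && f[i].remote_addr != remote)
            continue;                       /* condition does not match */
        if (best == NULL || f[i].weight > best->weight)
            best = &f[i];
    }
    return best;
}

static int inbound_permitted(const struct filter *f, size_t n, uint32_t remote)
{
    const struct filter *w = winner(f, n, INBOUND_IPPACKET_V4, remote);
    return w == NULL || w->action == ACT_PERMIT;
}

int question_permits(uint32_t remote)
{
    return inbound_permitted(question_rules,
                             sizeof question_rules / sizeof question_rules[0], remote);
}

int answer_permits(uint32_t remote)
{
    return inbound_permitted(answer_rules,
                             sizeof answer_rules / sizeof answer_rules[0], remote);
}

int main(void)
{
    printf("question rules, packet from peer: %s\n",
           question_permits(PEER) ? "permit" : "block");
    printf("answer rules,   packet from peer: %s\n",
           answer_permits(PEER) ? "permit" : "block");
    printf("answer rules,   packet from 10.0.2.2: %s\n",
           answer_permits(0x0A000202u) ? "permit" : "block");
    return 0;
}
```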
  • Thanks very much, Dusty, for your help.

    I would like to ask one question concerning adding a filter with a condition when I specify the IP address.

    I tried this code but it doesn't work; I would like to block one IP address.

     

    /// Filter Condition
    pFilterConditions.fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    pFilterConditions.matchType = FWP_MATCH_EQUAL;
    pFilterConditions.conditionValue.type = FWP_UINT32;
    pFilterConditions.conditionValue.uint32 = 0xC0A8ADCF; //192.168.173.207

    /// Allow only specified in the filter condition
    permitFilter.displayData.name = L"Nalli-IS's Basic Permit Filter";
    permitFilter.flags = FWPM_FILTER_FLAG_PERSISTENT;
    permitFilter.providerKey = &(provider.providerKey);
    permitFilter.layerKey = FWPM_LAYER_INBOUND_IPPACKET_V4; /// each layer is arbitrated separately
    permitFilter.subLayerKey = subLayer.subLayerKey;
    permitFilter.weight.type = FWP_UINT8;
    permitFilter.weight.uint8 = 0xF; /// This filter should be a higher weight as it's more specific
    permitFilter.numFilterConditions = 1;
    permitFilter.filterCondition = pFilterConditions;
    permitFilter.action.type = FWP_ACTION_BLOCK;

     

     

    Monday, March 14, 2011 7:04 PM
  • When you say it doesn't work, are you referring to the traffic not being blocked?  An error generated when adding the filter?  Can you be more specific?  If it's not being blocked, then can you specify what other filters are on the machine?

    Thanks,

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    Monday, March 14, 2011 7:22 PM
    Moderator
  • Thanks, Dusty. Yeah, there is no error generated, but when I try to ping the machine (in a console terminal), the ping works normally and that's a problem. Normally, when a user tries to ping this specific machine, the ping should not work?

     

    I need your help

     

    thanks

    Monday, March 14, 2011 8:34 PM
  • If it is possible, could you demonstrate the code for adding a filter when you specify the IP address of the machine that you want to block?

     

    thanks

    Monday, March 14, 2011 8:37 PM
  • This filter says to block all traffic FROM 192.168.173.207 into the local machine.  Is this what you are trying to accomplish?  Or is 192.168.173.207 an address on the machine that is running your firewall software, and you want to block all traffic to this IP?

    Thanks


    Dusty Harper [MSFT]
    Microsoft Corporation
    Monday, March 14, 2011 11:07 PM
    Moderator
  • Yes, my IP address is 10.0.2.15 and I want to block all traffic from this IP address, 10.0.2.2, but the code I tried doesn't work correctly.

     

    I don't know what i can do

     

    Tuesday, March 15, 2011 10:47 AM
  • /// Filter Condition
    pFilterConditions.fieldKey       = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    pFilterConditions.matchType       = FWP_MATCH_EQUAL;
    pFilterConditions.conditionValue.type  = FWP_UINT32;
    pFilterConditions.conditionValue.uint32 = 0x0A000202; //10.0.2.2
    
    /// Block only specified filter condition
    blockFilter.displayData.name  = L"Nalli-IS's Basic Block Filter";
    blockFilter.flags        = FWPM_FILTER_FLAG_PERSISTENT;
    blockFilter.providerKey     = &(provider.providerKey);
    blockFilter.layerKey      = FWPM_LAYER_INBOUND_IPPACKET_V4; /// each layer is arbitrated separately
    blockFilter.subLayerKey     = subLayer.subLayerKey;
    blockFilter.weight.type     = FWP_UINT8;
    blockFilter.weight.uint8    = 0xF; /// This filter should be a higher weight as it's more specific
    blockFilter.numFilterConditions = 1;
    blockFilter.filterCondition   = pFilterConditions;
    blockFilter.action.type     = FWP_ACTION_BLOCK;
    

    If this still doesn't work for you, then you need to investigate what other filters are on the machine which are making it so this one doesn't match.  (You could start by placing only this filter in its own sublayer, forcing it to be arbitrated.)

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    Tuesday, March 15, 2011 3:26 PM
    Moderator
  • My firewall's default policy is to block all traffic. This works fine.
    Now I want to add a rule that allows only one address to pass the firewall.
    Here is the source code used, but the allowed address is also blocked. Could you look at the code for me, please?

    /*
     FWPM_PROVIDER Key
    **/
    static const GUID WFPSAMPLER_PROVIDER =
    {
     /* 53504657-6D61-5F70-5072-6F7669646572 */
     0x53504657,
     0x6D61,
     0x5F70,
     {0x50, 0x72, 0x6F, 0x76, 0x69, 0x64, 0x65, 0x72}
    };

    /*
     FWPM_SUBLAYER Key
    **/
    static const GUID WFPSAMPLER_SUBLAYER =
    {
     /* 53504657-6D61-5F70-5375-624C61796572 */
     0x53504657,
     0x6D61,
     0x5F70,
     {0x53, 0x75, 0x62, 0x4C, 0x61, 0x79, 0x65, 0x72}
    };

    // permit a specific IP address

    HANDLE engineHanleAdd;
    FWPM_SESSION session;
    FWPM_PROVIDER provider;
    FWPM_SUBLAYER sublayer;
    FWPM_FILTER_CONDITION filterCondition;
    FWPM_FILTER permitFilterIn_V4;
    FWPM_FILTER permitFilterOut_V4;

    FWP_V4_ADDR_AND_MASK addrtoblock_V4;
    FWP_V6_ADDR_AND_MASK addrtoblock_V6;

    session.displayData.name=L"My Session";
    session.flags=FWPM_SESSION_FLAG_DYNAMIC;
    provider.displayData.name=L"My Provider";
    provider.providerKey=WFPSAMPLER_PROVIDER;
    sublayer.displayData.name=L"My Sublayer";
    sublayer.subLayerKey=WFPSAMPLER_SUBLAYER;
    sublayer.providerKey=(GUID*)&WFPSAMPLER_PROVIDER;
    memset(&permitFilterIn_V4,0,sizeof(FWPM_FILTER0));
    memset(&permitFilterOut_V4,0,sizeof(FWPM_FILTER0));
    memset(&filterCondition,0,sizeof(FWPM_FILTER_CONDITION0));
    memset(&addrtoblock_V4,0,sizeof(FWP_V4_ADDR_AND_MASK));

    FwpmEngineOpen(0,
                   RPC_C_AUTHN_WINNT,
                   0,
                   &session,
                   &engineHanleAdd);

    addrtoblock_V4.addr = pf->sourceIp.adress_V4 ;//0x0A000202; /// 10.0.2.2
    addrtoblock_V4.mask = pf->sourceMask.mask_V4 ; //0x00000000; /// 0.0.0.0

    filterCondition.fieldKey    = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    filterCondition.matchType   = FWP_MATCH_EQUAL;
    filterCondition.conditionValue.type   = FWP_V4_ADDR_MASK;
    filterCondition.conditionValue.v4AddrMask = &addrtoblock_V4;

    permitFilterIn_V4.displayData.name = L"Filter to permit inbound Filter";
    permitFilterIn_V4.layerKey   = FWPM_LAYER_INBOUND_IPPACKET_V4;
    permitFilterIn_V4.subLayerKey   = sublayer.subLayerKey;
    permitFilterIn_V4.weight.type   = FWP_UINT8;
    permitFilterIn_V4.weight.uint8  = 0x0F;
    permitFilterIn_V4.numFilterConditions = 1;
    permitFilterIn_V4.filterCondition  = &filterCondition;
    permitFilterIn_V4.action.type   = FWP_ACTION_PERMIT;

    permitFilterOut_V4.displayData.name = L"Filter to permit inbound Filter";
    permitFilterOut_V4.layerKey   = FWPM_LAYER_OUTBOUND_IPPACKET_V4;
    permitFilterOut_V4.subLayerKey   = sublayer.subLayerKey;
    permitFilterOut_V4.weight.type   = FWP_UINT8;
    permitFilterOut_V4.weight.uint8  = 0x0F;
    permitFilterOut_V4.numFilterConditions = 1;
    permitFilterOut_V4.filterCondition  = &filterCondition;
    permitFilterOut_V4.action.type   = FWP_ACTION_PERMIT;

    FwpmTransactionBegin(engineHanleAdd,0);
    FwpmProviderAdd(engineHanleAdd,&provider,0);
    FwpmSubLayerAdd(engineHanleAdd,&sublayer,0);

    // outbound
    FwpmFilterAdd(engineHanleAdd,&permitFilterOut_V4,0,&(permitFilterOut_V4.filterId));

    // inbound
    FwpmFilterAdd(engineHanleAdd,&permitFilterIn_V4,0,&(permitFilterIn_V4.filterId));
    FwpmTransactionCommit(engineHanleAdd);

    Friday, March 18, 2011 2:12 PM
  • I don't know why you decided to use the V4_ADDR_MASK, as this is generally used for subnets.  If you fix your mask in this to 255.255.255.255, then it should permit the single address.

     

    Hope this helps,

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    Friday, March 18, 2011 4:41 PM
    Moderator
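
Added example (not part of the thread): how the address and mask values from the posted code behave, assuming the usual subnet comparison in which a condition matches when the remote address and the condition address agree under the mask. `v4_addr_and_mask` is a stand-in for FWP_V4_ADDR_AND_MASK, the helper names are hypothetical, and 203.0.113.9 is a constructed sample address.

```c
/* Constructed example: host-order IPv4 values and address/mask matching.
 * Assumption: a V4 address-and-mask condition matches when
 * (remote & mask) == (addr & mask), the usual subnet comparison. */
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FWP_V4_ADDR_AND_MASK (both fields in host byte order). */
struct v4_addr_and_mask {
    uint32_t addr;
    uint32_t mask;
};

/* Parse "a.b.c.d" into a host-order value such as 0x0A000202 for 10.0.2.2.
 * Returns 0 on success, -1 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    /* Exactly four fields and nothing after them. */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 0;
}

/* Nonzero when `remote` falls inside the condition's address/mask. */
int cond_matches(const struct v4_addr_and_mask *c, uint32_t remote)
{
    return (remote & c->mask) == (c->addr & c->mask);
}

/* String front end: 1 = match, 0 = no match, -1 = malformed input. */
int matches(const char *addr, const char *mask, const char *remote)
{
    struct v4_addr_and_mask c;
    uint32_t r;

    if (parse_ipv4(addr, &c.addr) || parse_ipv4(mask, &c.mask) ||
        parse_ipv4(remote, &r))
        return -1;
    return cond_matches(&c, r);
}

int main(void)
{
    static const char *masks[]   = { "0.0.0.0", "255.255.255.0", "255.255.255.255" };
    static const char *remotes[] = { "10.0.2.2", "10.0.2.15", "203.0.113.9" };

    /* Condition address is 10.0.2.2 throughout; only the mask changes. */
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++)
            printf("10.0.2.2 mask %-15s remote %-12s -> %s\n",
                   masks[i], remotes[j],
                   matches("10.0.2.2", masks[i], remotes[j]) ? "match" : "no match");
    return 0;
}
```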
  • We set the mask where necessary, but we just want to pass the address 10.0.2.2 and it still does not work. Once the rule that blocks is applied first, any other rule which allows the passage of an address is not taken into account.
    Monday, March 21, 2011 4:09 PM
  • This is blocking us in our work, and help in solving this problem would be really nice.
    Monday, March 21, 2011 4:14 PM
  • Can you post what your filters look like after you add them?

    1) NetSh.exe WFP Show State
    2) Find your filters in the WFPState.xml & post the text.

    Thanks


    Dusty Harper [MSFT]
    Microsoft Corporation
    Tuesday, March 22, 2011 4:01 PM
    Moderator