Whitelist on WFP inspect sample

  • Question

  • Hi everyone, I was wondering if there is a way to make the inspect driver work as a whitelist — that is, allow one or two specific IPs and block everything else.

    Thanks

    Friday, August 6, 2010 5:37 AM

Answers

  • Note that the following does not include any routines to remove the persistent objects it creates (they are added with the *_PERSISTENT flags, so they survive process exit and reboot; you'll have to supply the matching FwpmFilterDeleteByKey / FwpmSubLayerDeleteByKey / FwpmProviderDeleteByKey calls yourself).

    /*
     FWPM_PROVIDER Key
    **/
    
    /* Provider key {53504657-6D61-5F70-5072-6F7669646572}. Read as little-endian
       bytes the fields spell "WFPSamp_Provider", which is how the sample keeps
       its keys recognisable in tools such as "netsh wfp show state". */
    static const GUID WFPSAMPLER_PROVIDER =
    { 0x53504657, 0x6D61, 0x5F70, { 0x50, 0x72, 0x6F, 0x76, 0x69, 0x64, 0x65, 0x72 } };
    
    /*
     FWPM_SUBLAYER Key
    **/
    
    /* Sublayer key {53504657-6D61-5F70-5375-624C61796572}. Same scheme as the
       provider key: the little-endian bytes spell "WFPSamp_SubLayer". */
    static const GUID WFPSAMPLER_SUBLAYER =
    { 0x53504657, 0x6D61, 0x5F70, { 0x53, 0x75, 0x62, 0x4C, 0x61, 0x79, 0x65, 0x72 } };
    
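    /*
     Installs an inbound IPv4 whitelist using only the user-mode WFP management
     API (no callout driver is involved):

       1. a catch-all BLOCK filter at the lowest weight in our sublayer, and
       2. a PERMIT filter at the highest weight that matches the listed
          addresses.

     Within one sublayer the engine evaluates higher-weight filters first, so
     the permit must out-weigh the block. Giving both the same weight (as the
     original listing did) leaves their relative order unspecified, and the
     "whitelist" can silently degrade to block-everything or permit-everything.

     Things to be aware of before reusing this:
       - Every object carries a *_PERSISTENT flag, so it survives process exit
         and reboot. Nothing here deletes them; supply FwpmFilterDeleteByKey /
         FwpmSubLayerDeleteByKey / FwpmProviderDeleteByKey yourself.
       - FWP_E_ALREADY_EXISTS is tolerated for the provider and sublayer so a
         second run (after an earlier install) still succeeds.
       - Only FWPM_LAYER_INBOUND_IPPACKET_V4 is covered: outbound traffic and
         IPv6 are not filtered at all.
       - The conditions keep FWPM_CONDITION_IP_LOCAL_ADDRESS from the original
         post. To let two *remote* hosts in, FWPM_CONDITION_IP_REMOTE_ADDRESS is
         almost certainly what is wanted -- confirm against your requirement.
       - FWP_UINT32 address values are host byte order:
         0x01000001 == 1.0.0.1 and 0x02000001 == 2.0.0.1.
       - Opening a read/write session requires administrative rights.

     Returns NO_ERROR on success, otherwise the Win32 / RPC / WFP error code.
    */
    int __cdecl wmain(__in const int argumentCount,
         __in_ecount(argumentCount) PCWSTR pArguments[])
    {
        enum { NUM_CONDITIONS = 2 };

        /* The permit must be evaluated before the catch-all block. */
        const UINT8 PERMIT_WEIGHT = 0xF;
        const UINT8 BLOCK_WEIGHT  = 0x0;

        UINT32                status        = NO_ERROR;
        HANDLE                engineHandle  = 0;
        BOOL                  inTransaction = FALSE;
        FWPM_SESSION          session;
        FWPM_PROVIDER         provider;
        FWPM_SUBLAYER         subLayer;
        FWPM_FILTER_CONDITION filterConditions[NUM_CONDITIONS];   /* structs, not pointers */
        FWPM_FILTER           blockFilter;
        FWPM_FILTER           permitFilter;

        UNREFERENCED_PARAMETER(argumentCount);
        UNREFERENCED_PARAMETER(pArguments);

        ZeroMemory(&session,         sizeof(session));
        ZeroMemory(&provider,        sizeof(provider));
        ZeroMemory(&subLayer,        sizeof(subLayer));
        ZeroMemory(filterConditions, sizeof(filterConditions));
        ZeroMemory(&blockFilter,     sizeof(blockFilter));
        ZeroMemory(&permitFilter,    sizeof(permitFilter));

        session.displayData.name = L"WFPSampler's User Mode Session";
        session.flags            = 0;   /* not DYNAMIC: objects outlive this session */

        provider.displayData.name = L"WFPSampler's Provider";
        provider.providerKey      = WFPSAMPLER_PROVIDER;
        provider.flags            = FWPM_PROVIDER_FLAG_PERSISTENT;

        subLayer.displayData.name = L"WFPSampler's SubLayer";
        subLayer.subLayerKey      = WFPSAMPLER_SUBLAYER;
        subLayer.providerKey      = (GUID*)&WFPSAMPLER_PROVIDER;
        subLayer.flags            = FWPM_SUBLAYER_FLAG_PERSISTENT;
        /* subLayer.weight is left at 0 (lowest). A BLOCK from this sublayer
           still overrides a plain PERMIT from other sublayers, which is the
           behaviour a whitelist wants. */

        /* Filter keys. RPC_S_UUID_LOCAL_ONLY only means the UUID is not
           globally unique, which is acceptable for a local filter key. */
        status = UuidCreate(&(blockFilter.filterKey));
        if(status != RPC_S_OK && status != RPC_S_UUID_LOCAL_ONLY)
            goto HLPR_BAIL_LABEL;   /* e.g. RPC_S_UUID_NO_ADDRESS */
        status = NO_ERROR;

        status = UuidCreate(&(permitFilter.filterKey));
        if(status != RPC_S_OK && status != RPC_S_UUID_LOCAL_ONLY)
            goto HLPR_BAIL_LABEL;
        status = NO_ERROR;

        /* Two conditions on the same field in one filter are OR'ed:
           match when the address equals 1.0.0.1 OR 2.0.0.1. */
        filterConditions[0].fieldKey              = FWPM_CONDITION_IP_LOCAL_ADDRESS;
        filterConditions[0].matchType             = FWP_MATCH_EQUAL;
        filterConditions[0].conditionValue.type   = FWP_UINT32;
        filterConditions[0].conditionValue.uint32 = 0x01000001;   /* 1.0.0.1 */

        filterConditions[1].fieldKey              = FWPM_CONDITION_IP_LOCAL_ADDRESS;
        filterConditions[1].matchType             = FWP_MATCH_EQUAL;
        filterConditions[1].conditionValue.type   = FWP_UINT32;
        filterConditions[1].conditionValue.uint32 = 0x02000001;   /* 2.0.0.1 */

        /* Default-deny: no conditions, so every inbound IPv4 packet matches. */
        blockFilter.displayData.name    = L"WFPSampler's Basic Block Filter";
        blockFilter.flags               = FWPM_FILTER_FLAG_PERSISTENT;
        blockFilter.providerKey         = (GUID*)&WFPSAMPLER_PROVIDER;
        blockFilter.layerKey            = FWPM_LAYER_INBOUND_IPPACKET_V4;
        blockFilter.subLayerKey         = WFPSAMPLER_SUBLAYER;
        blockFilter.weight.type         = FWP_UINT8;
        blockFilter.weight.uint8        = BLOCK_WEIGHT;
        blockFilter.numFilterConditions = 0;
        blockFilter.filterCondition     = 0;
        blockFilter.action.type         = FWP_ACTION_BLOCK;

        /* Whitelist: evaluated first because of its higher weight. */
        permitFilter.displayData.name    = L"WFPSampler's Basic Permit Filter";
        permitFilter.flags               = FWPM_FILTER_FLAG_PERSISTENT;
        permitFilter.providerKey         = (GUID*)&WFPSAMPLER_PROVIDER;
        permitFilter.layerKey            = FWPM_LAYER_INBOUND_IPPACKET_V4;
        permitFilter.subLayerKey         = WFPSAMPLER_SUBLAYER;
        permitFilter.weight.type         = FWP_UINT8;
        permitFilter.weight.uint8        = PERMIT_WEIGHT;
        permitFilter.numFilterConditions = NUM_CONDITIONS;
        permitFilter.filterCondition     = filterConditions;
        permitFilter.action.type         = FWP_ACTION_PERMIT;

        status = FwpmEngineOpen(0, RPC_C_AUTHN_WINNT, 0, &session, &engineHandle);
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        /* One transaction for everything: either both filters land or neither
           does, so a partial failure can never leave a permit without its block
           (or a block without its permit). */
        status = FwpmTransactionBegin(engineHandle, 0);
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;
        inTransaction = TRUE;

        status = FwpmProviderAdd(engineHandle, &provider, 0);
        if(status == FWP_E_ALREADY_EXISTS)
            status = NO_ERROR;   /* left behind by an earlier run; reuse it */
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmSubLayerAdd(engineHandle, &subLayer, 0);
        if(status == FWP_E_ALREADY_EXISTS)
            status = NO_ERROR;
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmFilterAdd(engineHandle, &blockFilter, 0, &(blockFilter.filterId));
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmFilterAdd(engineHandle, &permitFilter, 0, &(permitFilter.filterId));
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmTransactionCommit(engineHandle);
        if(status == NO_ERROR)
            inTransaction = FALSE;

    HLPR_BAIL_LABEL:

        if(engineHandle)
        {
            if(inTransaction)
                FwpmTransactionAbort(engineHandle);   /* roll back a half-done install */

            FwpmEngineClose(engineHandle);
        }

        /* The original returned nothing from an int function; report the status. */
        return (int)status;
    }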
    
    Wednesday, August 11, 2010 9:29 PM
    Moderator

All replies

  • Yes, you could tweak the sample to do this, but it seems like overkill. If you want a whitelist, why not just add two filters and eliminate the overhead and complexity of the callout entirely?

    Filter1:
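          /* Whitelist filter: PERMIT inbound IPv4 packets whose local address is
             1.0.0.1 or 2.0.0.1 (two conditions on the same field are OR'ed).

             The address literals must be hex. "01000001" as originally written is
             an OCTAL literal in C (== 0x00040001 == 0.4.0.1), not 1.0.0.1, so the
             filter would have matched the wrong hosts. FWP_UINT32 addresses are in
             host byte order.

             Both structs are zeroed first: FwpmFilterAdd reads fields that are not
             assigned below (filterKey, rawContext, ...), and stack garbage there is
             at best a rejected call and at worst an unintended filter. */
          FWPM_FILTER_CONDITION pFilterConditions[2];
          FWPM_FILTER           filter;

          ZeroMemory(pFilterConditions, sizeof(pFilterConditions));
          ZeroMemory(&filter,           sizeof(filter));

          pFilterConditions[0].fieldKey              = FWPM_CONDITION_IP_LOCAL_ADDRESS;
          pFilterConditions[0].matchType             = FWP_MATCH_EQUAL;
          pFilterConditions[0].conditionValue.type   = FWP_UINT32;
          pFilterConditions[0].conditionValue.uint32 = 0x01000001;   /* 1.0.0.1 */

          pFilterConditions[1].fieldKey              = FWPM_CONDITION_IP_LOCAL_ADDRESS;
          pFilterConditions[1].matchType             = FWP_MATCH_EQUAL;
          pFilterConditions[1].conditionValue.type   = FWP_UINT32;
          pFilterConditions[1].conditionValue.uint32 = 0x02000001;   /* 2.0.0.1 */

          /* Weight 0xF (highest): this permit must be evaluated before the
             block-all filter in the same sublayer, so give that one a lower
             weight. */
          filter.displayData.name    = L"Allow 1.0.0.1 & 2.0.0.1 in";
          filter.flags               = persistent ? FWPM_FILTER_FLAG_PERSISTENT : 0;
          filter.providerKey         = (GUID*)&WFPSAMPLER_PROVIDER;
          filter.layerKey            = FWPM_LAYER_INBOUND_IPPACKET_V4;
          filter.subLayerKey         = WFPSAMPLER_SUBLAYER;
          filter.weight.type         = FWP_UINT8;
          filter.weight.uint8        = 0xF;
          filter.numFilterConditions = 2;
          filter.filterCondition     = pFilterConditions;
          filter.action.type         = FWP_ACTION_PERMIT;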

    Filter2:
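          /* Default-deny: no conditions, so every inbound IPv4 packet matches.
             Weight 0x0 (lowest) so the permit filter at 0xF is always evaluated
             first. With both at the same weight the engine gives no guaranteed
             order between them, and the "whitelist" may block everything or
             permit everything depending on which filter is consulted first. */
          filter.displayData.name    = L"Block All";
          filter.flags               = persistent ? FWPM_FILTER_FLAG_PERSISTENT : 0;
          filter.providerKey         = (GUID*)&WFPSAMPLER_PROVIDER;
          filter.layerKey            = FWPM_LAYER_INBOUND_IPPACKET_V4;
          filter.subLayerKey         = WFPSAMPLER_SUBLAYER;
          filter.weight.type         = FWP_UINT8;
          filter.weight.uint8        = 0x0;
          filter.numFilterConditions = 0;
          filter.filterCondition     = 0;
          filter.action.type         = FWP_ACTION_BLOCK;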

    Hope this helps,

     

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, August 10, 2010 6:18 PM
    Moderator
  • It's an excellent idea. I'm just a newbie with the DDK, so I don't know exactly what to delete from the TL_drv.c file.

    Thanks

    Tuesday, August 10, 2010 7:16 PM
  • Doing it this way, you don't need a driver at all. You can create a user-mode service or application that essentially calls FwpmEngineOpen, FwpmProviderAdd, FwpmSubLayerAdd, FwpmFilterAdd, and their associated cleanup routines.

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, August 10, 2010 9:54 PM
    Moderator
  • Thanks a lot, Dusty. Maybe it's too much to ask, but if you can't, that's OK: could you give me the code for an app like that?

    Anyways you are the best

    Wednesday, August 11, 2010 3:36 AM
  • Note that the following does not include any routines to remove the persistent objects it creates (they are added with the *_PERSISTENT flags, so they survive process exit and reboot; you'll have to supply the matching FwpmFilterDeleteByKey / FwpmSubLayerDeleteByKey / FwpmProviderDeleteByKey calls yourself).

    /*
     FWPM_PROVIDER Key
    **/
    
    /* Provider key {53504657-6D61-5F70-5072-6F7669646572}. Read as little-endian
       bytes the fields spell "WFPSamp_Provider", which is how the sample keeps
       its keys recognisable in tools such as "netsh wfp show state". */
    static const GUID WFPSAMPLER_PROVIDER =
    { 0x53504657, 0x6D61, 0x5F70, { 0x50, 0x72, 0x6F, 0x76, 0x69, 0x64, 0x65, 0x72 } };
    
    /*
     FWPM_SUBLAYER Key
    **/
    
    /* Sublayer key {53504657-6D61-5F70-5375-624C61796572}. Same scheme as the
       provider key: the little-endian bytes spell "WFPSamp_SubLayer". */
    static const GUID WFPSAMPLER_SUBLAYER =
    { 0x53504657, 0x6D61, 0x5F70, { 0x53, 0x75, 0x62, 0x4C, 0x61, 0x79, 0x65, 0x72 } };
    
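    /*
     Installs an inbound IPv4 whitelist using only the user-mode WFP management
     API (no callout driver is involved):

       1. a catch-all BLOCK filter at the lowest weight in our sublayer, and
       2. a PERMIT filter at the highest weight that matches the listed
          addresses.

     Within one sublayer the engine evaluates higher-weight filters first, so
     the permit must out-weigh the block. Giving both the same weight (as the
     original listing did) leaves their relative order unspecified, and the
     "whitelist" can silently degrade to block-everything or permit-everything.

     Things to be aware of before reusing this:
       - Every object carries a *_PERSISTENT flag, so it survives process exit
         and reboot. Nothing here deletes them; supply FwpmFilterDeleteByKey /
         FwpmSubLayerDeleteByKey / FwpmProviderDeleteByKey yourself.
       - FWP_E_ALREADY_EXISTS is tolerated for the provider and sublayer so a
         second run (after an earlier install) still succeeds.
       - Only FWPM_LAYER_INBOUND_IPPACKET_V4 is covered: outbound traffic and
         IPv6 are not filtered at all.
       - The conditions keep FWPM_CONDITION_IP_LOCAL_ADDRESS from the original
         post. To let two *remote* hosts in, FWPM_CONDITION_IP_REMOTE_ADDRESS is
         almost certainly what is wanted -- confirm against your requirement.
       - FWP_UINT32 address values are host byte order:
         0x01000001 == 1.0.0.1 and 0x02000001 == 2.0.0.1.
       - Opening a read/write session requires administrative rights.

     Returns NO_ERROR on success, otherwise the Win32 / RPC / WFP error code.
    */
    int __cdecl wmain(__in const int argumentCount,
         __in_ecount(argumentCount) PCWSTR pArguments[])
    {
        enum { NUM_CONDITIONS = 2 };

        /* The permit must be evaluated before the catch-all block. */
        const UINT8 PERMIT_WEIGHT = 0xF;
        const UINT8 BLOCK_WEIGHT  = 0x0;

        UINT32                status        = NO_ERROR;
        HANDLE                engineHandle  = 0;
        BOOL                  inTransaction = FALSE;
        FWPM_SESSION          session;
        FWPM_PROVIDER         provider;
        FWPM_SUBLAYER         subLayer;
        FWPM_FILTER_CONDITION filterConditions[NUM_CONDITIONS];   /* structs, not pointers */
        FWPM_FILTER           blockFilter;
        FWPM_FILTER           permitFilter;

        UNREFERENCED_PARAMETER(argumentCount);
        UNREFERENCED_PARAMETER(pArguments);

        ZeroMemory(&session,         sizeof(session));
        ZeroMemory(&provider,        sizeof(provider));
        ZeroMemory(&subLayer,        sizeof(subLayer));
        ZeroMemory(filterConditions, sizeof(filterConditions));
        ZeroMemory(&blockFilter,     sizeof(blockFilter));
        ZeroMemory(&permitFilter,    sizeof(permitFilter));

        session.displayData.name = L"WFPSampler's User Mode Session";
        session.flags            = 0;   /* not DYNAMIC: objects outlive this session */

        provider.displayData.name = L"WFPSampler's Provider";
        provider.providerKey      = WFPSAMPLER_PROVIDER;
        provider.flags            = FWPM_PROVIDER_FLAG_PERSISTENT;

        subLayer.displayData.name = L"WFPSampler's SubLayer";
        subLayer.subLayerKey      = WFPSAMPLER_SUBLAYER;
        subLayer.providerKey      = (GUID*)&WFPSAMPLER_PROVIDER;
        subLayer.flags            = FWPM_SUBLAYER_FLAG_PERSISTENT;
        /* subLayer.weight is left at 0 (lowest). A BLOCK from this sublayer
           still overrides a plain PERMIT from other sublayers, which is the
           behaviour a whitelist wants. */

        /* Filter keys. RPC_S_UUID_LOCAL_ONLY only means the UUID is not
           globally unique, which is acceptable for a local filter key. */
        status = UuidCreate(&(blockFilter.filterKey));
        if(status != RPC_S_OK && status != RPC_S_UUID_LOCAL_ONLY)
            goto HLPR_BAIL_LABEL;   /* e.g. RPC_S_UUID_NO_ADDRESS */
        status = NO_ERROR;

        status = UuidCreate(&(permitFilter.filterKey));
        if(status != RPC_S_OK && status != RPC_S_UUID_LOCAL_ONLY)
            goto HLPR_BAIL_LABEL;
        status = NO_ERROR;

        /* Two conditions on the same field in one filter are OR'ed:
           match when the address equals 1.0.0.1 OR 2.0.0.1. */
        filterConditions[0].fieldKey              = FWPM_CONDITION_IP_LOCAL_ADDRESS;
        filterConditions[0].matchType             = FWP_MATCH_EQUAL;
        filterConditions[0].conditionValue.type   = FWP_UINT32;
        filterConditions[0].conditionValue.uint32 = 0x01000001;   /* 1.0.0.1 */

        filterConditions[1].fieldKey              = FWPM_CONDITION_IP_LOCAL_ADDRESS;
        filterConditions[1].matchType             = FWP_MATCH_EQUAL;
        filterConditions[1].conditionValue.type   = FWP_UINT32;
        filterConditions[1].conditionValue.uint32 = 0x02000001;   /* 2.0.0.1 */

        /* Default-deny: no conditions, so every inbound IPv4 packet matches. */
        blockFilter.displayData.name    = L"WFPSampler's Basic Block Filter";
        blockFilter.flags               = FWPM_FILTER_FLAG_PERSISTENT;
        blockFilter.providerKey         = (GUID*)&WFPSAMPLER_PROVIDER;
        blockFilter.layerKey            = FWPM_LAYER_INBOUND_IPPACKET_V4;
        blockFilter.subLayerKey         = WFPSAMPLER_SUBLAYER;
        blockFilter.weight.type         = FWP_UINT8;
        blockFilter.weight.uint8        = BLOCK_WEIGHT;
        blockFilter.numFilterConditions = 0;
        blockFilter.filterCondition     = 0;
        blockFilter.action.type         = FWP_ACTION_BLOCK;

        /* Whitelist: evaluated first because of its higher weight. */
        permitFilter.displayData.name    = L"WFPSampler's Basic Permit Filter";
        permitFilter.flags               = FWPM_FILTER_FLAG_PERSISTENT;
        permitFilter.providerKey         = (GUID*)&WFPSAMPLER_PROVIDER;
        permitFilter.layerKey            = FWPM_LAYER_INBOUND_IPPACKET_V4;
        permitFilter.subLayerKey         = WFPSAMPLER_SUBLAYER;
        permitFilter.weight.type         = FWP_UINT8;
        permitFilter.weight.uint8        = PERMIT_WEIGHT;
        permitFilter.numFilterConditions = NUM_CONDITIONS;
        permitFilter.filterCondition     = filterConditions;
        permitFilter.action.type         = FWP_ACTION_PERMIT;

        status = FwpmEngineOpen(0, RPC_C_AUTHN_WINNT, 0, &session, &engineHandle);
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        /* One transaction for everything: either both filters land or neither
           does, so a partial failure can never leave a permit without its block
           (or a block without its permit). */
        status = FwpmTransactionBegin(engineHandle, 0);
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;
        inTransaction = TRUE;

        status = FwpmProviderAdd(engineHandle, &provider, 0);
        if(status == FWP_E_ALREADY_EXISTS)
            status = NO_ERROR;   /* left behind by an earlier run; reuse it */
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmSubLayerAdd(engineHandle, &subLayer, 0);
        if(status == FWP_E_ALREADY_EXISTS)
            status = NO_ERROR;
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmFilterAdd(engineHandle, &blockFilter, 0, &(blockFilter.filterId));
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmFilterAdd(engineHandle, &permitFilter, 0, &(permitFilter.filterId));
        if(status != NO_ERROR)
            goto HLPR_BAIL_LABEL;

        status = FwpmTransactionCommit(engineHandle);
        if(status == NO_ERROR)
            inTransaction = FALSE;

    HLPR_BAIL_LABEL:

        if(engineHandle)
        {
            if(inTransaction)
                FwpmTransactionAbort(engineHandle);   /* roll back a half-done install */

            FwpmEngineClose(engineHandle);
        }

        /* The original returned nothing from an int function; report the status. */
        return (int)status;
    }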
    
    Wednesday, August 11, 2010 9:29 PM
    Moderator
  • Thanks a lot. Which includes should I add to this?
    Tuesday, October 5, 2010 7:17 PM
  • I have a similar requirement.

    I currently have a callout driver which performs NAT. However, I want to selectively allow clients (based on their IP or MAC address) to access the internet through the NAT, using a new user-mode application. I tried the whitelist sample with FWPM_LAYER_INBOUND_IPPACKET_V4 and FWPM_LAYER_IPFORWARD_V4, but it doesn't seem to work. When I tried the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, it completely blocked or enabled internet access, including for the host machine itself.

    Can you suggest, the right approach to this issue?

    Thanks

     

    Tuesday, November 23, 2010 11:57 AM