Removing Filters Doesn't Re-enable Traffic

  • Question

  • Hi,

    My application adds inbound and outbound IPv4 filters which block all traffic (as a starting point). These seem to work as expected. However, when I remove the filters using FwpmFilterDeleteByKey0, the traffic is not re-enabled. I've confirmed with netsh wfp show filters that the filters no longer exist. Am I missing a step?

    Thanks.

    Wednesday, February 22, 2012 10:57 PM

Answers

  • Thanks, Dusty. This was a rather simple/rudimentary test. My initial conditions were a Windows 7 PC with the default firewall settings enabled. There were no other 3rd party filters installed. Prior to executing the application, I was able to browse the web. The application, when executed, installs 4 filters: 2 in the FWPM_LAYER_INBOUND_TRANSPORT_V4 layer, indiscriminately blocking all traffic on 2 different sublayers, and 2 in the FWPM_LAYER_OUTBOUND_TRANSPORT_V4 layer, indiscriminately blocking all traffic on 2 different sublayers. After executing the application, I could not bring up any common web sites, as expected. However, after calling FwpmFilterDeleteByKey0 for each of the 4 filters, I still am unable to bring up any websites. I used no tools to validate the traffic flow, only netsh to prove that the filters had been installed and then removed. I'm gathering what you're saying is that removing the filters in the manner that I did should restore the capability to pass the aforementioned traffic?
    • Marked as answer by cryptomedic Friday, February 24, 2012 8:41 PM
    Thursday, February 23, 2012 12:24 AM

All replies

  • What kind of traffic is this? If you blocked the handshake for TCP, then the apps will need to call connect / accept again. Are there other filters on the machine which could be getting in the way? How are you validating the traffic flows?

    The easiest test for this would be to perform a ping -t <remote address>
    Add your block all inbound / outbound traffic filters
    Verify that the pings time out
    Remove the filters you just added
    You should now be getting replies again

    Please provide more information,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, February 22, 2012 11:36 PM
    Moderator
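    The verification procedure Dusty describes, scripted as an added example (this is not code from the thread or from Microsoft): probe the target with ICMP, apply the blocking filters, confirm the pings fail and that the filters show up in the netsh dump, remove them, and confirm both that the filters are gone and that replies return. The target address, the filter display-name prefix and the two script blocks that add and remove the filters are placeholders; the script assumes an elevated PowerShell prompt and that `netsh wfp show filters file=<path>` writes its XML to the given path.

```powershell
# Added example (not from the thread). Assumptions are marked below.
param(
    # Constructed placeholder address (TEST-NET-1); use a host that answers pings.
    [string]$Target = "192.0.2.1",
    # Placeholder: the display name your application gives its block-all filters.
    [string]$FilterNamePrefix = "MyBlockAll",
    # Placeholders: however your application adds and removes its filters.
    [scriptblock]$AddFilters    = { & ".\WfpBlockTool.exe" add },
    [scriptblock]$RemoveFilters = { & ".\WfpBlockTool.exe" remove }
)

function Get-WfpFilterNames {
    # Dump the current WFP filter set to XML (same data the thread inspected with
    # 'netsh wfp show filters') and return the display names.
    $xmlPath = Join-Path $env:TEMP "wfp-filters.xml"
    netsh wfp show filters file="$xmlPath" | Out-Null
    [xml]$doc = Get-Content -Path $xmlPath -Raw
    return @($doc.wfpdiag.filters.item | ForEach-Object { $_.displayData.name })
}

function Test-Reachable {
    param([string]$Address, [int]$Count = 4)
    # ICMP echo is connectionless, so it reflects the filter state immediately;
    # an existing TCP session whose handshake was blocked would not.
    return [bool](Test-Connection -ComputerName $Address -Count $Count -Quiet)
}

function Assert-Step {
    param([bool]$Condition, [string]$Message)
    if (-not $Condition) { throw "FAILED: $Message" }
    Write-Host "ok: $Message"
}

# 1. Baseline: the target must be reachable before any filters are added.
Assert-Step (Test-Reachable $Target) "baseline ping to $Target succeeds"

# 2. Add the block-all inbound/outbound filters and confirm they are installed.
& $AddFilters
$installed = Get-WfpFilterNames | Where-Object { $_ -like "$FilterNamePrefix*" }
Assert-Step ($installed.Count -gt 0) "filters named $FilterNamePrefix* are present"

# 3. Pings should now time out.
Assert-Step (-not (Test-Reachable $Target)) "ping to $Target times out while filters are active"

# 4. Remove the filters and confirm netsh no longer lists them.
& $RemoveFilters
$remaining = Get-WfpFilterNames | Where-Object { $_ -like "$FilterNamePrefix*" }
Assert-Step ($remaining.Count -eq 0) "filters named $FilterNamePrefix* have been removed"

# 5. Replies should return immediately, because ICMP keeps no connection state.
Assert-Step (Test-Reachable $Target) "ping to $Target succeeds again after removal"
```

    If step 5 passes but a browser still cannot load pages, the filters are not the problem: the browser's existing TCP sessions had their handshakes blocked and must be re-established, which is the connect / accept point made above.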
  • Dusty, I think I'm all set. This does appear to be a TCP-connection-related issue, as web traffic comes back immediately when I close the browser and open another instance. Thanks.
    Thursday, February 23, 2012 2:26 PM