Problem with Windows CE IP Firewall

  • Question

  • I have tried unsuccessfully for weeks to get the Windows CE IP Firewall to work as expected. I seem to have a misunderstanding of how the firewall rules are required to be implemented. I have successfully built a Windows CE 6.0 platform and have deployed it to my device. I have also written a simple application in C# to enable/disable the firewall. When I run my Firewall control app, I can successfully enable and disable the firewall. The problem is, when I enable the firewall, all inbound connection requests are dropped. I have been using the default rules created by Platform Builder, then adding or removing rules from the registry and then performing a cold reset to reload the rules from the hive-based registry. I have been focusing on just getting ICMP ECHO requests from the public side to the private side. I have removed all of the default rules and then added one of my own to allow all traffic. This will allow echo requests through, but makes the firewall useless... So I replaced that rule with two rules that allow all ICMP ECHO REQUEST and ICMP ECHO REPLY. (Never mind the fact that these rules are part of the default rules for the platform.)

    Originally, the rules were:

    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowICMP_ECHO_REQUEST]
    "Mask"=dword:28 ; FWM_PROTOCOL | FWM_TYPE
    "Flags"=dword:12 ; FWF_ALLOW | FWF_OUTBOUND
    "PrivateHost"=hex:02,00 ; AF_INET
    "Protocol"=dword:1 ; IP_PROTOCOL_ICMPv4
    "Type"=dword:8 ; ICMP_ECHO_REQUEST
    
    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowICMP_ECHO_REPLY]
    "Mask"=dword:28 ; FWM_PROTOCOL | FWM_TYPE
    "Flags"=dword:12 ; FWF_ALLOW | FWF_OUTBOUND
    "PrivateHost"=hex:02,00 ; AF_INET
    "Protocol"=dword:1 ; IP_PROTOCOL_ICMPv4
    "Type"=dword:0 ; ICMP_ECHO_REPLY

    which has been changed to:

    [HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowInboundICMP_ECHO_REQUEST]
    "Flags"=dword:00000002 ; FWF_ALLOW
    "Mask"=dword:00000028 ; FWM_TYPE | FWM_PROTOCOL
    "Protocol"=dword:00000001 ; ICMP 
    "Type"=dword:00000008 ; ECHO REQUEST
    
    [HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowOutboundICMP_ECHO_REPLY]
    "Flags"=dword:00000002 ; FWF_ALLOW
    "Type"=dword:00000000 ; ECHO REPLY
    "Protocol"=dword:00000001 ; ICMP
    "Mask"=dword:00000028 ; FWM_PROTOCOL | FWM_TYPE

    Neither will allow ICMP ECHO to the device. I can (even with the default rules) ping from the device to my development machine, but not the other direction.

    Ultimately, I would like to be able to allow all necessary ICMP, DHCP, IPSec, and only TCP/IP connections to my device on the port that I specify.

    Thursday, July 8, 2010 3:51 PM

All replies

  • Have you checked the registry on the device to see if the values are as
    you expect them to be?
     
    Don't start your values with all those 0's. Can't remember if this is
    true for Windows CE registry files as well, but usually starting a value
    with a 0 will make it octal (base 8), resulting in completely different
    values than what you expect.
     
    Also, you seem to be missing some flags (you have to specify either
    FWF_OUTBOUND or FWF_INBOUND).
     
    Here's a working example of allowed inbound/outbound TCP ports:
     
    [HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowedTCPInbound]
    "Description"="Allowed inbound TCP ports"
    "Mask"=dword:24 ;FWM_PORT | FWM_PROTOCOL
    "Flags"=dword:A ;FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:02,00 ;Applies to all IPv4 hosts
    "Protocol"=dword:6 ;Applies to TCP Protocol
    "PortMin"=dword:7D0 ;Port range: 2000-2099
    "PortMax"=dword:833 ;
     
    [HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowedTCPOutbound]
    "Description"="Allowed outbound TCP ports"
    "Mask"=dword:24 ;FWM_PORT | FWM_PROTOCOL
    "Flags"=dword:12 ;FWF_ALLOW | FWF_OUTBOUND
    "PrivateHost"=hex:02,00 ;Applies to all IPv4 hosts
    "Protocol"=dword:6 ;Applies to TCP Protocol
    "PortMin"=dword:7D0 ;Port range: 2000-2099
    "PortMax"=dword:833 ;
     

    Good luck,

    Michel Verhagen, eMVP
    Check out my blog: http://guruce.com/blog

    GuruCE
    Microsoft Embedded Partner
    http://guruce.com
    Consultancy, training and development services.
    Friday, July 9, 2010 12:18 AM
    Moderator
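As an added example (not part of either post in this thread), here is a small Python checker that parses rule sections in the .reg format shown above and reports the two mistakes the reply points at: a Flags value with neither FWF_INBOUND nor FWF_OUTBOUND, and a Mask bit that selects a field the rule never sets. The bit values are an assumption derived from the comments in both posts (0x28 = FWM_PROTOCOL | FWM_TYPE, 0x24 = FWM_PORT | FWM_PROTOCOL, 0xA = FWF_ALLOW | FWF_INBOUND, 0x12 = FWF_ALLOW | FWF_OUTBOUND), not values copied from the CE SDK headers, and the sample rules are constructed from the thread.

```python
import re
# Bit values implied by the comments in this thread (0x28 = FWM_PROTOCOL|FWM_TYPE,
# 0x24 = FWM_PORT|FWM_PROTOCOL, 0xA = FWF_ALLOW|FWF_INBOUND, 0x12 = FWF_ALLOW|FWF_OUTBOUND);
# an assumption derived from those comments, not copied from the CE SDK headers.
FWM_PORT, FWM_TYPE, FWM_PROTOCOL = 0x04, 0x08, 0x20
FWF_ALLOW, FWF_INBOUND, FWF_OUTBOUND = 0x02, 0x08, 0x10
# A Mask bit only has an effect when the value(s) it selects are present in the rule.
MASK_NEEDS = {FWM_PROTOCOL: ("Protocol",), FWM_TYPE: ("Type",), FWM_PORT: ("PortMin", "PortMax")}
RULE_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\Comm\\Firewall\\Rules\\([^\]]+)\]", re.I)
DWORD = re.compile(r'"(\w+)"=dword:([0-9A-Fa-f]+)')

def parse_reg_rules(text):
    """Map rule name -> {value: int}; ';' comments dropped, dwords read as hex."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if m := RULE_KEY.match(line):
            current = rules.setdefault(m.group(1), {})
        elif (m := DWORD.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return rules

def check_rule(values):
    """Return the problems that would keep a rule from ever matching a packet."""
    problems = []
    flags, mask = values.get("Flags", 0), values.get("Mask", 0)
    if not flags & (FWF_INBOUND | FWF_OUTBOUND):
        problems.append("Flags has neither FWF_INBOUND nor FWF_OUTBOUND")
    for bit, names in MASK_NEEDS.items():
        for name in names:
            if mask & bit and name not in values:
                problems.append("Mask selects a field but %s is not set" % name)
    return problems

def check_all(text):
    return {name: check_rule(v) for name, v in parse_reg_rules(text).items()}

# Constructed sample: the rewritten ECHO REQUEST rule from the question (no direction bit)
# beside the inbound TCP rule from the reply.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowInboundICMP_ECHO_REQUEST]
"Flags"=dword:00000002 ; FWF_ALLOW
"Mask"=dword:00000028 ; FWM_TYPE | FWM_PROTOCOL
"Protocol"=dword:00000001 ; ICMP
"Type"=dword:00000008 ; ECHO REQUEST
[HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowedTCPInbound]
"Mask"=dword:24 ;FWM_PORT | FWM_PROTOCOL
"Flags"=dword:A ;FWF_ALLOW | FWF_INBOUND
"Protocol"=dword:6
"PortMin"=dword:7D0
"PortMax"=dword:833
'''
```

Running `check_all(SAMPLE)` flags the ICMP rule for its missing direction bit and reports the TCP rule as consistent; it also shows that the leading zeros in the dword values parse to the same numbers as the short form.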