UserMode won't Unblock

  • Question

  • Hi there, I have a big problem and I'm not able to get a solution :-(

    I'm writing a small tool to block all Internet traffic except a given exe:

    #include <winsock2.h>
    #include <windows.h>
    #include <fwpmu.h>
    #include <iostream>
    #include <cstdio>
    #pragma comment(lib, "fwpuclnt.lib")
    #pragma comment(lib, "rpcrt4.lib")
    using namespace std;

    int main()
    {
        HANDLE hEngine = NULL;
        DWORD dwFwAPiRetCode = ERROR_BAD_COMMAND;

        // Open a session with the filter engine
        cout << "Create engine\n";
        dwFwAPiRetCode = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &hEngine);
        if (dwFwAPiRetCode == ERROR_SUCCESS) cout << "ERROR_SUCCESS\n";

        // Sublayer that will hold both filters
        FWPM_SUBLAYER0 SubLayer = {0};
        UuidCreate(&(SubLayer.subLayerKey));
        SubLayer.displayData.name = L"TestLayer";
        SubLayer.displayData.description = L"TestLayer";
        SubLayer.flags = FWPM_SUBLAYER_FLAG_PERSISTENT;
        SubLayer.weight = 0x01;
        cout << "Sublayer Add\n";
        dwFwAPiRetCode = FwpmSubLayerAdd0(hEngine, &SubLayer, NULL);
        if (dwFwAPiRetCode == ERROR_SUCCESS) cout << "ERROR_SUCCESS\n"; else cout << " Error\n";

        // Filter 1: block every outbound IPv4 connection (no conditions), weight 0x01
        FWPM_FILTER0 Filter = {0};
        FWPM_FILTER_CONDITION0 Condition[1];
        Filter.action.type = FWP_ACTION_BLOCK;
        Filter.subLayerKey = SubLayer.subLayerKey;
        Filter.displayData.name = L"Test Sublayer";
        Filter.weight.type = FWP_UINT8;
        Filter.weight.uint8 = 0x01;
        Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; //FWPM_LAYER_INBOUND_TRANSPORT_V4
        Filter.numFilterConditions = 0;
        Filter.filterCondition = NULL;
        UINT64 filterId;
        cout << "Add filter\n";
        dwFwAPiRetCode = FwpmFilterAdd0(hEngine, &Filter, NULL, &filterId);
        if (dwFwAPiRetCode == ERROR_SUCCESS) cout << "ERROR_SUCCESS\n"; else printf("Error code: %x \n", dwFwAPiRetCode);

        // Application id of the executable that should stay allowed
        FWP_BYTE_BLOB *applicationID = NULL;
        dwFwAPiRetCode = FwpmGetAppIdFromFileName0(L"C:\\Program Files\\Internet Explorer\\iexplore.exe", &applicationID);
        cout << "RETCODE FwpmGetAppIdFromFileName0: " << dwFwAPiRetCode << endl;

        // Filter 2: permit connections from that app id, higher weight (0x0F) in the same sublayer
        Condition[0].fieldKey = FWPM_CONDITION_ALE_APP_ID;
        Condition[0].matchType = FWP_MATCH_EQUAL;
        Condition[0].conditionValue.type = FWP_BYTE_BLOB_TYPE;
        Condition[0].conditionValue.byteBlob = applicationID;
        memset(&Filter, 0, sizeof(Filter));
        Filter.action.type = FWP_ACTION_PERMIT;
        Filter.subLayerKey = SubLayer.subLayerKey;
        Filter.displayData.name = L"Test Sublayer allow";
        Filter.weight.type = FWP_UINT8;
        Filter.weight.uint8 = 0x0F;
        Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; //FWPM_LAYER_INBOUND_TRANSPORT_V4
        Filter.numFilterConditions = 1;
        Filter.filterCondition = Condition;
        UINT64 filterIdAllow;
        cout << "Add filter\n";
        dwFwAPiRetCode = FwpmFilterAdd0(hEngine, &Filter, NULL, &filterIdAllow);
        if (dwFwAPiRetCode == ERROR_SUCCESS) cout << "ERROR_SUCCESS\n"; else printf("Error code: %x \n", dwFwAPiRetCode);
        FwpmFreeMemory0((void**)&applicationID);   // the engine has copied the filter; release the blob

        cin.get();
        // Clean up: remove both filters, the sublayer, and close the session
        cout << "Deleting filter\n";
        FwpmFilterDeleteById0(hEngine, filterId);
        FwpmFilterDeleteById0(hEngine, filterIdAllow);
        cout << "Deleting Sublayer\n";
        FwpmSubLayerDeleteByKey0(hEngine, &SubLayer.subLayerKey);
        cout << "Close engine\n";
        FwpmEngineClose0(hEngine);
        cin.get();
        return 0;
    }


    The problem is, even IE won't get unblocked! Any ideas what I'm doing wrong? THX

    Tuesday, April 9, 2013 9:17 AM

Answers

  • ping.exe does not actually send the network traffic.  That is done via the native ICMP socket within TCPIP, so exempting ping.exe does nothing (its traffic will actually be attributed to SYSTEM).

    You mention you exempt your local subnet.  What layer are you doing this at?  When arbitrated, the exempted filter has to "win" in order for the traffic to be allowed. ( this means your exemption must exist @ ALE_AUTH_CONNECT_V4 as well )

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Friday, April 12, 2013 9:27 PM
    Moderator

All replies

  • Nothing glaring stands out in your code. Have you made sure your filters are correct (Netsh WFP Show State)?  Note that you are blocking essential networking services that IE depends on (i.e. DNS).  I'd suggest for your testing to use a traffic generation tool such as NTTTCP, rather than IE, and use IP addresses rather than hostnames when doing the testing.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Thursday, April 11, 2013 10:00 PM
    Moderator
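    To make the two points in this thread concrete (this reply: the unconditional block also catches the DNS lookups IE depends on, which run in a different process; the accepted answer: an exemption only helps if it wins arbitration at ALE_AUTH_CONNECT_V4, and ping traffic is owned by SYSTEM rather than ping.exe), here is an added, portable model of WFP filter arbitration at one layer. It is not the WFP engine and not code from the question or from Microsoft; the layer and sublayer names, process paths and addresses are constructed sample data, and the arbitration rules it encodes (sublayers highest weight first, highest-weight matching filter decides within a sublayer, block is final, soft permit can still be blocked by a lower sublayer, hard permit ends evaluation) are the documented rules in simplified form.

```cpp
// Added illustration: simplified model of WFP filter arbitration at one layer.
// Not the real engine, not the questioner's code; all names and addresses are
// constructed sample data.
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

enum class Action { Permit, Block };

struct Flow {                 // what an ALE layer sees for one outbound connection
    std::string layer, appId, remoteIp; uint16_t remotePort;
};
struct Condition {            // the two condition kinds used in the thread
    enum Kind { AppIdEquals, RemoteInSubnet } kind;
    std::string value;        // image path, or "a.b.c.d/bits"
};
struct Filter {
    std::string name, layer, subLayer; uint8_t weight; Action action; bool hardPermit;
    std::vector<Condition> conditions;   // empty list = matches every flow
};
using SubLayerWeights = std::map<std::string, uint16_t>;
struct Verdict { Action action; std::string decidedBy; };

static uint32_t ipv4ToU32(const std::string& s) {
    uint32_t out = 0; size_t pos = 0;
    for (int i = 0; i < 4; ++i) {
        size_t dot = s.find('.', pos);
        out = (out << 8) | static_cast<uint32_t>(std::stoul(s.substr(pos, dot - pos)));
        pos = (dot == std::string::npos) ? s.size() : dot + 1;
    }
    return out;
}
bool inSubnet(const std::string& ip, const std::string& cidr) {
    size_t slash = cidr.find('/');
    int bits = std::stoi(cidr.substr(slash + 1));
    uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return (ipv4ToU32(ip) & mask) == (ipv4ToU32(cidr.substr(0, slash)) & mask);
}
static bool matches(const Filter& f, const Flow& flow) {
    for (const Condition& c : f.conditions) {
        bool ok = c.kind == Condition::AppIdEquals ? flow.appId == c.value
                                                   : inSubnet(flow.remoteIp, c.value);
        if (!ok) return false;
    }
    return true;
}

// Arbitration at the layer named in flow.layer: sublayers by descending weight,
// highest-weight matching filter per sublayer; block is final, soft permit is
// not, hard permit (CLEAR_ACTION_RIGHT) stops evaluation.
Verdict arbitrate(const std::vector<Filter>& filters, const SubLayerWeights& subLayers,
                  const Flow& flow) {
    std::vector<std::pair<uint16_t, std::string>> order;
    for (const auto& kv : subLayers) order.emplace_back(kv.second, kv.first);
    std::sort(order.begin(), order.end(), std::greater<>());
    Verdict result{Action::Permit, "default (no matching filter)"};
    for (const auto& entry : order) {
        const Filter* best = nullptr;
        for (const Filter& f : filters)
            if (f.layer == flow.layer && f.subLayer == entry.second && matches(f, flow) &&
                (!best || f.weight > best->weight)) best = &f;
        if (!best) continue;                      // this sublayer has no opinion
        if (best->action == Action::Block) return {Action::Block, best->name};
        result = {Action::Permit, best->name};
        if (best->hardPermit) return result;
    }
    return result;
}

// The question's two filters plus the exemptions discussed in the thread, all in
// one sublayer of weight 1. The LAN exemption goes to whichever layer the caller
// names, to show why it has to sit at ALE_AUTH_CONNECT_V4.
std::vector<Filter> threadFilters(const std::string& lanExemptionLayer) {
    const std::string L = "ALE_AUTH_CONNECT_V4", S = "TestLayer";
    return {
        {"Test Sublayer",       L, S, 0x01, Action::Block,  false, {}},
        {"Test Sublayer allow", L, S, 0x0F, Action::Permit, false,
         {{Condition::AppIdEquals, "C:\\Program Files\\Internet Explorer\\iexplore.exe"}}},
        {"ping exemption",      L, S, 0x0F, Action::Permit, false,
         {{Condition::AppIdEquals, "C:\\Windows\\System32\\PING.EXE"}}},
        {"LAN exemption", lanExemptionLayer, S, 0x0F, Action::Permit, false,
         {{Condition::RemoteInSubnet, "192.168.0.0/16"}}},
    };
}
Verdict run(const Flow& flow, const std::string& lanExemptionLayer = "ALE_AUTH_CONNECT_V4") {
    SubLayerWeights sub{{"TestLayer", 1}};
    return arbitrate(threadFilters(lanExemptionLayer), sub, flow);
}

int main() {
    const Flow cases[] = {   // constructed sample connections
        {"ALE_AUTH_CONNECT_V4", "C:\\Program Files\\Internet Explorer\\iexplore.exe", "193.99.144.80", 80},
        {"ALE_AUTH_CONNECT_V4", "C:\\Windows\\System32\\svchost.exe", "8.8.8.8", 53},  // DNS client
        {"ALE_AUTH_CONNECT_V4", "System", "193.99.144.80", 0},                          // ICMP from SYSTEM
    };
    for (const Flow& f : cases) {
        Verdict v = run(f);
        std::cout << f.appId << " -> " << f.remoteIp << ": "
                  << (v.action == Action::Permit ? "PERMIT" : "BLOCK") << " by " << v.decidedBy << "\n";
    }
    return 0;
}
```

    Run as written, the browser's own connection is permitted by "Test Sublayer allow" (weight 0x0F beats the block's 0x01 inside the same sublayer), but the DNS client's query from svchost.exe and the ICMP flow owned by SYSTEM hit only the unconditional block, so name resolution and ping fail even though iexplore.exe and ping.exe are exempted. Moving the LAN exemption to a layer other than ALE_AUTH_CONNECT_V4 makes it irrelevant to that verdict, which is the arbitration point in the accepted answer.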
  • I've also excluded my local network via an IP filter with 192.168.0.0/255.255.0.0 to allow DNS access and tested it with something simpler like ping.exe, of course also with an IP (64-bit and 32-bit ping.exe) ...

    ping heise.de

    Ping wird ausgeführt für heise.de [193.99.144.80] mit 32 Bytes Daten:
    Allgemeiner Fehler.
    Allgemeiner Fehler.
    Allgemeiner Fehler.
    Allgemeiner Fehler.

    Ping-Statistik für 193.99.144.80:
        Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
        (100% Verlust),

    I've also added the wfpstate.xml and also tested it on a clean Win 8 VM and a Win 7 VM: https://dl.dropboxusercontent.com/u/8091706/wfpstate.zip


    • Edited by PArt8 Friday, April 12, 2013 7:55 AM
    Friday, April 12, 2013 7:51 AM