Network operations have begun before Windows Firewall works?

  • Question

  • Hi,

    I have written a WFP driver. In testing, I find that before my callout functions are registered successfully, some network operations from services have already begun.

    To verify it, I reproduced the issue with Windows Firewall.

    Test steps:

    1) On machine1, add an inbound rule in Windows Firewall: any program, any port, any protocol, action=block.

    2) On machine1, add an outbound rule in Windows Firewall: any program, any port, any protocol, action=block.

    3) Install COMODO Firewall (firewall disabled, used only for monitoring network activity).

    4) On another machine, launch Wireshark and set a capture filter for machine1's packets.

    5) Reboot machine1.

    6) Open the active connections view of COMODO Firewall on machine1.

    Expected result:

    1) In the active connections GUI of COMODO Firewall, there are no connections.

    2) In Wireshark, there is no packet communication.

    Actual result:

    1) In the active connections GUI of COMODO Firewall, there are lots of connections (usually outbound).

    2) In Wireshark, there are lots of outbound packets.

    I don't know why this happens. Please help me explain it. If my test steps are wrong, please point it out to me.

    Thanks,

    Rick Wang


    Thursday, April 28, 2011 3:21 AM

Answers

  • This is by design. Communication can occur before your driver is loaded. In fact, as soon as TCP/IP loads, communication is possible. This is why you need to implement what is called boot-time policy, as well as what to do if your callouts are not registered, via the FWPM_FILTER flags.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, April 28, 2011 10:17 PM
    Moderator

All replies

  • Thanks, Dusty Harper.

    Based on your suggestion, I can add a filter with the LWF architecture or the TDI architecture before the WFP driver works, and that can meet the requirement.

    But I remember that I once saw something like "TDI and LWF will both be removed in a future OS version" somewhere. If it is true, once LWF is dropped, how can I implement the function? Please give me some advice about it.

    Thanks again.

    Rick Wang

    Friday, April 29, 2011 2:16 AM
  • I have found helpful information at http://social.msdn.microsoft.com/Forums/en-GB/wfp/thread/1d412488-9afb-4d25-8154-f708170fc271; I will try testing it with FWPM_FILTER_FLAG_BOOTTIME. Thanks a lot!
    Friday, April 29, 2011 6:39 AM
  • But I remember that I once saw something like "TDI and LWF will both be removed in a future OS version" somewhere. If it is true, once LWF is dropped, how can I implement the function? Please give me some advice about it.

    From the DDC 2008 presentation "Windows Filtering Platform Enhancements in Windows 7" (http://download.microsoft.com/download/d/1/d/d1dd7745-426b-4cc3-a269-abbbe427c0ef/net-t722_ddc08.pptx):

    Designed to eventually replace filtering technologies such as:

    • Transport Driver Interface (TDI)
    • NDIS Light Weight Filtering (LWF)
    • WinSock Layered Service Provider (LSP)

    I would assume that LWFs won't be removed until new features have been added to WFP.

    -- Antti

    Friday, April 29, 2011 7:41 AM
  • We have only announced deprecation of the technologies. They will not be removed until feature parity can be achieved. Even then, some of the technologies will not be removed, only advised against for particular scenarios.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    Saturday, April 30, 2011 2:30 AM
    Moderator