Windows Sandbox data path through WFP RRS feed

  • Question

  • Hello,

    I would like to be able to use firewall on Host machine to restrict access to network of applications running in Windows Sandbox (the Sandbox that was introduced in recent Windows 10 versions). 

    1) If the application in Sandbox does a network connection, which layers of WFP are triggered on the Host machine?
    I can receive data on L2 layers (like FWPS_LAYER_INBOUND_MAC_FRAME_ETHERNET), but nowhere else - I was hoping for FWPM_LAYER_IPFORWARD_* but traffic from Sandbox does not go there.

    2) Can firewall on host machine distinguish between Host traffic and Sandbox traffic in general?

    3) Can firewall on host machine distinguish between applications in the Sandbox?

    I believe that Windows Sandbox networking is the same as Hyper-V. Sandbox is connected through Hyper-V "Default Switch" which performs WinNAT, please correct me if I am wrong.

    Thank you

    Friday, July 12, 2019 10:48 AM

All replies

  • Hi, matusp

    I think you can read this article first. It can help you understand Windows Sandbox clearly.

    Best regards,

    Strive


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.



    Wednesday, July 17, 2019 10:12 AM
  • Hi Strive,

    Thank you for the article, but unfortunately it does not mention networking at all. It just refers to Windows containers. I have read the chapter about Windows Container Networking, but it does not refer to WFP at all :( From my observations I can tell that Sandbox is connected through Hyper-V "Default Switch" which performs WinNAT. 

    The question then would be, how is the Hyper-V "Default Switch" (which performs WinNAT) connected to WFP? How does that network traffic traverse WFP on the host machine, where can I filter it?

    Can you please point me to the documentation which deals with WFP and WinNAT?

    Best regards,

    Matusp

    Wednesday, July 17, 2019 11:44 AM
  • Hi, matusp

    You can really host networking with WinNAT to attach VMs and Containers.

    The first step in creating a host network for VMs and containers is to create an internal Hyper-V virtual switch in the host. This provides Layer-2 (Ethernet) internal connectivity between the endpoints. In order to obtain external connectivity through a NAT (using WinNAT), we add a Host vNIC to the internal vSwitch and assign the default gateway IP address of the NAT to this vNIC. This essentially creates a router so that any network traffic from one of the endpoints that is destined for an IP address outside of the internal network (e.g. bing.com) will go through the NAT translation process. 

    Note: when the Windows container feature is installed, the docker daemon creates a default NAT network automatically when it starts. To stop this network from being created, make sure the docker daemon (dockerd) is started with the ‘-b “none”’ argument specified. 

    In addition to address translation, WinNAT also allows users to create static port mappings or forwarding rules so that internal endpoints can be accessed from external clients. Take for example an IIS web server running in a container attached to the default NAT network. The IIS web server will be listening on port 80 and so it requires that any connections coming in on a particular port to the host from an external client will be forwarded or mapped to port 80 on the container. Reference Figure 2 above to see port 8080 on the host being mapped to port 80 on the container. 

    More details: Windows NAT (WinNAT) -- Capabilities and limitations

    Windows 8 and Windows Server 2012 introduce new Windows Filtering Platform programming elements. New functionality includes the following:

    • Layer 2 filtering: Provides access to the L2 (MAC) layer, allowing filtering of traffic at that layer.
    • vSwitch filtering: Allows packets traversing a vSwitch to be inspected and/or modified. WFP filters or callouts can be used at the vSwitch ingress and egress.
    • App container management: Allows access to information about app containers and network isolation connectivity issues.
    • IPsec updates: Extended IPsec functionality including connection state monitoring, certificate selection, and key management.

    For specific API updates, please refer to: Windows 8 API updates

    Best regards,

    Strive


    MSDN Community Support


    Thursday, July 18, 2019 7:04 AM
  • Hello Strive

    Thank you for your reply. I have found and read all the documents that you mentioned before asking my question. But none of them seems to give an answer :(

    I am looking for something like this: https://docs.microsoft.com/en-us/windows/win32/fwp/tcp-packet-flows with regard to Windows Sandbox networking or WinNAT.

    In other words, I am asking which WFP layers on the host machine should be triggered by communication generated from Sandbox?
    (I do not see Sandbox traffic at FWPM_LAYER_IPFORWARD_* nor FWPM_LAYER_INGRESS_VSWITCH_ETHERNET / FWPM_LAYER_EGRESS_VSWITCH_ETHERNET layers, is this OK?)

    Best regards
    Matusp

    Thursday, July 18, 2019 10:09 AM
  • Hm :( I already figured out why I am not getting data at FWPM_LAYER_INGRESS_VSWITCH_ETHERNET / FWPM_LAYER_EGRESS_VSWITCH_ETHERNET

    Problem is that "Default Switch" can't have "Microsoft Windows Filtering Platform" extension enabled.

    PS C:\> Enable-VMSwitchExtension -VMSwitchName "Default Switch" -Name "Microsoft Windows Filtering Platform"
    fails with:
    The automatic Internet Connection Sharing switch cannot be modified.

    Any ideas where else I can filter that Sandbox traffic? Or why I am not getting it at FWPM_LAYER_IPFORWARD_* layers?

    Matusp

    Thursday, July 18, 2019 11:29 AM
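As an added diagnostic (not posted by anyone in the thread), the PowerShell below audits every Hyper-V switch for the state of the "Microsoft Windows Filtering Platform" extension from Strive's feature list, reproduces the Default Switch refusal Matusp hit in a try/catch, and lists the WinNAT instances that Get-NetNat knows about. It assumes the Hyper-V and NetNat modules are installed and that it runs elevated.

```powershell
# Added example, not from the thread. Assumes the Hyper-V and NetNat
# PowerShell modules are present and the session is elevated.
#Requires -RunAsAdministrator
$wfpExt = 'Microsoft Windows Filtering Platform'

# Report, per switch, whether the WFP vSwitch extension is enabled. A switch
# that shows $false here will not deliver traffic to the
# FWPM_LAYER_*_VSWITCH_* layers no matter what callouts are registered.
foreach ($sw in Get-VMSwitch) {
    $ext = Get-VMSwitchExtension -VMSwitchName $sw.Name -Name $wfpExt `
           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Switch     = $sw.Name
        Type       = $sw.SwitchType
        WfpEnabled = if ($ext) { $ext.Enabled } else { 'n/a' }
        WfpRunning = if ($ext) { $ext.Running } else { 'n/a' }
    }
}

# Attempt to enable the extension on the Default Switch and surface the
# refusal instead of letting the script stop.
try {
    Enable-VMSwitchExtension -VMSwitchName 'Default Switch' -Name $wfpExt `
        -ErrorAction Stop | Out-Null
    Write-Host "WFP extension enabled on 'Default Switch'."
} catch {
    Write-Warning "'Default Switch' refused the WFP extension: $($_.Exception.Message)"
}

# WinNAT instances visible to the NetNat module. The Default Switch's NAT is
# managed by Internet Connection Sharing and is not expected to be listed.
Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix, Active
```

A switch that reports WfpEnabled = $true is one where vSwitch-layer filtering can be attempted; the Default Switch is the case where that option is not available.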
  • Hi Matusp,

    AFAIK, there is no current way that the host's netsec stack can block or enforce traffic from the sandbox today. May I ask the scenario you are developing for inspecting the traffic? In addition, is this an enterprise scenario?

    Regards & Fei


    MSDN Community Support

    Thursday, October 10, 2019 9:06 AM