 Post subject: WinpkFilter static filters
PostPosted: Sun Jun 08, 2008 2:46 pm 
Hello, dear WinPkFilter developers.
I am developing a program that lets users visit only certain websites (ones the provider does not bill for) and blocks access to all others.
I based it on the filter sample, which blocks access to the ntkernel.com site on port 80 and passes all other packets. I need to do the opposite, but I can't get it to work (the filter either drops all packets or passes everything).
Please give a code example in which pFilters->m_StaticFilters is filled in so that:
* All packets to all addresses are blocked.
* All packets to and from some Internet address, for example 64.251.25.36, are passed.

As I understand it, if my connection goes through a router, I need to add an allow rule for 192.168.0.1?

Please help me sort this out. Many thanks in advance.


PostPosted: Mon Jun 09, 2008 10:43 am 
Site Admin
Well, something like this:

Code:
//**************************************************************************************
      // 1. Outgoing HTTP requests filter: PASS OUT TCP packets with destination IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
      // Common values
      pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
      pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
      pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_PASS;
      pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

      // Network layer filter
      in_addr address;
      in_addr mask;

      // IP address 64.251.25.36
      address.S_un.S_un_b.s_b1 = 64;
      address.S_un.S_un_b.s_b2 = 251;
      address.S_un.S_un_b.s_b3 = 25;
      address.S_un.S_un_b.s_b4 = 36;

      // Network mask 255.255.255.255
      mask.S_un.S_un_b.s_b1 = 255;
      mask.S_un.S_un_b.s_b2 = 255;
      mask.S_un.S_un_b.s_b3 = 255;
      mask.S_un.S_un_b.s_b4 = 255;

      pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
      pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_DEST_ADDRESS;
      pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_AddressType = IP_SUBNET_V4_TYPE;
      pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
      pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
      pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

      // Transport layer filter
      pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
      pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
      pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP
      pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80;

      //******************************************************************************************
      // 2. Incoming HTTP responses filter: PASS IN TCP packets with source IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
      // Common values
      pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
      pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
      pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
      pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

      pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
      pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_SRC_ADDRESS;
      pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_AddressType = IP_SUBNET_V4_TYPE;
      pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
      pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
      pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

      // Transport layer filter
      pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
      pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
      pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP
      pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80;

      //***************************************************************************************
      // 3. Drop all packets (skipped by previous filters) without processing in user mode
      // Common values
      pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
      pFilters->m_StaticFilters[2].m_ValidFields = 0;
      pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_DROP;
      pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;


However, with this set of filters ntkernel.com will only be reachable at the address http://64.251.25.36, because DNS packets will be blocked. For DNS to work, you need to add a rule that allows DNS packets. Adding the router is not necessary (if, of course, it acts as the DNS server, then you can allow full access to it, and bother with specific DNS rules).


PostPosted: Mon Jun 09, 2008 12:39 pm 
Thanks for the help, the filter works great!
The only thing I don't understand is why PACKET_FLAG_ON_SEND and PACKET_FLAG_ON_RECEIVE have to be split into two separate rules; together in one rule they don't work.


PostPosted: Tue Jun 10, 2008 4:21 pm 
Site Admin
Well, that part is actually quite clear: the source/destination address and port depend on the packet's direction. More complex rules (including bidirectional ones) could have been implemented, but the simpler the rule, the faster it works, and in any case a complex rule can be written as a composition of simple ones.
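
A small model of the rule table discussed in this thread, added here as an example: it is not the posters' code and does not use the WinpkFilter API, and every type and function name in it is hypothetical. It assumes rules are checked in order with the first match deciding and that the router at 192.168.0.1 is the DNS resolver (the host address 10.0.0.5 is constructed); it shows why the three-rule table drops DNS, how two UDP port 53 rules placed ahead of the drop-all fix that, and why a single send+receive rule keyed on the destination does not match replies.

```cpp
// Added model of ordered, first-match filtering; names are hypothetical, not WinpkFilter's.
#include <cstdint>
#include <vector>

enum Dir : unsigned { SEND = 1, RECV = 2 };
enum Action { PASS, DROP };
enum Proto : uint8_t { ANY = 0, TCP = 6, UDP = 17 };
struct Packet { Dir dir; Proto proto; uint32_t src, dst; uint16_t sport, dport; };
// A zero field means "not checked", like a bit left clear in m_ValidFields.
struct Rule { unsigned dirs; Action action; Proto proto; uint32_t src, dst; uint16_t sport, dport; };
constexpr uint32_t ip(uint32_t a, uint32_t b, uint32_t c, uint32_t d) { return (a << 24) | (b << 16) | (c << 8) | d; }
// HOST is a constructed address; DNS assumes the router is the resolver.
const uint32_t HOST = ip(10, 0, 0, 5), SITE = ip(64, 251, 25, 36), DNS = ip(192, 168, 0, 1);

bool matches(const Rule& r, const Packet& p) {
    return (r.dirs & p.dir) && (r.proto == ANY || r.proto == p.proto)
        && (r.src == 0 || r.src == p.src) && (r.dst == 0 || r.dst == p.dst)
        && (r.sport == 0 || r.sport == p.sport) && (r.dport == 0 || r.dport == p.dport);
}

// First matching rule decides (model assumption: no match means pass).
Action evaluate(const std::vector<Rule>& table, const Packet& p) {
    for (const Rule& r : table)
        if (matches(r, p)) return r.action;
    return PASS;
}

// The three rules from the reply: HTTP out, HTTP in, then drop everything else.
std::vector<Rule> thread_rules() {
    return { {SEND, PASS, TCP, 0, SITE, 0, 80},
             {RECV, PASS, TCP, SITE, 0, 80, 0},
             {SEND | RECV, DROP, ANY, 0, 0, 0, 0} };
}

// Same table with DNS to one resolver allowed, inserted ahead of the drop-all.
std::vector<Rule> with_dns() {
    std::vector<Rule> t = thread_rules();
    t.insert(t.end() - 1, { {SEND, PASS, UDP, 0, DNS, 0, 53},
                            {RECV, PASS, UDP, DNS, 0, 53, 0} });
    return t;
}

// One rule flagged for both directions: it still tests dst/dport, so a reply
// (where the site is the source) falls through to the drop-all.
std::vector<Rule> combined() {
    return { {SEND | RECV, PASS, TCP, 0, SITE, 0, 80},
             {SEND | RECV, DROP, ANY, 0, 0, 0, 0} };
}

int main() { return evaluate(thread_rules(), {SEND, UDP, HOST, DNS, 40000, 53}) == DROP ? 0 : 1; }
```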


All times are UTC + 2 hours