Re: Static filter table – netbios traffic is redirected always
“What I find strange is that even if I have set as priority rules, a rule that blocks all tcp and one all udp traffic, I still “catch” netbios (port 137, broadcast) and link local multicast resolution (port 5355) traffic on my last filter rule (the rule that says to inspect – FILTER_PACKET_REDIRECT)”
I come with new information about my findings. I simplified the filters I use and have the following conclusions:
1. In our application, packets that don’t have to be allowed/blocked/intercepted by using our custom nt kernel filters have to be allowed to pass without interception (we **don’t** need them to be passed into user mode at all).
2. What I’ve observed is that any packet that doesn’t match a specific filter seems to be intercepted by default by ntkernel (passed to user mode). Is this true?
3. In case 2 is true, how do I define a “default” filter rule so that all non-matched (by higher-priority filters) traffic gets allowed (FILTER_PACKET_PASS) and not intercepted (FILTER_PACKET_REDIRECT)? We now use what’s below, but it seems not to match all (remaining) traffic:
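```c
/* Body of the helper that builds the last ("default") rule of the table. */
STATIC_FILTER result = {0};            /* zero-initialise every field */
result.m_Adapter.QuadPart = 0;         /* adapter handle left at 0 (intended: all interfaces) */
result.m_ValidFields = 0;              /* no fields marked valid, so no match conditions are set */
result.m_FilterAction = FILTER_PACKET_PASS;  /* pass without redirecting to user mode */
result.m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;  /* both directions */
return result;
```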
As you can see, I use m_Adapter set to 0 in the hope that the default will be to allow traffic for all network interfaces.
Any hints are appreciated.
Thanks
-Ghita