Filter setup to redirect everything except one ip/port


This topic contains 2 replies, has 2 voices, and was last updated by  stsf 2 years, 10 months ago.

  • #5417

    stsf
    Participant

    Hey guys, I ran into this problem trying to set up the following scenario – I used the C# packet filter code sample as my base and modified it (by the way – thank you for adding the C# filter code sample in the latest driver release).

    filter 1 – allow IPv4 traffic to and from a particular ip/port (let’s say, 192.168.7.22 port 80) to pass
    filter 2 – redirect all ipv4 TCP packets for processing in user mode
    filter 3 – pass all other packets

    What ends up happening is that the 192.168.7.22:80 packets are still passed to the second filter and therefore passed into user mode.
    I’m guessing the default behavior of a packet when it is getting filtered is to go filter by filter until it finds a “redirect” or “block” behavior

    If I try to switch filter 1 and 2 – I get the same behavior, because the packet is caught for a redirect in the tcp filter.

    Is there a way to set up the filters so that the packets respond to the first filter they match up to – so that the 3 filter scenario described above is possible?

    Or is there an alternate way to set up the filters so that the desired behavior is achieved?

    Thanks in advance

    #7195

    Vadim Smirnov
    Moderator

    Packet is matched against the filters list and first matching filter action is applied. So there is probably something wrong with your first filter.

    #7196

    stsf
    Participant

    @SerpentFly wrote:

    Packet is matched against the filters list and first matching filter action is applied. So there is probably something wrong with your first filter.

    Yeah, just came here to say that I found out what was wrong a few minutes ago. In short, I was being stupid.

    I was using the “block ntkernel.com” filter as an example, and I changed its filter action to pass.
    That filter was set up to look at the destination address and destination ports.

    I had to set up another filter to catch source address and source ports, that solved the issue.

    So my new filter setup, for anyone interested in doing the same, is:

    filter 1 – pass tcp ipv4 packets with destination address of 192.168.7.22:80
    filter 2 – pass tcp ipv4 packets with source address of 192.168.7.22:80
    filter 3 – send all tcp ipv4 packets to user mode
    filter 4 – pass all packets
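
The first-match evaluation described in this thread, modelled as an added example (not part of any post and not the driver's API): it runs the three-filter table from the first post and the four-filter table from the last post over constructed packets, showing that a destination-only pass rule leaves replies from 192.168.7.22:80 to fall through to the TCP redirect. The `Filter`, `evaluate` and `classify` names, the client address 192.168.7.10 and the other sample addresses are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass(frozen=True)
class Filter:
    action: str                   # "pass" or "redirect" (to user mode)
    proto: Optional[str] = None   # None means "match anything"
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.proto, p.proto), (self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)

def evaluate(table, pkt):
    """First-match semantics: the first matching filter's action is applied."""
    for f in table:
        if f.matches(pkt):
            return f.action
    raise LookupError("no filter matched")  # not reached: both tables end in a catch-all

HOST, PORT = "192.168.7.22", 80
TO_HOST = Filter("pass", "tcp", dst=HOST, dport=PORT)    # destination address/port only
FROM_HOST = Filter("pass", "tcp", src=HOST, sport=PORT)  # source address/port only
REDIRECT_TCP = Filter("redirect", "tcp")
PASS_ALL = Filter("pass")

ORIGINAL = [TO_HOST, REDIRECT_TCP, PASS_ALL]          # setup from the first post
FIXED = [TO_HOST, FROM_HOST, REDIRECT_TCP, PASS_ALL]  # setup from the last post

# Constructed sample packets; client and remote addresses are made up.
SAMPLES = {
    "request": Packet("tcp", "192.168.7.10", 50000, HOST, PORT),
    "reply": Packet("tcp", HOST, PORT, "192.168.7.10", 50000),
    "other_tcp": Packet("tcp", "192.168.7.10", 50001, "203.0.113.5", 443),
    "udp": Packet("udp", "192.168.7.10", 53000, "192.168.7.1", 53),
}

def classify(table):
    return {name: evaluate(table, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("original:", classify(ORIGINAL))
    print("fixed:   ", classify(FIXED))
```
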
