Filter setup to redirect everything except one ip/port

  • #5417
    stsf
    Participant

      Hey guys, I ran into this problem trying to set up the following scenario – I used the C# packet filter code sample as my base and modified it (by the way – thank you for adding the C# filter code sample in the latest driver release).

      filter 1 – allow IPv4 traffic to and from a particular ip/port (let’s say, 192.168.7.22 port 80) to pass
      Filter 2 – redirect all ipv4 TCP packets for processing in user mode
      filter 3 – pass all other packets

      What ends up happening is that the 192.168.7.22:80 packets are still passed to the second filter and therefore passed into user mode.
      I’m guessing the default behavior of a packet when it is getting filtered is to go filter by filter until it finds a “redirect” or “block” behavior.

      If I try to switch filter 1 and 2 – I get the same behavior, because the packet is caught for a redirect in the tcp filter.

      Is there a way to set up the filters so that the packets respond to the first filter they match up to – so that the 3 filter scenario described above is possible?

      Or is there an alternate way to set up the filters so that the desired behavior is achieved?

      Thanks in advance

      #7195
      Vadim Smirnov
      Keymaster

        Packet is matched against the filters list and first matching filter action is applied. So there is probably something wrong with your first filter.

        #7196
        stsf
        Participant

          @SerpentFly wrote:

          Packet is matched against the filters list and first matching filter action is applied. So there is probably something wrong with your first filter.

          Yeah, just came here to say that I found out what was wrong a few minutes ago. In short, I was being stupid.

          I was using the “block ntkernel.com” filter as an example, and I changed its filter action to pass.
          That filter was set up to look at the destination address and destination ports.

          I had to set up another filter to catch source address and source ports, that solved the issue.

          So my new filter setup, for anyone interested in doing the same, is:

          filter 1 – pass tcp ipv4 packets with destination address of 192.168.7.22:80
          filter 2 – pass tcp ipv4 packets with source address of 192.168.7.22:80
          filter 3 – send all tcp ipv4 packets to user mode
          filter 4 – pass all packets
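
The behaviour worked out in this thread, as an added example that is not part of the original posts and does not use the driver's API: a small Python model of a first-match filter table, run against the destination-only setup and the final four-filter setup. The `Packet` and `Rule` classes, the client address and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "redirect"
    proto: Optional[str] = None      # None matches any value
    src: Optional[Endpoint] = None
    dst: Optional[Endpoint] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst))

def decide(rules, packet):
    """First matching rule wins; returns (1-based filter number, action)."""
    for index, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return index, rule.action
    return None, None

HOST = ("192.168.7.22", 80)
CLIENT = ("192.168.7.10", 50000)     # constructed client endpoint

# Setup that misbehaved: the exemption only looks at the destination.
DEST_ONLY = [Rule("pass", "tcp", dst=HOST), Rule("redirect", "tcp"), Rule("pass")]
# Final setup from the thread: exemption in both directions, then redirect, then pass.
BOTH_WAYS = [Rule("pass", "tcp", dst=HOST), Rule("pass", "tcp", src=HOST),
             Rule("redirect", "tcp"), Rule("pass")]

SAMPLES = {                          # constructed packets
    "request": Packet("tcp", CLIENT, HOST),
    "reply": Packet("tcp", HOST, CLIENT),
    "other_tcp": Packet("tcp", CLIENT, ("203.0.113.5", 443)),
    "udp": Packet("udp", CLIENT, ("192.168.7.1", 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, decide(DEST_ONLY, pkt), decide(BOTH_WAYS, pkt))
```

With the destination-only table the reply from 192.168.7.22:80 falls through to the TCP redirect filter, which is the symptom described in the first post.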
