Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,276 through 1,290 (of 1,397 total)
  • in reply to: NeT Firewall remote administration #5735
    Vadim Smirnov
    Keymaster

      What problems do you have when configuring the firewall through a Terminal Server Client session? The only possible problem is running multiple instances of the MMC console, because only one instance can work normally with the firewall engine.

      For the server environment I would recommend running the firewall as a service, starting the MMC console only when you need to make some configuration changes. This would save you a lot of system resources.

      in reply to: FTP server behind Net Firewall #5730
      Vadim Smirnov
      Keymaster

        I’m not sure, but I think the problem is that LeechFTP uses passive FTP mode (both connections are established by the client).

        In this case:

        1) client sends command PASV to server.
        2) server starts listening on a newly allocated port and responds with command PORT with its number.
        3) client connects to this port => data channel is established.

        I would recommend you try some other FTP clients to check this issue, for example the ftp.exe integrated into Windows. If I remember correctly, Explorer and IE also use passive mode by default, but ftp.exe does not.
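The port announced in step 2 travels on the control channel in reply 227 (RFC 959) as six decimal bytes, and a firewall in front of the server has to read it to know which inbound data connection to admit. The parser and policy check below are an added example, not code from the post or from NeT Firewall; the names `parse_pasv_reply` and `pasv_pinhole_ok` and the rule of rejecting a foreign address or a port below 1024 are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Data-channel endpoint announced by the server in its reply to PASV. */
struct pasv_endpoint {
    uint8_t  ip[4];
    uint16_t port;
};

/* Parse "227 <text> (h1,h2,h3,h4,p1,p2)".
   Returns 0 on success, -1 if the line is not a well-formed 227 reply. */
int parse_pasv_reply(const char *line, struct pasv_endpoint *out)
{
    unsigned v[6];
    const char *p;
    int i;

    if (strncmp(line, "227", 3) != 0)
        return -1;
    /* The text before the numbers is not fixed: skip to the first digit. */
    for (p = line + 3; *p && !isdigit((unsigned char)*p); p++)
        ;
    for (i = 0; i < 6; i++) {
        unsigned n = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p) && digits < 3) {
            n = n * 10 + (unsigned)(*p++ - '0');
            digits++;
        }
        if (digits == 0 || n > 255 || isdigit((unsigned char)*p))
            return -1;              /* empty, out of range or too long */
        v[i] = n;
        if (i < 5 && *p++ != ',')
            return -1;              /* fewer than six fields */
    }
    for (i = 0; i < 4; i++)
        out->ip[i] = (uint8_t)v[i];
    out->port = (uint16_t)(v[4] * 256 + v[5]);
    return 0;
}

/* Assumed policy: open the data port only if the announced address is the
   server's own and the port is unprivileged, so a forged or rewritten reply
   cannot open a path to another host or to a well-known service. */
int pasv_pinhole_ok(const struct pasv_endpoint *ep, const uint8_t server_ip[4])
{
    return memcmp(ep->ip, server_ip, 4) == 0 && ep->port >= 1024;
}
```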

        in reply to: NeT Firewall is 2.3.0 – Update from 2.2 #5729
        Vadim Smirnov
        Keymaster
          in reply to: LHMON: Different data size in Send and Receive #5726
          Vadim Smirnov
          Keymaster

            Localhost Monitor works at the TDI level, so there are no actual packets there, but blocks of data instead. Some blocks can be split or merged, probably this is what you’ve experienced…

            in reply to: LHMon: IP Address 0.0.0.0 ?? #5724
            Vadim Smirnov
            Keymaster

              Could you please be a little bit more specific? What do you mean by stating “not always known”?

              At the time of connection establishment the IP address was not specified explicitly. Just treat 0.0.0.0 as any local IP.

              in reply to: LHMon: IP Address 0.0.0.0 ?? #5722
              Vadim Smirnov
              Keymaster

                “IP Address 0.0.0.0” is just any local IP address (it’s not always known from which concrete IP the connection will work from at the time of connection establishment).

                in reply to: Uninstalling NetFirewall (remotely) #5720
                Vadim Smirnov
                Keymaster

                  Hmm, don’t you think that if you could disable/uninstall firewall remotely then this firewall won’t provide any security at all? If you have the proprietary rights on the remote system (administrator) then you can disable/uninstall firewall remotely (if it is configured to allow the connections you use for administrative purposes, otherwise you won’t be able to connect) or locally. Otherwise this is not possible.

                  in reply to: Net Firewall #5719
                  Vadim Smirnov
                  Keymaster

                    You have been answered by e-mail…

                    in reply to: WinpkFilter with Windows XP Professional x64 Edition #5716
                    Vadim Smirnov
                    Keymaster

                      Yes, it will be covered by the normal licence/update…

                      in reply to: Winpkfilter on Windows 2003 Server #5717
                      Vadim Smirnov
                      Keymaster

                        There should be no problems specific to Windows 2003 Server… You should use the same registry settings as for Windows 2000/XP. I would recommend removing everything (driver and registry entries), rebooting and reinstalling everything from scratch.

                        Hope it helps…

                        in reply to: WinpkFilter with Windows XP Professional x64 Edition #5714
                        Vadim Smirnov
                        Keymaster

                          In order to use WinpkFilter on Windows x64 a special 64 bit driver build is required. We are going to support Windows x64 after it is finally released.

                          in reply to: Server Rebooting-Questions for Development Team #5710
                          Vadim Smirnov
                          Keymaster

                            >Q. Has the Net Firewall been thoroughly tested on W2K Advanced Server?

                            Yes, it was. However, I should note that even thorough testing can’t cover all possible hardware/software configurations. It was even specially tested during 12 hours under heavy network load (using WAPT) trying to reproduce the problem you had. Regretfully with no result.

                            >Q. Is Net Firewall still in beta, and if so is the development of the application being aggressively pursued, or is it considered a “stable version”? I am running version 2.2.1, which has the updated password protection.

                            It is stable and I have it running constantly on a few of my own systems without having any problems like you described.

                            >Q. I am running F-Prot Anti Virus, a virus scanning agent, that I have been able to successfully employ as the agent engine for Imail Server 8.1, has the software been tested running with F-Prot, although this is not a packet filtering application, and should not affect Net Firewall.

                            It’s hardly possible to test any product with all software available worldwide. One question, have you ever installed other firewalls? If yes, are you sure that they were completely uninstalled? Some firewalls forget or fail to remove their kernel components, which can be followed by certain conflicts.

                            >Q. The only other means of Internet security I employ is TCP/IP filtering, does this have any effect on the stability or is it a possibility that employing TCP/IP filtering can create this problem?

                            NeT Firewall does not have any known problems with MS native TCP/IP filtering, so it’s not an issue.

                            We are still trying to reproduce the problem you have. If you can provide more details about your system (hardware/software configuration, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services export, etc.) we would appreciate it.

                            in reply to: Implementing Filtering and Qos in WinpkFilter #5705
                            Vadim Smirnov
                            Keymaster

                              1. What happens to the packets which are received while I am reading from the queue? And if they are added to the queue, what happens to them when I purge the queue?

                              These packets are added to the queue until free intermediate buffers are available, after this new packets are dropped. If you call FlushAdapterPacketQueue then all queued packets for the given adapter are deleted from the queue and associated resources are released.

                              2. I have posted my code also. Can somebody point out if there is anything I am doing wrong. If required I can post the full source code?

                              Hmm, I would advise removing all “printf” output from the packet processing code because it has a serious performance impact. Also, if your system is loaded with something else during packet processing I would recommend increasing the packet processing code priority. If all of the above doesn’t improve the situation then I recommend profiling your whole application with one of the profilers available on the market (Compuware TrueTime, for example). If the achieved performance is still not enough, then the only thing to do is moving all your code into the kernel (direct integration into the WinpkFilter drivers).

                              3. Is it possible to achieve what I mentioned in the scenario using winpkfilter at all? Or is there some other way I can achieve this using winpkfilter or some other tool/library?

                              Yes, everything described can be realized using WinpkFilter. Your scenario is not unique. I’ve been working on similar solutions before. Btw, since you process only outgoing packets in the code you have provided, then what flooding do you mean? Do you run some sort of local traffic generator (UDP sender or something)? If yes, then please take into account that this application also decreases the overall performance of your filter, because it also needs processor time.

                              4. Am I doing too much processing while reading from the queue? I tested it on a pc which was doing lot of netbios flooding. It was stopping that, but it was not sending the valid packets to my gateway (ping to gateway).

                              I don’t think the code below does too much processing.

                              Hope it helps…

                              in reply to: Personal Firewalls #5701
                              Vadim Smirnov
                              Keymaster

                                TDI filter (filter driver for the MSTCP devices \Device\Tcp, \Device\Udp, \Device\Ip, \Device\RawIp, \Device\MULTICAST) detects the network operation running in the context of the calling thread/process. The same is true for the LSP DLL (another weaker approach for application level firewalls).

                                in reply to: if i have two or more adapter connect to the Internet #5704
                                Vadim Smirnov
                                Keymaster

                                  For example, it can be done like in the code below (I’m sorry, C code only)

                                  #include <windows.h>
                                  #include <stdio.h>
                                  #include <stdlib.h>
                                  // Plus the WinpkFilter SDK headers that declare CNdisApi, TCP_AdapterList,
                                  // ETH_REQUEST, INTERMEDIATE_BUFFER, ADAPTER_MODE, ether_header and iphdr.

                                  TCP_AdapterList AdList;
                                  CNdisApi api;
                                  ETH_REQUEST Request;
                                  INTERMEDIATE_BUFFER PacketBuffer;
                                  HANDLE hEvent[32];
                                  DWORD dwAdapterCount;

                                  int InitHandles()
                                  {
                                      api.GetTcpipBoundAdaptersInfo ( &AdList );

                                      ADAPTER_MODE Mode;

                                      Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

                                      dwAdapterCount = AdList.m_nAdapterCount;

                                      // hEvent has room for 32 handles only
                                      if (dwAdapterCount > 32)
                                          dwAdapterCount = 32;

                                      // Create notification events
                                      for(DWORD nCount = 0; nCount < dwAdapterCount; nCount++)
                                      {
                                          hEvent[nCount] = CreateEvent(NULL, TRUE, FALSE, NULL);

                                          Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[nCount];

                                          // Set event for helper driver
                                          if ((!hEvent[nCount])||(!api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[nCount], hEvent[nCount])))
                                          {
                                              printf ("Failed to create notification event or set it for driver.\n");
                                              return 0;
                                          }

                                          // Tunnel sent and received packets of this adapter to user mode
                                          api.SetAdapterMode(&Mode);
                                      }

                                      return 1;
                                  }

                                  void ReleaseHandles()
                                  {
                                      // This function releases packets in the adapter queue and stops listening on the interface
                                      ADAPTER_MODE Mode;

                                      for(DWORD nCount = 0; nCount < dwAdapterCount; nCount++)
                                      {
                                          Mode.dwFlags = 0;
                                          Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[nCount];

                                          // Set NULL event to release previously set event object
                                          api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[nCount], NULL);

                                          // Close the event that belongs to this adapter
                                          if (hEvent[nCount])
                                          {
                                              CloseHandle ( hEvent[nCount] );
                                              hEvent[nCount] = NULL;
                                          }

                                          // Set default adapter mode
                                          api.SetAdapterMode(&Mode);

                                          // Empty adapter packets queue
                                          api.FlushAdapterPacketQueue ((HANDLE)AdList.m_nAdapterHandle[nCount]);
                                      }
                                  }

                                  int main(int argc, char* argv[])
                                  {
                                      ether_header* pEthHeader = NULL;
                                      iphdr* pIpHeader = NULL;
                                      DWORD dwEvent;
                                      DWORD dwIndex;

                                      // .............

                                      if(!api.IsDriverLoaded())
                                      {
                                          printf ("Driver not installed on this system or failed to load.\n");
                                          return 0;
                                      }

                                      // Undo a partial setup if any adapter could not be initialized
                                      if (!InitHandles())
                                      {
                                          ReleaseHandles();
                                          return 0;
                                      }

                                      atexit (ReleaseHandles);

                                      while (TRUE)
                                      {
                                          dwEvent = WaitForMultipleObjects (dwAdapterCount, hEvent, FALSE, INFINITE );

                                          // Index of the signaled adapter; WAIT_FAILED falls outside the array
                                          dwIndex = dwEvent - WAIT_OBJECT_0;
                                          if (dwIndex >= dwAdapterCount)
                                              break;

                                          ResetEvent(hEvent[dwIndex]);

                                          // Initialize Request
                                          ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
                                          ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
                                          Request.EthPacket.Buffer = &PacketBuffer;
                                          Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwIndex];

                                          // Drain the queue of the adapter that signaled
                                          while(api.ReadPacket(&Request))
                                          {
                                              pEthHeader = (ether_header*)PacketBuffer.m_IBuffer;
                                              pIpHeader = (iphdr*)(PacketBuffer.m_IBuffer + ETHER_HEADER_LENGTH);

                                              if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
                                              {
                                                  // Place packet on the network interface
                                                  api.SendPacketToAdapter(&Request);
                                              }
                                              else
                                              {
                                                  // Indicate packet to MSTCP
                                                  api.SendPacketToMstcp(&Request);
                                              }
                                          }
                                      }

                                      return 0;
                                  }
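The loop above casts the buffer to Ethernet and IP headers and then forwards every packet unchanged; a filter would take its decision between those two steps, and must check lengths before trusting any header field. The verdict function below is an added example, not part of the post or of the WinpkFilter SDK: it uses no SDK types, and the policy of dropping UDP ports 137/138 (the NetBIOS flooding mentioned in the WinpkFilter thread above) and malformed IPv4 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Verdict for one raw Ethernet frame of `len` bytes. Every header is
   length-checked before it is read; malformed IPv4 is dropped. */
enum verdict classify_frame(const uint8_t *frame, size_t len)
{
    const uint8_t *ip;
    size_t ip_len, ihl;
    uint16_t dport;

    if (len < 14) return VERDICT_DROP;                   /* no full Ethernet header */
    if (rd16(frame + 12) != 0x0800) return VERDICT_PASS; /* not IPv4 (ARP, ...) */

    ip = frame + 14;
    ip_len = len - 14;
    if (ip_len < 20 || (ip[0] >> 4) != 4) return VERDICT_DROP;
    ihl = (size_t)(ip[0] & 0x0F) * 4;                    /* header length with options */
    if (ihl < 20 || ihl > ip_len) return VERDICT_DROP;
    if (ip[9] != 17) return VERDICT_PASS;                /* not UDP */
    if (rd16(ip + 6) & 0x1FFF) return VERDICT_PASS;      /* later fragment: no UDP header */
    if (ip_len - ihl < 8) return VERDICT_DROP;           /* truncated UDP header */

    dport = rd16(ip + ihl + 2);
    return (dport == 137 || dport == 138) ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed sample: minimal Ethernet + IPv4 + UDP frame (42 bytes, no
   payload, checksums left zero) addressed to UDP port `dport`. */
size_t build_udp_frame(uint8_t out[42], uint16_t dport)
{
    memset(out, 0, 42);
    memset(out, 0xFF, 6);                 /* broadcast destination MAC */
    out[12] = 0x08; out[13] = 0x00;       /* EtherType IPv4 */
    out[14] = 0x45;                       /* version 4, IHL 5 */
    out[17] = 28;                         /* total length 20 + 8 */
    out[22] = 64; out[23] = 17;           /* TTL, protocol UDP */
    out[36] = (uint8_t)(dport >> 8); out[37] = (uint8_t)dport;
    out[39] = 8;                          /* UDP length */
    return 42;
}
```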