Forum Replies Created
-
Posts
-
Personally I use this one
//
// Function recalculates IP checksum
//
VOID
RecalculateIPChecksum (
iphdr_ptr pIpHeader
)
{
unsigned short word16;
unsigned int sum = 0;
unsigned int i = 0;
PUCHAR buff;// Initialize checksum to zero
pIpHeader->ip_sum = 0;
buff = (PUCHAR)pIpHeader;// Calculate IP header checksum
for (i = 0; i < pIpHeader->ip_hl*sizeof(DWORD); i=i+2)
{
word16 = ((buff<<8)&0xFF00)+(buff[i+1]&0xFF);
sum = sum+word16;
}// keep only the last 16 bits of the 32 bit calculated sum and add the carries
while (sum>>16)
sum = (sum & 0xFFFF)+(sum >> 16);// Take the one’s complement of sum
sum = ~sum;pIpHeader->ip_sum = htons((unsigned short) sum);
}NDIS_FLAGS_DONT_LOOPBACK and NDIS_FLAGS_SKIP_LOOPBACK prevents the packet from being indicated back. However, these flags are OS/NDIS specific. You can see some details here http://www.ndis.com/papers/loopback.htm
Could you please post the rule you have created and short description what it is supposed to do, probably there is something wrong with it.
Why only TCP/IP adapters can be filtered?
It is by driver design. However, driver can be extended to work below other protocols in addition to TCP/IP.
For example, you can add some flag to internal structure of packet in driver code and when program try send non TCP/IP packet to stack, driver can detect this by flag and just drop this packet…
TCP/IP is the primary protocol in the meantime and WinpkFilter main purpose is modification of it’s behaviour on different ways (firewall, NAT, VPN and etc…). Filtering absolutely all protocols on the system would cause a real mess and perfomance degradation (protocols can be joint into the stacks in the form of IM drivers, like the bridge you have mentioned).
WinpkFilter driver works between TCP/IP stack and it’s bound adapters, it does not filter non TCP/IP interfaces. As I understand you miss packets which are routed by network bridge and never reach TCP/IP stack. This is just how it should work.
However, driver can be modified to additionally support filtering between the bridge and real network interfaces below the bridge, it just requires some modifications in driver itself. If you own Source Code license you can easily do required modifications yourself, I think it should be enough to add network bridge protocol name to the list of filtered protocols.
Could you please provide more details? What OS you have expirienced this behaviour with? Is it incoming or outgoing ARP request? What network media do you use. Have you seen four response packets in WinpkFilter of using any network sniffer?
Where can I get the “virtual network interface” you mentioned ? Is it part of windows ?
Windows has built-in virtual loopback adapter, but you can make your own using one of the DDK samples.
In the meantime WinCE is not supported. There is a chance that it will be supported in the future if there is enough interest to this.
Hello Roelof,
WinpkFilter drivers works on the bottom of the Windows network stack (below TCP/IP), but application layer of Windows XP firewall works on the top of network stack (otherwise it won’t be able to control applications network access). So I don’t think that there is any easy solution to this problem.
However, may be setting up the virtual network interface, disabling Windows firewall for it and bridging it to the real network interface using WinpkFilter can solve the problem. It’s just the first idea, may be some other tricks are also possible…
Hope it helps…
You can also use medium type. See parameters passed/returned to/from NdisOpenAdapter: SelectedMediumIndex, MediumArray.
There is also a chance that you system is heavily loaded and user mode application can’t read driver log fast enough. In this case driver’s internal packet log is overloaded and it may drop some data blocks.
When you set High Security level then only packets are passed only there is a corresponding allow rule exists. So there is no wonder that your packets were blocked.
If you server works as an Internet Gateway using 3rd Stealth Level for the external card would be enough, by default all outgoing connnections are allowed but all incoming packets are blocked unless they belong to one of the locally established connections. However, this mode is strict enough, so some complex protocols which use multiply streams may have problems with it. If you use any of them you’d better use Stealth Level 2 or even Stealth Level 1.
High Security level is the best mode for the stand alone server which provides some certain services, like HTTP, FTP, e-mail and etc..
What a problems do you have when configuring firewall through Terminal Server Client session? The only possible problem is running the multiply instances of MMC console, because only one instance can work normally with firewall engine.
For the server environment I would recommend to run firewall as a service, starting MMC console only when you need to make some connfiguration changes. This would save you a lot of system resources.
I’m not sure but I think the problem is that LeechFTP uses passive FTP mode (bot connections are established by client).
In this case:
1) client sends command PASV to server.
2) server start listening newly allocated port and responses with command PORT with its number.
3) client connects to this port => data channel is established.I would recommend you to try some other FTP clients to check this issue, an example integrated into Windows http://ftp.exe. If I remember fine then explorer and IE also uses passive mode by default, but http://ftp.exe does not.
