3

I'm attempting to set up some filters using WFP to block inbound connections to a local server (for example, a webserver listening on port 8080).

I've got a filter working which can block based on Remote Port, so I can stop processes on my machine from establishing any connections to port 8080, but I can't figure out how to block incoming connections from another machine based on the local port 8080?

Here's my code which works to block based on remote port: (It's C# using P/invoke but it's pretty much the same as if it were written in C++)

var RemotePort = 8080 # port to block

// connect to engine
var session = new Fwpm.FWPM_SESSION0 { flags = Fwpm.FWPM_SESSION_FLAG_DYNAMIC };
UInt32 engineHandle;
UnsafeNativeMethods.FwpmEngineOpen0(null, Fwpm.RPC_C_AUTHN_WINNT, IntPtr.Zero, session, out engineHandle

// create a subLayer to attach filters to
var subLayerGuid = Guid.NewGuid();
var subLayer = new Fwpm.FWPM_SUBLAYER0();
subLayer.subLayerKey = subLayerGuid;
subLayer.displayData.name = DisplayName;
subLayer.displayData.description = DisplayName;
subLayer.flags = 0;
subLayer.weight = 0x100;

UnsafeNativeMethods.FwpmSubLayerAdd0(engineHandle, subLayer, IntPtr.Zero)

var condition = new Fwpm.FWPM_FILTER_CONDITION0 {
    fieldKey = Fwpm.FWPM_CONDITION_IP_REMOTE_PORT,
    matchType = Fwpm.FWP_MATCH_TYPE.FWP_MATCH_EQUAL,
    conditionValue = {
        type = Fwpm.FWP_DATA_TYPE.FWP_UINT16,
        uint16 = RemotePort
    }
}

// create the filter itself
var fwpFilter = new Fwpm.FWPM_FILTER0();
fwpFilter.layerKey = Fwpm.FWPM_LAYER_ALE_AUTH_CONNECT_V4;
fwpFilter.action.type = Fwpm.FWP_ACTION_BLOCK;
fwpFilter.subLayerKey = subLayerGuid;

fwpFilter.weight.type = Fwpm.FWP_DATA_TYPE.FWP_EMPTY; // auto-weight.
fwpFilter.numFilterConditions = (uint)1;

var condsArray = new[]{ condition };
var condsPtr = SafeNativeMethods.MarshalArray(condsArray); // helper to create a native array from a C# one
fwpFilter.filterCondition = condsPtr;

fwpFilter.displayData.name = DisplayName;
fwpFilter.displayData.description = DisplayName;

// add the filter
UInt64 filterId = 0L;
UnsafeNativeMethods.FwpmFilterAdd0(engineHandle, ref fwpFilter, IntPtr.Zero, out filterId));

As mentioned above, this code does work to block connections with remote port of 8080. To block connections with Local Port 8080, I modified the code as follows:

var LocalPort = 8080;

var condition = new Fwpm.FWPM_FILTER_CONDITION0 {
    fieldKey = Fwpm.FWPM_CONDITION_IP_LOCAL_PORT,
    matchType = Fwpm.FWP_MATCH_TYPE.FWP_MATCH_EQUAL,
    conditionValue = {
        type = Fwpm.FWP_DATA_TYPE.FWP_UINT16,
        uint16 = LocalPort
    }
}

// create the filter itself
var fwpFilter = new Fwpm.FWPM_FILTER0();
fwpFilter.layerKey = Fwpm.FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;

MSDN implies that FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 is the right place to block inbound connections, however this doesn't work at all. I've tried FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 as well as a few other layers, but no matter what I've tried, I am always able to establish connections from another machine to a server on port 8080 on my machine.

Any help would be much appreciated

Orion Edwards
  • 121,657
  • 64
  • 239
  • 328

1 Answers1

2

You should be able to create that filter on any of the INBOUND or RECV layers that support the FWPM_CONDITION_IP_LOCAL_PORT condition, the resource to search for that is:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff549939%28v=vs.85%29.aspx

However, not all traffic passes through every layer, I am by no means an expert but one approach is to add a filter like that to every applicable layer (a half dozen or so filers) and see if that works. If so you then remove the filters one at a time till you find the set that was actually needed. There were 4 layers I needed on a recent project to stop all the traffic I was interested in.

One big caveat that may be worth noting is that traffic on localhost may not go through any WFP layers (or perhaps it was only inbound layers it skipped, I don't remember). So you can use WFP to prevent a remote connection to the port, but a local connection may still go through.

Dwayne
  • 73
  • 7