XP firewall's filtering level?

Discussion in 'other firewalls' started by wat0114, Dec 27, 2007.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Just a little experiment to check the filtering "level" of XP's firewall against a software firewall, with Jetico 2 being the choice. This is not a thread about pitting one firewall against another; I have no doubts about the inbound filtering effectiveness of XP's firewall being first-rate. I suppose what I'm trying to determine is at what layer of the OSI model XP firewall filters compared to some software firewalls.

    Using Wireshark to capture data, I placed my network adapter's IP address on the DMZ of my home router (DI-624). No web browsers or any kind of software running to communicate over the Internet. I'm only interested in collecting random Internet "noise". I have also erased (hopefully) any data that could cause privacy concerns.

    Third screenshot shows my adapter's properties (note the WinPcap network monitor driver).

    Test 1

    1. Disabled Jetico 2, enabled XP firewall.

    2. ~ 10 min later, Wireshark captures the data seen in the first screenshot.

    Note the amount of data collected.

    Test 2

    3. Enabled Jetico 2, disabled XP firewall.

    4. ~30 min later (3x that of the first scenario), Wireshark captures the data seen in the second screenshot.

    Note that the only data collected is ARP broadcasts between my adapter and router. Nothing else.

    The above two scenarios repeated exactly with same results.

    XP seems to filter after the adapter, whereas Jetico seems to filter it at the adapter level (sorry for the lack of technical info; I'm no expert at this).

    Does this look to be an advantage with software firewalls filtering at this level, maybe taking a load off the network adapter? I'm curious to see any comments.

    Last edited by a moderator: Dec 28, 2007
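    The comparison above can be made without eyeballing screenshots: count what the capture driver saw per protocol and flag any non-ARP frame addressed to the test host. Because nothing on the host was talking out during the test, any such frame is unsolicited noise that reached WinPcap, which is exactly what distinguishes a firewall sitting above the capture point from one sitting below it. This is an added example, not code from the thread; the two captures are constructed tshark-style summary lines, not the poster's screenshots, and the local address 192.168.0.100 is an assumption.

```python
import re
from collections import Counter

# Constructed one-line packet summaries in the shape "No. Time Src -> Dst Proto Info".
# These are NOT the thread's real captures; the addresses are documentation ranges.
CAPTURE_XP_FIREWALL = """\
1 0.000000 192.168.0.1 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.0.100? Tell 192.168.0.1
2 0.000210 192.168.0.100 -> 192.168.0.1 ARP 192.168.0.100 is at 00:11:22:33:44:55
3 12.41 203.0.113.7 -> 192.168.0.100 TCP 4431 > 135 [SYN]
4 30.02 198.51.100.9 -> 192.168.0.100 UDP Source port: 1026 Destination port: 1026
5 41.9 203.0.113.7 -> 192.168.0.100 ICMP Echo (ping) request
"""
CAPTURE_JETICO = """\
1 0.000000 192.168.0.1 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.0.100? Tell 192.168.0.1
2 0.000190 192.168.0.100 -> 192.168.0.1 ARP 192.168.0.100 is at 00:11:22:33:44:55
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_summary(text):
    """Turn summary lines into dicts; lines that do not match the shape are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append({"no": int(m.group(1)), "time": float(m.group(2)),
                           "src": m.group(3), "dst": m.group(4),
                           "proto": m.group(5), "info": m.group(6)})
    return frames

def summarize(frames, local_ip):
    """Per-protocol frame counts plus the list of non-ARP frames sent to local_ip.
    Assumption (true for the test as described): the host initiated no traffic,
    so every non-ARP frame addressed to it is unsolicited inbound noise."""
    counts = Counter(f["proto"] for f in frames)
    unsolicited = [f for f in frames if f["proto"] != "ARP" and f["dst"] == local_ip]
    return counts, unsolicited

def filtered_below_capture(frames, local_ip):
    """True when no unsolicited inbound frame reached the capture driver, which is
    what a filter placed below WinPcap (e.g. an NDIS intermediate driver) produces.
    False means the noise was captured first and filtered higher in the stack."""
    return not summarize(frames, local_ip)[1]

if __name__ == "__main__":
    for name, text in (("XP firewall", CAPTURE_XP_FIREWALL), ("Jetico", CAPTURE_JETICO)):
        counts, unsolicited = summarize(parse_summary(text), "192.168.0.100")
        print(name, dict(counts), "unsolicited:", len(unsolicited),
              "filtered below capture:", filtered_below_capture(parse_summary(text), "192.168.0.100"))
```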
  2. Nebulus

    Nebulus Registered Member

    Jan 20, 2007
    European Union
    The second image shows that Jetico is probably using an NDIS intermediate driver. This means the data is filtered before it reaches the TCP/IP stack of the OS. XP firewall filters the data at a later time - if you want to see where the WinXP firewall is placed in the TCP/IP stack, you can check http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx.
    Last edited: Dec 31, 2007
  3. lucas1985

    lucas1985 Retired Moderator

    Nov 9, 2006
    France, May 1968
    Then, the network stack might process invalid/malformed/malicious packets without filtering? This opens the door to attacks on the TCP/IP stack :blink: