Application filtering vs Internet Filtering

Heya,
still awaiting clues on my previous post for ADSL problems, i've stumbled in another weirdness.
I've read in this forum that (and of course,this is how it should be) packet filtering (Internet filtering) takes precedence on the Application filtering.
Ok, so i created a packet rule which interdicts outbound traffic on port 80.
Then i started firefox, and allowed it to connect thru the Application filtering.
Result : firefox connects even if the packet rule inhibit port 80. The port80 packet rule log doesn't show anything.
Any clue ?

 

Hello I don't use firefox but I should,if the log is not showing anything please check that rule,if there are !! and !! or the speaker icon and it should report everthing,if you don't put !! & !! in the internet filtering rules it won't show up in a log file until you put !! & !! or the speaker icon and then you should see everything,if your using Phantoms rule-set there is a rule called www-http-1=80,it records everything.

 

Valerino, I do not confirm your observations. Browser enabled, traffic out TCP 80 blocked- browser cannot connect. Did you Apply your chages?

Network filtering has no priority over application filtering, they rather work in different places. Application filtering, as far as i can figure it out, watches connect() calls, while network filtering watches TCP/IP stack traffic.

X.

 

Sure i enabled the ! .....
Well, about how the thing work, application filtering works at TDI level (is a TDI filter), blocking application access on specific ports over a filtered protocol. The Internet filtering module as far as i can see is an NDIS intermetiade driver, so it works by watching all protocols and doing packet filtering. So, by design, NDIS receives data before TDI, so it should block port 80 even if i enable an internet browser at application (TDI) layer,simply because it receives data *before*.

Am i correct ? I do not see this behaviour, or something weird goin'on on here....
Could be the rules i added in my previous post, to let my ADSL work ? Could they enable everything, rendering the packet filter "disabled" ? I really can't understand......

valerio

 

For correctness, here's the simple "block http rule" i added...


[Rule0]
Statut=1
Valide=1
Direction=1
Filtrage=0
Avertir=1
Continuer=0
AlerteDlg=0
Name=Block HTTP
Description=Block HTTP traffic (try)
EthernetType=0
IPProtocol=1
EthernetAdd_PC_Criteria=0
EthernetAdd_PC0=0
EthernetAdd_PC1=0
EthernetAdd_PC2=0
EthernetAdd_PC3=0
EthernetAdd_PC4=0
EthernetAdd_PC5=0
EthernetAdd_Net_Criteria=0
EthernetAdd_Net0=0
EthernetAdd_Net1=0
EthernetAdd_Net2=0
EthernetAdd_Net3=0
EthernetAdd_Net4=0
EthernetAdd_Net5=0
IPAdd_PC_Criteria=0
IPAdd_PC_Bas0=0
IPAdd_PC_Bas1=0
IPAdd_PC_Bas2=0
IPAdd_PC_Bas3=0
IPAdd_PC_Haut0=0
IPAdd_PC_Haut1=0
IPAdd_PC_Haut2=0
IPAdd_PC_Haut3=0
IPAdd_Net_Criteria=0
IPAdd_Net_Bas0=0
IPAdd_Net_Bas1=0
IPAdd_Net_Bas2=0
IPAdd_Net_Bas3=0
IPAdd_Net_Haut0=0
IPAdd_Net_Haut1=0
IPAdd_Net_Haut2=0
IPAdd_Net_Haut3=0
IPFragmentOffset=0
IPFragmentFlags=0
TcpUdpPort_PC_Criteria=0
TcpUdpPort_PC_Bas=0
TcpUdpPort_PC_Haut=0
TcpUdpPort_Net_Criteria=1
TcpUdpPort_Net_Bas=80
TcpUdpPort_Net_Haut=0
IcmpCode_PC_Criteria=0
IcmpCode_PC=0
IcmpType_PC_Criteria=0
IcmpType_PC=0
BlockTCPServer=0
TCPFlagsVal=0
TCPFlagsMask=0
PluginForEdition=

[Nb rules]
Nb=1

 

I know only unix-type networking, but from what I know, TDI-NDIS processing order is exactly opposite:
(from a web page)
"Filtering of TDI operation is required for a variety of applications including:
Firewalls
Email Scanning
Monitoring Data (Not Packets) on Specified IP Addresses and Ports
Monitoring Data (Not Packet) on the IP Loopback Address (127.0.0.1)
"
X.

 

Well, it can't be the opposite In the network layer, NDIS is always the lowest layer. That's why firewalls are always implemented as NDIS intermediate (or hook) drivers, because you have access to the data coming directly from the wire, and you can see the full untouched packets. You can block it, or pass it to the layers (ndis protocols, like TCP) above. In this way firewalls protects the TCP stack. For accepted packets, the packet goes to the above layer TDI (like winsock, for example, is a TDI client). Here you have access to plain buffers, and you can see to which process a connection belongs, the data, and on which port. Finally, above winsock there's your application which uses the sockets,etc.... This on windows, of course ... donno on *nix, but NDIS afaik is always the lowest level in the network stack.

After this little precisation, why the hell i can't filter packets ? The only logs i can see are blocked UDP stuff (UDP:Any other UDP packet on port 1900, UPNP afaik), so the packet filter *somewhat* works.....

sigh

valerio

 

But PC outbound application goes from the highest level layer down. So, before connection reaches NDIS, it goes thru TDI. Exactly like ISO/OSI- you can filter out application in fe. session layer, so that it never reaches network layer. Actually, there are no TCP packets created if such filtering takes place. Take note, that LnS application filtering is outbound only filtering, for inbound traffic you need to define Network filtering rules. If it were in unix world, I would assume that LnS hooks into connect() call.
You are right about inbound packets, they are first processed by NDIS.

As for filtering- be sure that your rule is correct, that it has ! mark and that there is actually some traffic matching rule. After clicking Apply (if it is active, unghosted) allow a few seconds for the rule to catch up.

X.

 

heya,
what do you mean for "that there is actually some traffic matching rule" ?
I have authorized the browser in the "Application filtering", i created the "block TCP outbound port 80" rule in the Internet Filtering, i checked the ! to show the event in the log, enabled the rule and set it to "blocking". Is there anything else i must do ?

My point is : of course you're right saying that NDIS filter on outbound is (well,not really) nonsense, since the TDI filter can block access at the layer above. But, with my experience with other firewalls, if i enable an application to connect on a certain port (and this is always done with a TDI filter), *BUT* at the same time i put a blocking rule on that same port in the packet filter (NDIS level), the application pass the TDI layer check, but the NDIS layer blocks it since the rule matches the port. Result : the application can't connect even if it is a trusted application. This is what i'm trying to replicate. And i think LNS should work this way too....
I don't know if there's something wrong in my configuration .... i just set the enanched ruleset + those rules for my ADSL. that's all......

sorry for bothering with my stupid tests
valerio

 

Click Apply

All your assumptions about LnS are OK.

Switch to Advanced mode (Options->Advanced Options->check Advanced mode).
Create an empty network rule (Click Add, OK). Set it to Allow (no Stop), logging (!) and clear Stop processing option (yellow arrown downwards). Click Apply.
Now go to the log page and run your browser. Does HTTP traffic appears there?

X.

 

Re: Application filtering vs Internet Filtering - SOLVED!

Heya,
thanks for the advice.... enabling that "null" rule showed my that i was filtering the wrong NIC (?!?!), i had to filter the WAN miniport. Now all works as expected. Many many thanks!

valerio