ALE Layers
The Application Layer Enforcement (ALE) consists of several filtering layers and many matching discard layers. All the Windows Filtering Platform (WFP) filtering engine layers, including ALE, are described in Filtering Layer Identifiers. This topic contains a more detailed description of the filtering layers that are part of ALE.
RESOURCE_ASSIGNMENT
A filter at the FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6} layer is matched for network bind operations, explicit or implicit.
If a filter at this layer is matched to authorize raw socket creation, the FWP_CONDITION_FLAG_IS_RAW_ENDPOINT flag will be set.
If a filter at this layer is matched to authorize promiscuous mode receiving, the FWP_CONDITION_ALE_PROMISCUOUS_MODE field will be set to SIO_RCVALL. For a description of SIO_RCVALL, see WSAIoctl.
Note
This is the only layer where promiscuous mode can be filtered.
If no port is specified during bind(), that is, port is set to 0 (zero), then the TCP/IP stack will select a port from the dynamic port range (19152–65535). The selected port will be classified at this layer along with the FWP_CONDITION_FLAG_IS_WILDCARD_BIND flag.
If the local address is not specified in the bind() call, the local address field is set to FWP_EMPTY.
AUTH_LISTEN
A filter at the FWPM_LAYER_ALE_AUTH_LISTEN_V{4|6} layer is matched for TCP listen() calls.
AUTH_RECV_ACCEPT
A filter at the FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} layer is matched for TCP accept() calls, for first UDP packets (unicast) from a unique remote address/port tuple, and for first inbound non-error ICMP messages (unicast) with a unique ICMP type, code, and ID.
Note
Protocols that are not TCP or ICMP are treated like UDP.
TCP packets received by raw sockets are handled similarly to UDP traffic. That is, only the first TCP send() and the first TCP recv() over raw sockets will be filtered.
AUTH_CONNECT
A filter at the FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6} layer is matched for TCP connect() calls, for first UDP packets sent to a unique remote address and port tuple, and for first outbound non-error ICMP messages with a unique ICMP type, code, and ID.
Note
Protocols that are not TCP or ICMP are treated like UDP.
TCP packets sent by raw sockets are handled similarly to UDP traffic. That is, only the first TCP send() and the first TCP recv() over raw sockets will be filtered.
FLOW_ESTABLISHED
A filter at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V{4|6} layer is matched after a TCP three-way handshake has successfully completed. For non-TCP traffic, the filter is matched immediately after filters from AUTH_RECV_ACCEPT or AUTH_CONNECT layers are matched.
A filter at this layer should not return Block or Permit.
This layer is used by callout drivers to track connection state, described in detail in the Windows Driver Kit documentation.
RESOURCE_RELEASE
A filter at the FWPM_LAYER_ALE_RESOURCE_RELEASE_V{4|6} layer is matched after resources that were allocated via RESOURCE_ASSIGNMENT have been freed.
ENDPOINT_CLOSURE
A filter at the FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V{4|6} layer is matched when a connected TCP flow or UDP sockets endpoint is closed.
CONNECT_REDIRECT
A filter at the FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6} layer allows for modification of remote addresses and ports. The outbound connection will be redirected for the duration of that connection.
BIND_REDIRECT
A filter at the FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6} layer allows for modification of the underlying socket's local address and ports. The local socket will be redirected for the lifetime of the socket
ALE DISCARD Layers
For each of the ALE layers described above the filtering engine contains a matching discard layer. The ALE discard layers are used by callouts for logging purposes. Packets and indications that have been discarded at one of the ALE filtering layers are indicated to the matching ALE discard layer.
Related topics