为 Teredo 实现防火墙筛选器
Windows 允许应用程序设置套接字选项,允许应用程序指示通过 Windows 筛选平台接收发送到主机防火墙的 Teredo 流量的显式意图。 在 Windows 中,用于设置保护级别的套接字选项用于允许应用程序定义它愿意接收的流量类型。 更具体地说,在涉及 Teredo 流量的方案中,指定 IPV6_PROTECTION_LEVEL 套接字选项。 建议主机防火墙实现维护以下筛选器,以便有选择地允许应用程序的 Teredo 流量,同时默认阻止任何没有豁免的应用程序的流量。
边缘遍历流量的默认块筛选器
主机防火墙必须始终在ALE_AUTH_RECV_ACCEPT_V6筛选层中维护默认块筛选器,以便与指定的 接口类型隧道 和 隧道类型 Teredo 条件匹配的流量。 实现后,此筛选器指示系统中是否存在边缘遍历感知主机防火墙。 此筛选器被视为主机防火墙和 Windows 之间的 API 协定。 默认情况下,此筛选器将阻止流向任何应用程序的边缘遍历流量。
filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
filter.action.type = FWP_ACTION_BLOCK;
filter.subLayerKey = FWPM_SUBLAYER_EDGE_TRAVERSAL;
filter.weight.type = FWP_UINT64;
filter.weight.uint64 = 0;
filter.flags = 0;
filter.numFilterConditions = 2; // Or 3 depending on including the loopback condition
filter.filterCondition = filterConditions;
filter.displayData.name = L"Teredo Edge Traversal Default Block";
filter.displayData.description = L"Teredo Edge Traversal Default Block Filter.";
// Match Interface type tunnel
filterConditions[0].fieldKey = FWPM_CONDITION_INTERFACE_TYPE;
filterConditions[0].matchType = FWP_MATCH_EQUAL;
filterConditions[0].conditionValue.type = FWP_UINT32;
filterConditions[0].conditionValue.uint32 = IF_TYPE_TUNNEL;
// Match tunnel type Teredo
filterConditions[1].fieldKey = FWPM_CONDITION_TUNNEL_TYPE;
filterConditions[1].matchType = FWP_MATCH_EQUAL;
filterConditions[1].conditionValue.type = FWP_UINT32;
filterConditions[1].conditionValue.uint32 = TUNNEL_TYPE_TEREDO;
// Having this condition is OPTIONAL, including this will automatically exempt
// loopback traffic to receive Teredo.
filterConditions[2].fieldKey = FWPM_CONDITION_FLAGS;
filterConditions[2].matchType = FWP_MATCH_FLAGS_NONE_SET;
filterConditions[2].conditionValue.type = FWP_UINT32;
filterConditions[2].conditionValue.uint32 = FWP_CONDITION_FLAG_IS_LOOPBACK;
注意
接口条件的“Delivery”、“Arrival”和“Next Hop”类用于控制弱主机模型和跨接口的数据包转发。 上面的示例使用“Delivery”类。 请查看 WFP SDK 文档中 每个筛选层可用的筛选条件 ,因为安全设计必须考虑到每个情况。
允许筛选豁免应用程序
如果应用程序在侦听套接字上免除接收 Teredo 流量,则必须在主机防火墙上的ALE_AUTH_RCV_ACCEPT_V6筛选层中实现允许筛选器。 请务必注意,根据用户或应用程序配置豁免的方式,主机防火墙可以包含套接字选项。
filter.layerKey = FWPM_LAYER_ALE_AUTH_RCV_ACCEPT_V6;
filter.action.type = FWP_ACTION_PERMIT;
filter.subLayerKey = FWPM_SUBLAYER_EDGE_TRAVERSAL;
filter.weight.type = FWP_UINT64;
filter.weight.uint64= 1; // Use a weight higher than the default block
filter.flags = 0;
filter.numFilterConditions = 3; // Or 4 depending on the socket option based condition
filter.filterCondition = filterConditions;
filter.displayData.name = L"Teredo Edge Traversal Allow Application A";
filter.displayData.description = L"Teredo Edge Traversal Allow Application A Filter.";
filterConditions[0].fieldKey = FWPM_CONDITION_INTERFACE_TYPE;
filterConditions[0].matchType = FWP_MATCH_EQUAL;
filterConditions[0].conditionValue.type = FWP_UINT32;
filterConditions[0].conditionValue.uint32 = IF_TYPE_TUNNEL;
filterConditions[1].fieldKey = FWPM_CONDITION_TUNNEL_TYPE;
filterConditions[1].matchType = FWP_MATCH_EQUAL;
filterConditions[1].conditionValue.type = FWP_UINT32;
filterConditions[1].conditionValue.uint32 = TUNNEL_TYPE_TEREDO;
FWP_BYTE_BLOB byteBlob = {0};
filterConditions[2].fieldKey = FWPM_CONDITION_ALE_APP_ID;
filterConditions[2].matchType = FWP_MATCH_EQUAL;
filterConditions[2].conditionValue.type = FWP_BYTE_BLOB_TYPE;
filterConditions[2].conditionValue.byteBlob = &byteBlob;
filterConditions[2].conditionValue.byteBlob->data = (uint8 *) wszApplicationA;
filterConditions[2].conditionValue.byteBlob->size = (wcslen(wszApplicationA) + 1)*sizeof(wchar_t);
// This filter scopes to exemption to ONLY IF the socket option is set, in other words
// application has explicitly opted in to receive Teredo traffic
filterConditions[3].fieldKey = FWPM_CONDITION_ALE_SIO_FIREWALL_SOCKET_PROPERTY;
filterConditions[3].matchType = FWP_MATCH_FLAGS_ALL_SET;
filterConditions[3].conditionValue.type = FWP_UINT32;
filterConditions[3].conditionValue.uint32 = FWP_CONDITION_SOCKET_PROPERTY_FLAG_ALLOW_EDGE_TRAFFIC;
休眠标注筛选器
Windows 中的 Teredo 服务实现休眠模型。 在任何给定时间,如果没有应用程序侦听启用了边缘遍历的 UDP 或 TCP 套接字,则服务将进入休眠状态。 若要使休眠机制正常工作,主机防火墙必须为 TCP 的ALE_AUTH_LISTEN_V6筛选层中指定的每个豁免应用程序维护标注筛选器,并为基于 UDP 的应用程序ALE_RESOURCE_ASSIGNMENT_V6筛选层。 下面的示例演示 TCP 应用程序的休眠标注。
filter.layerKey = FWPM_LAYER_ALE_AUTH_LISTEN_V6;
// Use FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6 for UDP based exemption
filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
filter.action.calloutKey = FWPM_CALLOUT_EDGE_TRAVERSAL_ALE_LISTEN_V6;
// Use FWPM_CALLOUT_EDGE_TRAVERSAL_ALE_RESOURCE_ASSIGNMENT_V6 for UDP based exemption
filter.subLayerKey = FWPM_SUBLAYER_EDGE_TRAVERSAL;
filter.weight.type = FWP_UINT64;
filter.weight.uint64 = 1;
filter.flags = 0;
filter.numFilterConditions = 1; // 2 if including the socket option based condition
filter.filterCondition = filterConditions;
filter.displayData.name = L"Teredo Edge Traversal dormancy callout for app A";
filter.displayData.description = L"Teredo Edge Traversal dormancy callout filter for A.";
FWP_BYTE_BLOB byteBlob = {0};
filterConditions[0].fieldKey = FWPM_CONDITION_ALE_APP_ID;
filterConditions[0].matchType = FWP_MATCH_EQUAL;
filterConditions[0].conditionValue.type = FWP_BYTE_BLOB_TYPE;
filterConditions[0].conditionValue.byteBlob = &byteBlob;
filterConditions[0].conditionValue.byteBlob->data = (uint8 *)wszApplicationA;
filterConditions[0].conditionValue.byteBlob->size = (wcslen(wszApplicationA) + 1)*sizeof(wchar_t);
// This filter scopes to exemption to ONLY IF the socket option is set, in other words
// application has explicitly opted in to receive Teredo traffic
filterConditions[1].fieldKey = FWPM_CONDITION_ALE_SIO_FIREWALL_SOCKET_PROPERTY;
filterConditions[1].matchType = FWP_MATCH_FLAGS_ALL_SET;
filterConditions[1].conditionValue.type = FWP_UINT32;
filterConditions[1].conditionValue.uint32 = FWP_CONDITION_SOCKET_PROPERTY_FLAG_ALLOW_EDGE_TRAFFIC;