實作 Teredo 的防火牆篩選
Windows 可讓應用程式設定通訊端選項,讓應用程式指出透過 Windows 篩選平台接收傳送至主機防火牆的 Teredo 流量明確意圖。 在 Windows 中,用來設定保護層級的通訊端選項可用來讓應用程式定義其願意接收的流量類型。 更具體來說,在涉及 Teredo 流量的案例中,會指定 IPV6_PROTECTION_LEVEL 通訊端選項。 建議主機防火牆實作維護下列篩選準則,以選擇性地允許應用程式的 Teredo 流量,同時針對任何應用程式預設封鎖流量,而不需要豁免。
Edge 周遊流量的預設封鎖篩選
主機防火牆必須一律維護ALE_AUTH_RECV_ACCEPT_V6篩選層內的預設區塊篩選準則,以符合指定的 介面類別型通道 和 通道類型 Teredo 條件的流量。 實作時,此篩選會指出系統中是否有邊緣周遊感知主機防火牆。 此篩選準則會視為主機防火牆與 Windows 之間的 API 合約。 根據預設,此篩選會封鎖邊緣周遊至任何應用程式的流量。
filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
filter.action.type = FWP_ACTION_BLOCK;
filter.subLayerKey = FWPM_SUBLAYER_EDGE_TRAVERSAL;
filter.weight.type = FWP_UINT64;
filter.weight.uint64 = 0;
filter.flags = 0;
filter.numFilterConditions = 2; // Or 3 depending on including the loopback condition
filter.filterCondition = filterConditions;
filter.displayData.name = L"Teredo Edge Traversal Default Block";
filter.displayData.description = L"Teredo Edge Traversal Default Block Filter.";
// Match Interface type tunnel
filterConditions[0].fieldKey = FWPM_CONDITION_INTERFACE_TYPE;
filterConditions[0].matchType = FWP_MATCH_EQUAL;
filterConditions[0].conditionValue.type = FWP_UINT32;
filterConditions[0].conditionValue.uint32 = IF_TYPE_TUNNEL;
// Match tunnel type Teredo
filterConditions[1].fieldKey = FWPM_CONDITION_TUNNEL_TYPE;
filterConditions[1].matchType = FWP_MATCH_EQUAL;
filterConditions[1].conditionValue.type = FWP_UINT32;
filterConditions[1].conditionValue.uint32 = TUNNEL_TYPE_TEREDO;
// Having this condition is OPTIONAL, including this will automatically exempt
// loopback traffic to receive Teredo.
filterConditions[2].fieldKey = FWPM_CONDITION_FLAGS;
filterConditions[2].matchType = FWP_MATCH_FLAGS_NONE_SET;
filterConditions[2].conditionValue.type = FWP_UINT32;
filterConditions[2].conditionValue.uint32 = FWP_CONDITION_FLAG_IS_LOOPBACK;
注意
介面條件的「傳遞」、「抵達」和「下一個躍點」類別可用來控制跨介面的弱式主機模型和封包轉送。 上述範例會利用 'Delivery' 類別。 請檢閱在一般 篩選層提供的篩選準則 ,因為您的安全性設計必須將每個案例納入考慮。
允許篩選豁免應用程式
如果應用程式無法接收接聽通訊端上的 Teredo 流量,則必須在主機防火牆的ALE_AUTH_RCV_ACCEPT_V6篩選層內實作允許篩選。 請務必注意,視使用者或應用程式如何設定豁免而定,主機防火牆可以包含通訊端選項。
filter.layerKey = FWPM_LAYER_ALE_AUTH_RCV_ACCEPT_V6;
filter.action.type = FWP_ACTION_PERMIT;
filter.subLayerKey = FWPM_SUBLAYER_EDGE_TRAVERSAL;
filter.weight.type = FWP_UINT64;
filter.weight.uint64= 1; // Use a weight higher than the default block
filter.flags = 0;
filter.numFilterConditions = 3; // Or 4 depending on the socket option based condition
filter.filterCondition = filterConditions;
filter.displayData.name = L"Teredo Edge Traversal Allow Application A";
filter.displayData.description = L"Teredo Edge Traversal Allow Application A Filter.";
filterConditions[0].fieldKey = FWPM_CONDITION_INTERFACE_TYPE;
filterConditions[0].matchType = FWP_MATCH_EQUAL;
filterConditions[0].conditionValue.type = FWP_UINT32;
filterConditions[0].conditionValue.uint32 = IF_TYPE_TUNNEL;
filterConditions[1].fieldKey = FWPM_CONDITION_TUNNEL_TYPE;
filterConditions[1].matchType = FWP_MATCH_EQUAL;
filterConditions[1].conditionValue.type = FWP_UINT32;
filterConditions[1].conditionValue.uint32 = TUNNEL_TYPE_TEREDO;
FWP_BYTE_BLOB byteBlob = {0};
filterConditions[2].fieldKey = FWPM_CONDITION_ALE_APP_ID;
filterConditions[2].matchType = FWP_MATCH_EQUAL;
filterConditions[2].conditionValue.type = FWP_BYTE_BLOB_TYPE;
filterConditions[2].conditionValue.byteBlob = &byteBlob;
filterConditions[2].conditionValue.byteBlob->data = (uint8 *) wszApplicationA;
filterConditions[2].conditionValue.byteBlob->size = (wcslen(wszApplicationA) + 1)*sizeof(wchar_t);
// This filter scopes to exemption to ONLY IF the socket option is set, in other words
// application has explicitly opted in to receive Teredo traffic
filterConditions[3].fieldKey = FWPM_CONDITION_ALE_SIO_FIREWALL_SOCKET_PROPERTY;
filterConditions[3].matchType = FWP_MATCH_FLAGS_ALL_SET;
filterConditions[3].conditionValue.type = FWP_UINT32;
filterConditions[3].conditionValue.uint32 = FWP_CONDITION_SOCKET_PROPERTY_FLAG_ALLOW_EDGE_TRAFFIC;
休眠注標篩選
Windows 中的 Teredo 服務會實作休眠模型。 在任何指定時間,如果沒有任何應用程式在已啟用邊緣周遊的 UDP 或 TCP 通訊端上接聽,服務就會移至休眠狀態。 若要讓休眠機制能夠運作,主機防火牆必須針對 TCP ALE_AUTH_LISTEN_V6 篩選層中指定的每個豁免應用程式維護圖說文字篩選,並針對 UDP 型應用程式ALE_RESOURCE_ASSIGNMENT_V6篩選層。 下列範例示範 TCP 應用程式的休眠圖說文字。
filter.layerKey = FWPM_LAYER_ALE_AUTH_LISTEN_V6;
// Use FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6 for UDP based exemption
filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
filter.action.calloutKey = FWPM_CALLOUT_EDGE_TRAVERSAL_ALE_LISTEN_V6;
// Use FWPM_CALLOUT_EDGE_TRAVERSAL_ALE_RESOURCE_ASSIGNMENT_V6 for UDP based exemption
filter.subLayerKey = FWPM_SUBLAYER_EDGE_TRAVERSAL;
filter.weight.type = FWP_UINT64;
filter.weight.uint64 = 1;
filter.flags = 0;
filter.numFilterConditions = 1; // 2 if including the socket option based condition
filter.filterCondition = filterConditions;
filter.displayData.name = L"Teredo Edge Traversal dormancy callout for app A";
filter.displayData.description = L"Teredo Edge Traversal dormancy callout filter for A.";
FWP_BYTE_BLOB byteBlob = {0};
filterConditions[0].fieldKey = FWPM_CONDITION_ALE_APP_ID;
filterConditions[0].matchType = FWP_MATCH_EQUAL;
filterConditions[0].conditionValue.type = FWP_BYTE_BLOB_TYPE;
filterConditions[0].conditionValue.byteBlob = &byteBlob;
filterConditions[0].conditionValue.byteBlob->data = (uint8 *)wszApplicationA;
filterConditions[0].conditionValue.byteBlob->size = (wcslen(wszApplicationA) + 1)*sizeof(wchar_t);
// This filter scopes to exemption to ONLY IF the socket option is set, in other words
// application has explicitly opted in to receive Teredo traffic
filterConditions[1].fieldKey = FWPM_CONDITION_ALE_SIO_FIREWALL_SOCKET_PROPERTY;
filterConditions[1].matchType = FWP_MATCH_FLAGS_ALL_SET;
filterConditions[1].conditionValue.type = FWP_UINT32;
filterConditions[1].conditionValue.uint32 = FWP_CONDITION_SOCKET_PROPERTY_FLAG_ALLOW_EDGE_TRAFFIC;