Teredo 的 Windows 篩選平台例外狀況
允許應用程式透過防火牆經由 Teredo 接收未經要求流量的例外狀況,必須使用 Windows 篩選平台 API 來建立。 這可藉由在 ALE 的 Teredo 子層上,針對 (應用程式 <應用程式名稱>) 的 IPv6 流量開啟傳入和傳出的應用程式型例外狀況來達成。 這可確保只有具備 Teredo 例外狀況的應用程式才能使用 Teredo。 建立這些例外狀況時應格外謹慎。 使用一般的「*」(全部) 選項,可能會讓未向 Teredo 子層或通道流量註冊的程式穿越防火牆,並造成安全性威脅。
在任何情況下,至少需要一個封鎖的應用程式,但防火牆可以新增零或多個允許的應用程式,視需要允許的應用程式數目而定。
下列範例示範如何使用一個允許和一個封鎖。
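/*--
Routine Description:
    Adds the filters needed to permit one specific application and block all
    others on the Teredo sublayer via the Windows Filtering Platform (WFP).

    Both filters are added inside a single transaction, so the engine never
    exposes an intermediate state (block present without its permit, or the
    reverse). On any failure the transaction is aborted and nothing is kept.

Arguments:
    [in] HANDLE engineHandle - Handle to the base firewall engine. Opened by
        the caller; this routine neither opens nor closes it.
    [in] FWP_BYTE_BLOB* applicationId - Identifier of the application to
        permit. Supplied by the caller and must not be redeclared here: a
        local declaration would shadow the argument and the permit condition
        would read an uninitialized pointer.

Return Value:
    NO_ERROR, or the error code of the first WFP call that failed.
--*/
DWORD Result = NO_ERROR;
DWORD TempResult;
FWPM_FILTER0 Filter;
// Sized for the permit filter, which uses the most conditions (three); the
// block filter reuses the first two slots.
FWPM_FILTER_CONDITION0 FilterConditions[3];

printf("Starting Transaction\n");
Result = FwpmTransactionBegin0(engineHandle, 0);
if (NO_ERROR != Result)
{
    // No transaction is open yet, so there is nothing to abort; jump straight
    // to cleanup instead of calling FwpmTransactionAbort0 on a transaction
    // that never began.
    goto cleanup;
}
printf("Successfully Started Transaction\n");

//
// Filter 1: permit IPv6 traffic accepted over the Teredo tunnel interface,
// but only for the given application.
//
RtlZeroMemory(&Filter, sizeof(Filter));
Filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
Filter.displayData.name = L"Teredo Filter for Application Specific Permit";
Filter.displayData.description = L"Implement Teredo Filter for Application Specific Permit at the Recv Accept layer";
Filter.action.type = FWP_ACTION_PERMIT;
Filter.subLayerKey = FWPM_SUBLAYER_TEREDO;
// FWP_EMPTY lets the engine derive the weight from the filter's conditions.
// Both filters below share a sublayer, so this more specific (three-condition)
// permit is expected to outrank the two-condition block; confirm against the
// WFP weight documentation if the ordering is ever changed.
Filter.weight.type = FWP_EMPTY; // auto-weight
Filter.filterCondition = FilterConditions;
Filter.numFilterConditions = 3;

RtlZeroMemory(FilterConditions, sizeof(FilterConditions));
//
// Conditions 0 and 1 restrict the filter to IfType == Tunnel,
// TunnelType == Teredo, so it never affects native IPv6 interfaces.
//
FilterConditions[0].fieldKey = FWPM_CONDITION_INTERFACE_TYPE;
FilterConditions[0].matchType = FWP_MATCH_EQUAL;
FilterConditions[0].conditionValue.type = FWP_UINT32;
FilterConditions[0].conditionValue.uint32 = IF_TYPE_TUNNEL;

FilterConditions[1].fieldKey = FWPM_CONDITION_TUNNEL_TYPE;
FilterConditions[1].matchType = FWP_MATCH_EQUAL;
FilterConditions[1].conditionValue.type = FWP_UINT32;
FilterConditions[1].conditionValue.uint32 = TUNNEL_TYPE_TEREDO;

//
// Condition 2 names the single permitted application. This is what keeps the
// exception narrow: no wildcard, one application identifier.
//
FilterConditions[2].fieldKey = FWPM_CONDITION_ALE_APP_ID;
FilterConditions[2].matchType = FWP_MATCH_EQUAL;
FilterConditions[2].conditionValue.type = FWP_BYTE_BLOB_TYPE;
FilterConditions[2].conditionValue.byteBlob = applicationId;

printf("Adding Recv Accept Application specific V6 Teredo Filter.\n");
Result = FwpmFilterAdd0(engineHandle,
                        &Filter,
                        NULL,   // default security descriptor
                        NULL);  // runtime filter id not needed
if (NO_ERROR != Result)
{
    goto abort;
}
printf("Successfully added Recv Accept Application specific V6 Teredo Filter.\n");

//
// Filter 2: block everything else arriving over the Teredo tunnel. It carries
// only the two interface/tunnel conditions and deliberately no application
// condition, so any application without its own permit is denied.
//
// Start from a zeroed struct again rather than relying on every field having
// been overwritten above.
//
RtlZeroMemory(&Filter, sizeof(Filter));
Filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
Filter.displayData.name = L"Teredo Filter for Blocking other applications";
Filter.displayData.description = L"This blocks any other traffic coming in over the Teredo interface that hasn't explicitly been permitted.";
Filter.action.type = FWP_ACTION_BLOCK;
Filter.subLayerKey = FWPM_SUBLAYER_TEREDO;
Filter.weight.type = FWP_EMPTY; // auto-weight
Filter.filterCondition = FilterConditions;
Filter.numFilterConditions = 2;

RtlZeroMemory(FilterConditions, sizeof(FilterConditions));
//
// Same Teredo tunnel match as the permit filter.
//
FilterConditions[0].fieldKey = FWPM_CONDITION_INTERFACE_TYPE;
FilterConditions[0].matchType = FWP_MATCH_EQUAL;
FilterConditions[0].conditionValue.type = FWP_UINT32;
FilterConditions[0].conditionValue.uint32 = IF_TYPE_TUNNEL;

FilterConditions[1].fieldKey = FWPM_CONDITION_TUNNEL_TYPE;
FilterConditions[1].matchType = FWP_MATCH_EQUAL;
FilterConditions[1].conditionValue.type = FWP_UINT32;
FilterConditions[1].conditionValue.uint32 = TUNNEL_TYPE_TEREDO;

printf("Adding Recv Accept block all non-permitted V6 Teredo Filter.\n");
Result = FwpmFilterAdd0(engineHandle,
                        &Filter,
                        NULL,
                        NULL);
if (NO_ERROR != Result)
{
    goto abort;
}
printf("Successfully added Recv Accept block all non-permitted V6 Teredo Filter.\n");

printf("Committing Transaction\n");
Result = FwpmTransactionCommit0(engineHandle);
if (NO_ERROR == Result)
{
    printf("Successfully Committed Transaction\n");
}
// A failed commit falls through to cleanup with Result set; the engine has
// already discarded the transaction in that case, so no explicit abort.
goto cleanup;

abort:
// Reached only after FwpmTransactionBegin0 succeeded. Result already holds
// the original failure; the abort status is kept separate so it never masks
// the cause.
printf("Aborting Transaction\n");
TempResult = FwpmTransactionAbort0(engineHandle);
if (NO_ERROR == TempResult)
{
    printf("Successfully Aborted Transaction\n");
}

cleanup:
return Result;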