Simple TDI Based Open Source Personal Firewall for NT4/2000

Gordon Darling

"Simple TDI Based Open Source Personal Firewall for NT4/2000

[download] (115K, full sources included, version 1.3, updated 2003-06-23)

ABSTRACT

This is a simple personal firewall which consists of a TDI filter
driver and a user-mode helper service. The TDI filter driver can deny incoming
and outgoing TCP connections, UDP packets and packets sent via raw sockets,
and log their activity. The user-mode helper service gets logs from the driver and
writes them to a file or the event log. It also parses the configuration file and
sends filtering rules to the driver. Filtering rules can be process-specific.
Full sources are included.

HOT NEWS!

2003-06-23

* drv\filter.c: fixed bug with wrong size check of the helper-service buffer;
* drv\ev_dg.c: fixed bug with missing SID information for incoming datagrams.

See also CHANGELOG section below.

INSTALLATION

1. Run install.bat, or install_nt4.bat for NT4
2. Edit %SystemRoot%\system32\drivers\etc\tdi_fw.conf to your taste
3. Restart Windows

HOW DOES IT WORK?

This driver hooks "\Device\Tcp", "\Device\Udp" and "\Device\RawIp" TDI
devices by IoAttachDevice() and filters TDI_CONNECT, TDI_SEND_DATAGRAM,
TDI_RECEIVE_DATAGRAM I/O controls and TDI_EVENT_CONNECT,
TDI_EVENT_RECEIVE_DATAGRAM event handlers.

The driver also has an alternate TDI hooking technique, unused by default.
The driver patches the DRIVER_OBJECT of the tcpip.sys driver and filters requests. To
use it, uncomment the define of USE_TDI_FILTERING in the sources and rebuild the
driver.

F.A.Q.

Q. What does "TDI Based" mean?

A. It means that the firewall works between the TCP/IP stack and applications.
The main advantage of using this technique instead of a simple packet filter
is stateful TCP connection inspection based on the real OS TCP/IP stack. And
the disadvantage is that this firewall can't filter packets before the TCP/IP
stack, i.e. you can't filter ICMP packets and other network packets
which are invisible to applications.

Q. Why is it "personal"?

A. That's because it can't filter forwarded/routed packets. But you can
set it up on multihomed hosts used as proxies. When forwarding isn't done by the
TCP/IP stack, the filter works OK.

Q. What are raw sockets?

A. Raw sockets are one of the ways for applications in Windows NT4 to send and receive
ICMP packets. Windows 2000 has the ability for applications to send and
receive (quite) any packets via raw sockets, and even the
ability to sniff packets on the network. If you don't use applications which
require raw sockets, you can deny their use. But applications can send
any packets to the network bypassing the TCP/IP stack, and this firewall can't help
with that."

http://ntdev.h1.ru/tdi_fw.html

Regards
Gordon
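The README above says that the driver sits between applications and the TCP/IP stack, sees TDI_CONNECT / TDI_SEND_DATAGRAM requests and TDI_EVENT_CONNECT / TDI_EVENT_RECEIVE_DATAGRAM events, and applies process-specific rules pushed down by the helper service. The following is an added, user-mode C model of that per-request decision; it is not code from tdi_fw or from the post above. The rule fields, the "*" / image-path-suffix process match, first-match-wins with a default deny, the constructed rule set and the log-line format are all assumptions of this example; the real tdi_fw.conf syntax is not shown on this page.

```c
/*
 * Added example (not tdi_fw source): a user-mode model of the decision a
 * TDI-level personal firewall makes for one request. Rule layout, process
 * matching, default-deny policy and log format are assumptions here.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef enum { PROTO_TCP, PROTO_UDP, PROTO_RAWIP } proto_t; /* \Device\Tcp, \Device\Udp, \Device\RawIp */
typedef enum { DIR_OUT, DIR_IN } dir_t;   /* OUT: TDI_CONNECT / TDI_SEND_DATAGRAM;
                                             IN:  TDI_EVENT_CONNECT / TDI_EVENT_RECEIVE_DATAGRAM */
typedef enum { ACT_DENY = 0, ACT_ALLOW = 1 } action_t;

typedef struct {
    const char *process;   /* image path suffix, "*" = any process (assumed syntax) */
    proto_t proto;
    dir_t dir;
    uint32_t net, mask;    /* remote IPv4 network, host byte order; mask 0 = any */
    uint16_t port;         /* remote port, 0 = any */
    action_t action;
} rule_t;

typedef struct {           /* what the filter sees at request time */
    const char *process;   /* full image path of the owning process */
    proto_t proto;
    dir_t dir;
    uint32_t remote_ip;
    uint16_t remote_port;
} tdi_event_t;

/* Parse a dotted quad into a host-order uint32; 0 on malformed input. */
uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* "*" matches everything; otherwise case-sensitive suffix match on the image path. */
static int process_matches(const char *pattern, const char *path)
{
    size_t lp, lq;
    if (strcmp(pattern, "*") == 0) return 1;
    lp = strlen(pattern);
    lq = strlen(path);
    return lq >= lp && strcmp(path + lq - lp, pattern) == 0;
}

int rule_matches(const rule_t *r, const tdi_event_t *ev)
{
    if (r->proto != ev->proto || r->dir != ev->dir) return 0;
    if (r->port != 0 && r->port != ev->remote_port) return 0;
    if ((ev->remote_ip & r->mask) != (r->net & r->mask)) return 0;
    return process_matches(r->process, ev->process);
}

/* First matching rule decides; no match -> deny (assumed policy). */
action_t evaluate(const rule_t *rules, size_t n, const tdi_event_t *ev)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (rule_matches(&rules[i], ev))
            return rules[i].action;
    return ACT_DENY;
}

/* Constructed rule set for this example (not a real tdi_fw.conf). */
static const rule_t RULES[] = {
    { "\\browser.exe", PROTO_TCP,   DIR_OUT, 0,           0,           443, ACT_ALLOW },
    { "\\browser.exe", PROTO_TCP,   DIR_OUT, 0,           0,           80,  ACT_ALLOW },
    { "*",             PROTO_UDP,   DIR_OUT, 0xC0A80100u, 0xFFFFFF00u, 53,  ACT_ALLOW }, /* DNS to 192.168.1.0/24 */
    { "\\smbsrv.exe",  PROTO_TCP,   DIR_IN,  0xC0A80100u, 0xFFFFFF00u, 0,   ACT_ALLOW }, /* inbound from LAN only */
    { "*",             PROTO_RAWIP, DIR_OUT, 0,           0,           0,   ACT_DENY  }, /* raw sockets off, see FAQ */
};

action_t decide(const tdi_event_t *ev)
{
    return evaluate(RULES, sizeof RULES / sizeof RULES[0], ev);
}

/* One log line per decision, in the style a helper service might write (format assumed). */
int format_log(char *buf, size_t n, const tdi_event_t *ev, action_t a)
{
    static const char *P[] = { "TCP", "UDP", "RAWIP" };
    unsigned ip = (unsigned)ev->remote_ip;
    return snprintf(buf, n, "%s %s %s %u.%u.%u.%u:%u %s",
                    a == ACT_ALLOW ? "ALLOW" : "DENY", P[ev->proto],
                    ev->dir == DIR_OUT ? "OUT" : "IN",
                    ip >> 24, (ip >> 16) & 255u, (ip >> 8) & 255u, ip & 255u,
                    (unsigned)ev->remote_port, ev->process);
}

int main(void)
{
    /* Constructed events, as the driver would see them on the three devices. */
    const tdi_event_t events[] = {
        { "C:\\Program Files\\browser.exe",  PROTO_TCP,   DIR_OUT, ip4("10.0.0.1"),     443 },
        { "C:\\Program Files\\browser.exe",  PROTO_TCP,   DIR_OUT, ip4("10.0.0.1"),     22  },
        { "C:\\WINNT\\system32\\nslookup.exe", PROTO_UDP, DIR_OUT, ip4("192.168.1.1"),  53  },
        { "C:\\WINNT\\system32\\nslookup.exe", PROTO_UDP, DIR_OUT, ip4("8.8.8.8"),      53  },
        { "C:\\srv\\smbsrv.exe",             PROTO_TCP,   DIR_IN,  ip4("192.168.2.77"), 445 },
        { "C:\\tools\\ping.exe",             PROTO_RAWIP, DIR_OUT, ip4("10.0.0.1"),     0   },
    };
    char line[160];
    size_t i;
    for (i = 0; i < sizeof events / sizeof events[0]; i++) {
        format_log(line, sizeof line, &events[i], decide(&events[i]));
        puts(line);
    }
    return 0;
}
```

The point the example makes is the one the FAQ makes: because the check happens at the TDI boundary, every request carries its owning process and a fully formed connection or datagram endpoint, so rules can key on the image path; what it never sees is anything the stack does not hand to an application, which is why the raw-socket rule here is a blanket deny rather than a per-packet filter.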