Click here to Skip to main content
11,708,312 members (67,925 online)
Click here to Skip to main content

Firewall using Vista's Windows Filtering Platform APIs

, 2 Sep 2008 CPOL 71.2K 5.1K 39
Rate this:
Please Sign up or sign in to vote.
An article on using Windows Filtering Platform of Vista to write a simple firewall

Introduction

Windows Vista contains a completely new and improved packet filtering engine called Windows Filtering Platform (WFP). Till now, Windows 2000/XP/2003 gave us the packet filtering APIs for implementing simple firewalls or packet filtering applications. However, these packet filtering APIs are discontinued in Vista in favor of WFP. So, here’s an article which shows how to use WFP APIs to write a firewall!

Windows Filtering Platform APIs

These are some of the WFP APIs that we will be using to write our firewall:

  • FwpmEngineOpen0 - This API is used to create a session with the Windows packet filtering engine.
  • FwpmSubLayerAdd0 - This API adds a new sub-layer to the packet filtering engine.
  • FwpmFilterAdd0 - This API adds filters (rules) to a sub-layer. This is analogous to PfAddFiltersToInterface API.
  • FwpmFilterDeleteById0 - This API removes existing filters from a sub-layer.
  • FwpmSubLayerDeleteByKey0 - This API deletes the sub-layer which was added by FwpmSubLayerAdd0.
  • FwpmEngineClose0 - This API closes the session opened by FwpmEngineOpen0.

Here are the steps to write a firewall using the above mentioned APIs:

  • Create a session using FwpmEngineOpen0.
  • Add a sub-layer using FwpmSubLayerAdd0.
  • Now, add filters using FwpmFilterAdd0. If you have "n" filters, then this API needs to be called "n" times.

That's it! Now, check whether you are able to access the blocked IP address via the Web browser.

Using the Code

This article contains a sample class (PacketFilter class) which encapsulates the WFP APIs. The class declaration is as shown below:

class PacketFilter
{
private:
    // Firewall engine handle.
    HANDLE m_hEngineHandle;

    // Firewall sublayer GUID.
    GUID m_subLayerGUID;

    // List of filters.
    IPFILTERINFOLIST m_lstFilters;

    // Method to get byte array format and hex format IP address from string format.
    bool ParseIPAddrString( char* szIpAddr, UINT nStrLen, 
        BYTE* pbHostOrdr, UINT nByteLen, ULONG& uHexAddr );

    // Method to create/delete packet filter interface.
    DWORD CreateDeleteInterface( bool bCreate );

    // Method to bind/unbind to/from packet filter interface.
    DWORD BindUnbindInterface( bool bBind );

    // Method to add/remove filter.
    DWORD AddRemoveFilter( bool bAdd );

public:
    // Constructor.
    PacketFilter();

    // Destructor.
    ~PacketFilter();

    // Method to add IP addresses to m_lstFilters list.
    void AddToBlockList( char* szIpAddrToBlock );

    // Method to start packet filter.
    BOOL StartFirewall();

    // Method to stop packet filter.
    BOOL StopFirewall();
};

Follow these steps to use the PacketFilter class in your application:

  • Instantiate an object of PacketFilter class.
  • Add IP addresses to be blocked using the public method PacketFilter::AddToBlockList.
  • Start the firewall using PacketFilter::StartFirewall public method.
  • Finally, terminate the firewall by calling PacketFilter::Stopfirewall public method.

Points to Note

You need Windows SDK 2008 (available here) to develop applications using Windows Filtering Platform.
Visual C++ 6.0 is incompatible with Windows SDK 2008.

History

  • 31st August, 2008: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

MaheshSatya
Software Developer
India India
No Biography provided

You may also be interested in...

Comments and Discussions

 
Questionnotify user that the Ip has been blocked Pin
Member 114603564-Aug-15 20:22
memberMember 114603564-Aug-15 20:22 
GeneralMy vote of 4 Pin
Member 1107308118-Nov-14 1:03
memberMember 1107308118-Nov-14 1:03 
QuestionWili not releasing all IPs. Pin
Mable John27-Mar-13 6:18
memberMable John27-Mar-13 6:18 
GeneralMy vote of 1 Pin
Lavrekho17-Aug-12 3:29
memberLavrekho17-Aug-12 3:29 
QuestionWFP, Wireless Hosted Network and ICS Pin
jcgalveza6-Apr-12 8:44
memberjcgalveza6-Apr-12 8:44 
QuestionAccess Denied error for FwpmFilterAdd0 function Pin
chathura66631-Mar-12 2:44
memberchathura66631-Mar-12 2:44 
QuestionHow to implement firewall for windows XP and newer windows using win32 sdk Pin
amityadav4a3-Mar-12 23:54
memberamityadav4a3-Mar-12 23:54 
Questionneed help Pin
lianayizu016-Feb-12 20:15
memberlianayizu016-Feb-12 20:15 
QuestionIt dosen't work at all??? Why??? Pin
DavidChuBuaa24-Oct-10 5:30
memberDavidChuBuaa24-Oct-10 5:30 
GeneralComplete project. Pin
bx35-Aug-10 19:19
memberbx35-Aug-10 19:19 
GeneralWhitelist Pin
bx33-Aug-10 10:51
memberbx33-Aug-10 10:51 
GeneralDoes not seem to work Pin
krieg383-Mar-10 5:46
memberkrieg383-Mar-10 5:46 
GeneralRe: Does not seem to work Pin
krieg384-Mar-10 2:06
memberkrieg384-Mar-10 2:06 
Questionkernel mode v/s usr mode Pin
hardik_suri25-Feb-10 7:01
memberhardik_suri25-Feb-10 7:01 
AnswerRe: kernel mode v/s usr mode Pin
Member 814623625-Feb-12 22:56
memberMember 814623625-Feb-12 22:56 
GeneralError starting firewall. GetLastError() Pin
sireeshaj3-Dec-09 22:58
membersireeshaj3-Dec-09 22:58 
GeneralRe: Error starting firewall. GetLastError() Pin
Yaniv Mesika25-Dec-09 10:13
memberYaniv Mesika25-Dec-09 10:13 
GeneralRe: Error starting firewall. GetLastError() Pin
icl777-Apr-10 3:20
membericl777-Apr-10 3:20 
GeneralMy vote of 1 Pin
asdasdasdasasd13-Sep-09 14:09
memberasdasdasdasasd13-Sep-09 14:09 
GeneralMy vote of 1 Pin
nnm10-Sep-09 13:43
membernnm10-Sep-09 13:43 
Questionhelp needed Pin
icehottopes6-Aug-09 4:12
membericehottopes6-Aug-09 4:12 
QuestionHow Can i make a managed wrapper to the PacketFilter class to use in C# Pin
g k h srinivas21-Sep-08 21:26
memberg k h srinivas21-Sep-08 21:26 
AnswerRe: How Can i make a managed wrapper to the PacketFilter class to use in C# Pin
MaheshSatya22-Sep-08 2:18
memberMaheshSatya22-Sep-08 2:18 
GeneralRe: How Can i make a managed wrapper to the PacketFilter class to use in C# [modified] Pin
g k h srinivas23-Sep-08 23:48
memberg k h srinivas23-Sep-08 23:48 
GeneralRe: How Can i make a managed wrapper to the PacketFilter class to use in C# Pin
Mohammed Abed31-Mar-09 11:56
memberMohammed Abed31-Mar-09 11:56 
QuestionOpposite? Pin
sidrol18-Sep-08 8:13
membersidrol18-Sep-08 8:13 
AnswerRe: Opposite? Pin
suren_hisxlnc8-Sep-09 21:13
membersuren_hisxlnc8-Sep-09 21:13 
GeneralCompilation errors Pin
Ankush1232-Sep-08 20:02
memberAnkush1232-Sep-08 20:02 
GeneralRe: Compilation errors Pin
MaheshSatya3-Sep-08 8:15
memberMaheshSatya3-Sep-08 8:15 
GeneralNice one Pin
Manish K. Agarwal2-Sep-08 19:00
memberManish K. Agarwal2-Sep-08 19:00 
GeneralRe: Nice one Pin
MaheshSatya3-Sep-08 8:38
memberMaheshSatya3-Sep-08 8:38 
GeneralRe: Nice one Pin
Manish K. Agarwal4-Sep-08 1:00
memberManish K. Agarwal4-Sep-08 1:00 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.150819.1 | Last Updated 2 Sep 2008
Article Copyright 2008 by MaheshSatya
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid