Using Proxied Connections Tracking
Proxied connections tracking is supported in Windows 8 and later versions of Windows.
This WFP feature facilitates tracking of redirection “records” from the initial redirect of a connection to the final connection to the destination. WFP also allows a callout driver to redirect connections.
Proxied Connections Tracking
With the presence of multiple proxies (for example, developed by different ISVs) the connection used by one party to communicate with the final destination could in turn be redirected by a 2nd party; and that new connection could again be redirected by the original party. Without connection tracking, the original connection might never reach its final destination as it gets stuck in the infinite proxy loop.
Additions to the Data Field Identifiers to support connection tracking include:
FWPS_FIELD_Xxx_ALE_ORIGINAL_APP_ID
The full path of the original application for proxy connections. If the application has not been proxied, this path is identical to the xxx_ALE_APP_ID.
FWPS_FIELD_Xxx_PACKAGE_ID
The package identifier is a security identifier (SID) that identifies the associated AppContainer process.
Redirecting Connections
A callout driver calls the FwpsRedirectHandleCreate0 function to create a handle that can be used to redirect TCP connections.
This section includes the following topics:
Using a Redirection Handle
Querying the Redirect State
Using a Redirection Handle
Before an ALE connect redirection callout can redirect connections to a local process, it must obtain a redirect handle with the FwpsRedirectHandleCreate0 function and put the handle in the FWPS_CONNECT_REQUEST0 structure. The callout modifies the structure in the classifyFn for the ALE connect redirect layers.
The FWPS_CONNECT_REQUEST0 structure contains the following members for redirection:
Term | Description |
---|---|
localRedirectHandle |
The redirect handle that the callout driver created by calling the FwpsRedirectHandleCreate0 function. |
localRedirectContext |
A callout driver context area that the callout driver allocated by calling the ExAllocatePoolWithTag function. |
localRedirectContextSize |
The size, in bytes, of the callout supplied context area. |
After a callout driver has finished using a redirect handle, it must call the FwpsRedirectHandleDestroy0 function to destroy the handle.
Querying the Redirect State
A callout driver calls the FwpsQueryConnectionRedirectState0 function to get the redirect state of a connection. The FWPS_CONNECTION_REDIRECT_STATE enumeration is the return type for a call to the FwpsQueryConnectionRedirectState0 function.
If the redirect status is FWPS_CONNECTION_NOT_REDIRECTED, the ALE_CONNECT_REDIRECT callout can proceed to proxy the connection.
If the redirect status is FWPS_CONNECTION_REDIRECTED_BY_SELF, the ALE_CONNECT_REDIRECT callout should return FWP_ACTION_PERMIT/FWP_ACTION_CONTINUE.
If the redirect status is FWPS_CONNECTION_REDIRECTED_BY_OTHER, the ALE_CONNECT_REDIRECT callout could proceed to proxy the connection if it does not trust the other inspector’s result.
If the redirect status is FWPS_CONNECTION_PREVIOUSLY_REDIRECTED_BY_SELF, the ALE_CONNECT_REDIRECT callout must not perform redirection even if other inspectors’ results are not acceptable. In this case, it must either permit or block the connection (at the ALE_AUTH_CONNECT layer).