Updated on 31 Jul, 2025

WFP Layers: Where to Hook In

WFP's filtering layers follow the network stack (the page maps them onto OSI terms; the actual layers correspond to where in the TCP/IP processing path a packet or socket operation is):

Layer       | What it sees                                              | Common use case
Application | Socket operations of a specific app (e.g. a DNS, HTTP or SMB client) | Filtering a browser's requests
Transport   | TCP/UDP connections and data streams                      | Blocking outbound port 443
Network     | IP packets                                                | IP blacklisting, routing decisions
Link/NDIS   | Raw frames, below TCP/IP                                  | Custom VPNs, lowest-level filtering

WFP exposes dozens of filtering points called filtering layers – each associated with a part of the network stack.

Some key ones:

Layer name                       | Trigger event
FWPM_LAYER_ALE_AUTH_CONNECT_V4   | App attempts an outbound connection (TCP connect(), or the first send on a UDP socket); classified once per connection
FWPM_LAYER_STREAM_V4             | TCP payload available, in both directions, after TCP reassembly
FWPM_LAYER_DATAGRAM_DATA_V4      | UDP (and raw) datagram payload, inbound and outbound
FWPM_LAYER_INBOUND_TRANSPORT_V4  | Inbound packet at the transport header, after IP processing and before delivery to the socket
FWPM_LAYER_OUTBOUND_TRANSPORT_V4 | Outbound packet at the transport header, before it enters the IP layer

Every one of these has a _V6 twin for IPv6. A product that only installs the _V4 filters leaves an IPv6 bypass.

Each filter you install binds to exactly one layer. Choosing the wrong one means either no filtering at all (the event you care about never passes through that layer) or a decision made too late (for example, inspecting stream data when you meant to stop the connection before the handshake).

Filters, Callouts, and Actions

Filters

A filter in WFP is like a rule:

"If traffic matches these conditions, then apply this action."

Each filter:

  • Has a layer (e.g., FWPM_LAYER_ALE_AUTH_CONNECT_V4)
  • Lives inside a sublayer
  • Can match on:
    • Protocol (TCP/UDP)
    • IP addresses
    • Ports
    • Application (FWPM_CONDITION_ALE_APP_ID, derived from the image's device path) or user (FWPM_CONDITION_ALE_USER_ID, a SID)
    • Direction, interface, and other layer-specific fields

Example (in plain English):

Block all outbound TCP connections on port 25 unless they come from smtp.exe.

In WFP that is two filters in the same sublayer: a Block on TCP/25, and a higher-weight Permit on TCP/25 whose extra condition is the application ID of smtp.exe. The permit wins inside the sublayer because of its weight, not because of the order in which the filters were added.

Actions

Actions determine what happens when a filter is matched:

Action type                    | What it does
FWP_ACTION_BLOCK               | Drops the packet or refuses the connection
FWP_ACTION_PERMIT              | Allows it through (a Block in a lower-weight sublayer can still override it unless the filter is a hard permit, FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT)
FWP_ACTION_CALLOUT_TERMINATING | Invokes your callout, which must return Permit or Block
FWP_ACTION_CALLOUT_INSPECTION  | Invokes your callout to observe only; it cannot change the verdict
FWP_ACTION_CALLOUT_UNKNOWN     | Invokes your callout, which may or may not return a verdict

You use callouts when you want to inspect, modify, log, or analyze data in detail.

Callouts

A callout is a set of kernel-mode functions (registered from a driver with FwpsCalloutRegister, and made known to the filter engine with FwpmCalloutAdd) whose classifyFn is handed the packet or stream data directly and returns the verdict.

Use a callout if:

  • You need to scan content (DLP)
  • You want to redirect traffic (VPN/tunneling)
  • You want full control over permit/block decision

Filters can exist without callouts, but a callout on its own does nothing: it is only invoked when a filter with one of the FWP_ACTION_CALLOUT_* actions references its key.
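One thing the STREAM_V4 layer does not do for you is reassemble data into convenient records: the callout is handed TCP payload in whatever chunks the stack produced, so a DLP pattern that straddles two classify calls is missed unless the callout keeps state per flow. The following is an added example, not code from the original page and not the WFP API: a portable C model of a stream classify routine in its naive and stateful forms. The pattern, the chunk boundaries and the HTTP upload sample are constructed for the demo; in a real driver the per-flow context would be attached with FwpsFlowAssociateContext0.

```c
/* Added example: model of a STREAM_V4 DLP callout, not the WFP API.
 * WFP hands a stream callout TCP payload in whatever chunks the stack
 * produced, so a pattern split across two classify calls is missed unless
 * the callout carries state per flow (FwpsFlowAssociateContext0 in a real
 * driver). Pattern and sample traffic below are constructed for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATTERN "BEGIN PRIVATE KEY"
#define PATLEN  (sizeof(PATTERN) - 1)

/* Per-flow context: the last PATLEN-1 bytes of the previous chunk. */
struct flow_ctx {
    char   tail[PATLEN - 1];
    size_t tail_len;
    int    hits;
};

static int contains(const char *buf, size_t len)
{
    if (len < PATLEN) return 0;
    for (size_t i = 0; i + PATLEN <= len; i++)
        if (memcmp(buf + i, PATTERN, PATLEN) == 0) return 1;
    return 0;
}

/* Naive classify: scans only the chunk it was handed. */
int classify_naive(const char *chunk, size_t len)
{
    return contains(chunk, len);
}

/* Stateful classify: also scans the boundary between the carried tail and
 * the start of this chunk, then updates the tail. Returns 1 on a hit. */
int classify_stream(struct flow_ctx *ctx, const char *chunk, size_t len)
{
    char   edge[2 * (PATLEN - 1)];
    size_t head = len < PATLEN - 1 ? len : PATLEN - 1;
    int    hit;

    memcpy(edge, ctx->tail, ctx->tail_len);
    memcpy(edge + ctx->tail_len, chunk, head);
    hit = contains(edge, ctx->tail_len + head) || contains(chunk, len);

    if (len >= PATLEN - 1) {
        memcpy(ctx->tail, chunk + len - (PATLEN - 1), PATLEN - 1);
        ctx->tail_len = PATLEN - 1;
    } else {
        size_t keep = ctx->tail_len + len > PATLEN - 1
                    ? PATLEN - 1 - len : ctx->tail_len;
        memmove(ctx->tail, ctx->tail + ctx->tail_len - keep, keep);
        memcpy(ctx->tail + keep, chunk, len);
        ctx->tail_len = keep + len;
    }
    ctx->hits += hit;
    return hit;
}

/* Constructed upload whose private-key header straddles two chunks. */
static const char *const SPLIT_FLOW[] = {
    "POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n-----BEGIN PRIVA",
    "TE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC\n",
};

int hits_naive(const char *const *chunks, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += classify_naive(chunks[i], strlen(chunks[i]));
    return hits;
}

int hits_stream(const char *const *chunks, size_t n)
{
    struct flow_ctx ctx = {{0}, 0, 0};
    for (size_t i = 0; i < n; i++)
        classify_stream(&ctx, chunks[i], strlen(chunks[i]));
    return ctx.hits;
}

/* Worst case for a stream callout: the stack delivers one byte at a time. */
int hits_stream_bytewise(const char *s)
{
    struct flow_ctx ctx = {{0}, 0, 0};
    for (size_t i = 0; s[i]; i++)
        classify_stream(&ctx, s + i, 1);
    return ctx.hits;
}

int main(void)
{
    printf("naive:    %d hit(s)\n", hits_naive(SPLIT_FLOW, 2));
    printf("stateful: %d hit(s)\n", hits_stream(SPLIT_FLOW, 2));
    printf("bytewise: %d hit(s)\n", hits_stream_bytewise("-----BEGIN PRIVATE KEY-----"));
    return 0;
}
```

The carried tail is deliberately one byte shorter than the pattern, so a match found in the boundary buffer always uses at least one byte from the new chunk and is never counted twice. A real callout faces the same problem for every multi-byte signature and in both directions of the stream, which is why the flow context, not the callout, is where the state lives.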

Sublayers and Prioritization

Filters are grouped into sublayers, which:

  • Organize filters by purpose or ownership (one vendor, one product)
  • Carry a weight (a UINT16); the sublayer with the highest weight is evaluated first, so a higher number means higher priority
  • Let you add, enumerate and remove a product's filters as a group

You should:

  • Create a sublayer for your product (e.g., "MyDLP_Sublayer") rather than adding filters to the universal sublayer
  • Pick a weight that places your sublayer before or after Windows Firewall and other vendors as your design requires, and remember that a Block in any sublayer is final while a Permit is soft unless you mark it hard

Example:

#include <windows.h>
#include <fwpmu.h>

// engineHandle comes from an earlier FwpmEngineOpen0 call; MY_SUBLAYER_GUID is a GUID your product generates once and reuses so the sublayer can be found again.
FWPM_SUBLAYER0 mySublayer = {0};
mySublayer.subLayerKey = MY_SUBLAYER_GUID;
mySublayer.displayData.name = L"My DLP Sublayer";
mySublayer.flags = 0;          // FWPM_SUBLAYER_FLAG_PERSISTENT if it must survive a reboot
mySublayer.weight = 0x8000;    // UINT16: higher weight is evaluated earlier (FWP_EMPTY is a value type, not a valid weight here)

DWORD status = FwpmSubLayerAdd0(engineHandle, &mySublayer, NULL);
if (status != ERROR_SUCCESS && status != FWP_E_ALREADY_EXISTS) {
    // handle failure: typically no open engine session or insufficient privileges
}
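The two-filter SMTP rule from the Filters section, the Permit/Block actions and the sublayer weights above all meet in filter arbitration. The following is an added example, not the page's code and not the WFP API: a portable C model of the engine's basic arbitration policy (sublayers in descending weight; the highest-weight matching filter decides within a sublayer; Block is final; Permit is soft unless the filter is a hard permit). The policy, the second vendor's sublayer, the image paths and the test flows are constructed, and the application path string stands in for the FWPM_CONDITION_ALE_APP_ID byte blob.

```c
/* Added example: portable C model of WFP filter arbitration, not the WFP
 * API. Rules modelled: sublayers evaluated from highest weight to lowest;
 * in each sublayer the highest-weight matching filter decides; Block is
 * final; Permit is soft (a lower sublayer may still block) unless the
 * filter is a hard permit (FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT).
 * Policy, paths and flows below are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum action { PERMIT = 0, BLOCK = 1 };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* Subset of what ALE_AUTH_CONNECT_V4 classifies on. */
struct flow { uint8_t proto; uint16_t remote_port; const char *app; };

struct sublayer { const char *name; uint16_t weight; };

struct filter {
    const char *name;
    int         sublayer;    /* index into SLS */
    uint16_t    weight;      /* higher wins within the sublayer */
    int has_proto; uint8_t  proto;
    int has_port;  uint16_t port;
    const char *app;         /* NULL: no application condition */
    enum action action;
    int         hard;        /* hard permit: ends evaluation */
};

#define NSL 2
static const struct sublayer SLS[NSL] = {
    { "MyDLP_Sublayer", 0x8000 },   /* ours: evaluated first */
    { "OtherVendor",    0x4000 },
};

/* "Block outbound TCP/25 unless from smtp.exe" is two filters in one
 * sublayer; the app-specific permit must outweigh the block. */
static const struct filter FS[] = {
    { "allow-smtp-exe",    0, 2, 1, PROTO_TCP, 1, 25,   "\\Device\\HarddiskVolume2\\Mail\\smtp.exe", PERMIT, 1 },
    { "block-smtp",        0, 1, 1, PROTO_TCP, 1, 25,   NULL, BLOCK, 0 },
    { "vendor-block-25",   1, 1, 1, PROTO_TCP, 1, 25,   NULL, BLOCK, 0 },
    { "vendor-block-4444", 1, 1, 1, PROTO_TCP, 1, 4444, NULL, BLOCK, 0 },
};
#define NF (sizeof FS / sizeof FS[0])

static int matches(const struct filter *f, const struct flow *fl)
{
    if (f->has_proto && f->proto != fl->proto)        return 0;
    if (f->has_port  && f->port  != fl->remote_port)  return 0;
    if (f->app       && strcmp(f->app, fl->app) != 0) return 0;
    return 1;
}

/* One sublayer's result: its highest-weight matching filter, or NULL. */
static const struct filter *sublayer_decide(int sl, const struct flow *fl)
{
    const struct filter *best = NULL;
    for (size_t i = 0; i < NF; i++)
        if (FS[i].sublayer == sl && matches(&FS[i], fl) &&
            (!best || FS[i].weight > best->weight))
            best = &FS[i];
    return best;
}

/* Walk sublayers in descending weight and apply the arbitration rules.
 * Model assumption: nothing matching anywhere means Permit; on a real host
 * Windows Firewall's own sublayer supplies the default filters. */
enum action classify(const struct flow *fl, const char **decided_by)
{
    int done[NSL] = {0};
    *decided_by = "(no filter matched)";
    for (int round = 0; round < NSL; round++) {
        int pick = -1;
        for (int i = 0; i < NSL; i++)
            if (!done[i] && (pick < 0 || SLS[i].weight > SLS[pick].weight))
                pick = i;
        done[pick] = 1;
        const struct filter *f = sublayer_decide(pick, fl);
        if (!f) continue;
        *decided_by = f->name;
        if (f->action == BLOCK) return BLOCK;   /* block is final */
        if (f->hard)            return PERMIT;  /* hard permit is final */
        /* soft permit: a lower-weight sublayer may still block */
    }
    return PERMIT;
}

enum action decide(uint8_t proto, uint16_t port, const char *app)
{
    struct flow fl = { proto, port, app };
    const char *by;
    enum action a = classify(&fl, &by);
    printf("%-44s %s/%-5u -> %s (%s)\n", app, proto == PROTO_TCP ? "tcp" : "udp",
           (unsigned)port, a == BLOCK ? "BLOCK" : "PERMIT", by);
    return a;
}

int main(void)
{
    decide(PROTO_TCP, 25,   "\\Device\\HarddiskVolume2\\Mail\\smtp.exe");
    decide(PROTO_TCP, 25,   "\\Device\\HarddiskVolume2\\Temp\\mailer.exe");
    decide(PROTO_TCP, 4444, "\\Device\\HarddiskVolume2\\Temp\\mailer.exe");
    decide(PROTO_TCP, 443,  "\\Device\\HarddiskVolume2\\Temp\\mailer.exe");
    decide(PROTO_UDP, 25,   "\\Device\\HarddiskVolume2\\Temp\\mailer.exe");
    return 0;
}
```

Two cases are worth tracing. smtp.exe to TCP/25 matches both of our filters; the permit wins on weight and, because it is hard, the lower-weight vendor sublayer never gets to apply its own block on port 25. Change `hard` to 0 on allow-smtp-exe and the vendor's block overrides the permit, which is exactly the soft-permit behaviour you get by default from FwpmFilterAdd0. mailer.exe to TCP/4444 matches nothing in our sublayer, so the engine carries on to the vendor's sublayer, which blocks it.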

Traffic Flow Through WFP

Let's say an app tries to open a TCP connection:

1. App calls connect() → triggers FWPM_LAYER_ALE_AUTH_CONNECT_V4, once for this connection
2. The filters in that layer are evaluated against the destination IP/port, protocol and application ID
3. If the verdict is Permit, the TCP handshake begins; if it is Block, connect() fails and no packet leaves the host
4. Data is sent or received → triggers FWPM_LAYER_STREAM_V4, repeatedly, for each chunk of stream data in either direction
5. Your callout's classifyFn inspects the stream data
6. The callout returns Permit or Block in its classify-out result, and WFP applies it

This layered processing allows:

  • Early rejection (e.g., block before handshake)
  • Deep content scanning (e.g., DLP/antivirus)
  • Real-time analytics (e.g., IDS/monitoring)

Choosing the Right Layer

Goal                        | Recommended layer
Block outbound connections  | ALE_AUTH_CONNECT_V4 (the decision is made before the handshake)
Scan HTTP/SMTP content      | STREAM_V4 (both are TCP); DATAGRAM_DATA_V4 is for UDP protocols such as DNS
Monitor all raw IP traffic  | INBOUND_IPPACKET_V4 / OUTBOUND_IPPACKET_V4 (these see every IP packet, including ICMP; the TRANSPORT layers see only packets with a transport header)
Build a transparent proxy   | ALE_CONNECT_REDIRECT_V4 to redirect connections, or STREAM_V4 with stream injection to modify data in place

Choosing the wrong layer is the most common WFP mistake.
