What Is Windows Filtering Platform?
Windows Filtering Platform (WFP) is a set of APIs and system services provided by Microsoft that allows kernel and user mode software to intercept, filter, or modify network traffic.
WFP is used by:
- Windows Defender Firewall
- VPN software
- Antivirus/EDR tools
- DLP (Data Loss Prevention) systems
- 3rd-party firewalls and network monitors
It was introduced in Windows Vista / Server 2008, and is now a critical part of Windows security and networking.
WFP Architecture: Where It Hooks
WFP operates across the entire Windows networking stack, from the lowest hardware-facing levels (NDIS drivers) to high-level HTTP traffic.
Here's a simplified diagram:
Application Layer (HTTP, DNS, SMB, etc.)
↓
Transport Layer (TCP, UDP, etc.)
↓
Network Layer (IPv4/IPv6)
↓
Link Layer (NDIS, network drivers)
You can insert filters at any of these layers. That's what makes WFP so powerful – you choose where and how deeply you want to inspect or block traffic.
For example:
- Want to block HTTP POSTs? Filter at stream layer.
- Want to scan DNS? Filter at datagram layer.
- Want to reroute packets? Filter at network layer.
WFP Filtering Flow
WFP filtering is done through:
- Filters: Rules that define what traffic to act on
- Callouts: Optional handlers (usually in kernel) that inspect, modify, or log traffic
- Sublayers: Logical groups of filters with priorities
- BFE (Base Filtering Engine): Core service that coordinates filters
Each packet that travels through the system passes through multiple layers. Your filter gets a chance to:
- Allow (FWP_ACTION_PERMIT)
- Block (FWP_ACTION_BLOCK)
- Inspect further via callout
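A practical way to see these pieces (layers, sublayers, filters and their PERMIT/BLOCK/callout actions) on a real machine is to export the live filter set with netsh and summarise it. This is an added example, not code from the original post; it assumes `netsh wfp show filters` writes its XML with a `wfpdiag/filters/item` structure whose items carry `displayData/name`, `layerKey`, `subLayerKey`, `providerKey` and `action/type` elements, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: audit the installed WFP filters by layer and action.
# Assumption: netsh exports <wfpdiag><filters><item>...</item></filters></wfpdiag>
# with the element names used below; adjust if your Windows build differs.
$exportPath = Join-Path $env:TEMP 'wfpfilters.xml'
$fileArg = "file=$exportPath"
netsh wfp show filters $fileArg | Out-Null
if (-not (Test-Path $exportPath)) { throw "netsh did not produce $exportPath" }

[xml]$doc = Get-Content -Path $exportPath -Raw

# Flatten each filter into the fields that matter for review.
$rows = foreach ($f in $doc.wfpdiag.filters.item) {
    [pscustomobject]@{
        Name     = $f.displayData.name
        Layer    = $f.layerKey        # e.g. FWPM_LAYER_ALE_AUTH_CONNECT_V4
        SubLayer = $f.subLayerKey     # sublayer = priority group the filter belongs to
        Action   = $f.action.type     # FWP_ACTION_PERMIT / FWP_ACTION_BLOCK / FWP_ACTION_CALLOUT_*
        Provider = $f.providerKey     # which product registered the filter
    }
}

# 1. How many filters act at each layer, and with which action.
#    This is the "where does traffic get blocked" picture the diagram above describes.
$rows | Group-Object Layer, Action | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Every BLOCK filter at the ALE connect layers (outbound connection authorisation),
#    the layers where host firewalls and EDR products normally deny connections.
$rows |
    Where-Object { $_.Action -eq 'FWP_ACTION_BLOCK' -and $_.Layer -like 'FWPM_LAYER_ALE_AUTH_CONNECT_V*' } |
    Sort-Object Layer, Name |
    Format-Table Layer, SubLayer, Name, Provider -AutoSize

# 3. Callout filters hand the decision to a driver: review who owns each one.
$rows | Where-Object { $_.Action -like 'FWP_ACTION_CALLOUT_*' } |
    Group-Object Provider | Select-Object Count, Name | Format-Table -AutoSize
```

An unexpected provider behind a BLOCK or callout filter, or a filter in a sublayer you do not recognise, is the kind of finding this output is meant to surface.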