Updated on 31 Jul, 2025 | 5 mins read | 9 views

What Is Windows Filtering Platform?

Windows Filtering Platform (WFP) is a set of APIs and system services provided by Microsoft that allows kernel and user mode software to intercept, filter, or modify network traffic.

WFP is used by:

  • Windows Defender Firewall
  • VPN software
  • Antivirus/EDR tools
  • DLP (Data Loss Prevention) systems
  • 3rd-party firewalls and network monitors

It was introduced in Windows Vista / Server 2008, and is now a critical part of Windows security and networking.

WFP Architecture: Where It Hooks

WFP operates across the entire Windows networking stack, from the lowest hardware levels (NDIS drivers) to high-level HTTP traffic.

Here's a simplified diagram:

Application Layer (HTTP, DNS, SMB, etc.)
        ↓
Transport Layer (TCP, UDP, etc.)
        ↓
Network Layer (IPv4/IPv6)
        ↓
Link Layer (NDIS, network drivers)

You can insert filters at any of these layers. That's what makes WFP so powerful – you choose where and how deeply you want to inspect or block traffic.

For example:

  • Want to block HTTP POSTs? Filter at stream layer.
  • Want to scan DNS? Filter at datagram layer.
  • Want to reroute packets? Filter at network layer.

WFP Filtering Flow

WFP filtering is done through:

  • Filters: Rules that define what traffic to act on
  • Callouts: Optional handlers (usually in kernel) that inspect, modify, or log traffic
  • Sublayers: Logical groups of filters with priorities
  • BFE (Base Filtering Engine): Core service that coordinates filters

Each packet that travels through the system passes through multiple layers. Your filter gets a chance to:

  • Allow (FWP_ACTION_PERMIT)
  • Block (FWP_ACTION_BLOCK)
  • Inspect further via callout
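To see these pieces (layers, sublayers, actions, callouts) on a real machine, here is an added example script that is not part of the original post: it exports the live filter set with `netsh wfp show filters` and summarises which layers carry block filters and where third-party callouts sit. It assumes an elevated session, and the XML element names it reads (`wfpdiag/filters/item`, `layerKey`, `subLayerKey`, `action/type`, `weight`, `providerKey`) are an assumption about netsh's export format.

```powershell
# Added example (not from the original post): dump the active WFP filter set
# and summarise it by layer, sublayer and action. Run from an elevated
# PowerShell session; netsh needs admin rights to read the BFE state.
# Assumption: element names below follow the netsh "wfp show filters" XML.
$export = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$export" | Out-Null
if (-not (Test-Path $export)) {
    throw "netsh wfp export failed; run this from an Administrator prompt."
}

[xml]$wfp = Get-Content -Path $export -Raw
$filters = $wfp.wfpdiag.filters.item

# One object per filter: the layer it hooks, the sublayer that arbitrates it,
# and its action (FWP_ACTION_PERMIT, FWP_ACTION_BLOCK or one of the
# FWP_ACTION_CALLOUT_* values that hand the packet to a callout driver).
$rows = foreach ($f in $filters) {
    [pscustomobject]@{
        Name     = $f.displayData.name
        Layer    = $f.layerKey
        SubLayer = $f.subLayerKey
        Action   = $f.action.type
        Weight   = $f.weight.uint8      # empty when the weight is not a uint8
        Provider = $f.providerKey
    }
}

# Summary 1: block filters per layer, i.e. where traffic is being dropped.
"== Block filters per layer =="
$rows | Where-Object Action -eq 'FWP_ACTION_BLOCK' |
    Group-Object Layer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Summary 2: callout filters, i.e. where EDR/VPN/DLP code inspects or
# modifies traffic instead of simply permitting or blocking it.
"== Callout filters =="
$rows | Where-Object { $_.Action -like 'FWP_ACTION_CALLOUT*' } |
    Select-Object Layer, SubLayer, Weight, Provider, Name |
    Sort-Object Layer | Format-Table -AutoSize

Remove-Item $export -ErrorAction SilentlyContinue
```

A sudden new callout filter on a high-weight sublayer, or a block filter on a layer you do not expect, is the kind of change worth alerting on when you baseline this output.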
