falahati / WindowsFirewallHelper

A class library to manage the Windows Firewall as well as adding your program to the Windows Firewall Exception list.
MIT License
276 stars, 72 forks

Question about notification feature #32

Open harrwiss opened 5 years ago

harrwiss commented 5 years ago

Hi falahati, your class library appears to be quite sophisticated for managing the Windows Firewall rules - nice work!

However, one feature which seems to be missing (or would be nice to have) in the library is a way to get notified when packets are dropped (or a connection is blocked), together with the information about which rule blocked the connection. Essentially what is shown in Event Viewer > Security > event 5157.

This would be very useful for troubleshooting and when implementing a firewall UI.

Is this something you would consider or is it maybe available but I haven't seen it?

Thx. harry

falahati commented 5 years ago

Up until this point, this library was only a wrapper around the Windows Firewall COM interface. However, your suggestion fits nicely with this library.

Meanwhile, I can use any information I can get about this. Do you know if there is a similar event for Windows XP? And if so, what is the event ID? Is there a specific difference between the way that this event is generated and its content under Windows XP, Vista, 7, 8 and 10? In other words, I need any piece of information that might end up being helpful.

Events 2002, 2004, 2006 and 2010 also seem promising.

harrwiss commented 5 years ago

Is there a specific difference between the way that this event is generated and its content under Windows XP, Vista, 7, 8 and 10?

These events are controlled by "auditpol.exe", AFAIK. I think this link explains it quite well and is a good starting point for you: https://superuser.com/a/1141671

Similar event for Windows XP?

Don't know myself. auditpol applies to: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8 https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731451(v=ws.11)

Description of the filter events (connection/drop):

harrwiss commented 5 years ago

Doing some more research on this matter, I think utilizing the Windows Filtering Platform (WFP) would be much more promising than relying on auditpol.

Example: to find a blocking rule, you can use the following netsh commands:

In addition, there are many more functions which are useful for monitoring the operation of the filtering platform on Windows.

Best of all, a C API is available with all the functionality - but so far I haven't found a managed (C#) API for it.

WFP API documentation:

What do you think - would you be able to create a WFPHelper from that?
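The two approaches discussed in this thread (auditpol-driven Security log events 5157/5152, and netsh's view of the WFP filter set) can be combined from an elevated PowerShell prompt. The script below is an added example for illustration; it is not part of WindowsFirewallHelper and was not posted by either participant. It assumes an elevated shell on Windows Vista/7 or later, that `netsh wfp show filters` writes each filter as an `<item>` element carrying `<filterId>` and `<displayData><name>` (the element names are an assumption based on typical dumps), and that the event's `Direction` field uses the documented resource strings `%%14592` (inbound) and `%%14593` (outbound).

```powershell
# Added example (not WindowsFirewallHelper code): enable WFP failure auditing,
# read 5157 (connection blocked) / 5152 (packet dropped) from the Security log,
# and resolve each event's FilterRTID to the name of the WFP filter that fired.
# Run from an elevated PowerShell on Windows Vista/7 or later.

param(
    [int]$MaxEvents = 20,
    [string]$FilterDump = (Join-Path $env:TEMP 'wfp-filters.xml')
)

# 1. Without these audit subcategories the Security log never receives
#    5157/5152, regardless of what the firewall blocks.
auditpol.exe /set /subcategory:"Filtering Platform Connection"  /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Filtering Platform Packet Drop" /failure:enable | Out-Null

# 2. Dump the live WFP filter set so runtime filter IDs can be named.
netsh.exe wfp show filters file="$FilterDump" | Out-Null
[xml]$script:Filters = Get-Content -Path $FilterDump -Raw

function Resolve-WfpFilter {
    param([string]$RuntimeId)
    # Assumption: each filter is an <item> with <filterId> and <displayData><name>.
    $node = $script:Filters.SelectSingleNode("//item[filterId='$RuntimeId']")
    if ($null -eq $node) { return "<unknown filter $RuntimeId>" }
    return $node.displayData.name
}

function Get-WfpBlockEvent {
    param([int]$Count = 20)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157, 5152 } `
                           -MaxEvents $Count -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read EventData fields by name rather than by Properties[] position;
        # the positional layout is not identical between 5152 and 5157.
        [xml]$x = $e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Application = $d['Application']
            Direction   = if ($d['Direction'] -eq '%%14592') { 'Inbound' } else { 'Outbound' }
            Source      = '{0}:{1}' -f $d['SourceAddress'], $d['SourcePort']
            Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
            Protocol    = switch ($d['Protocol']) { '6' { 'TCP' } '17' { 'UDP' } '1' { 'ICMP' } default { $d['Protocol'] } }
            Layer       = $d['LayerName']
            FilterRTID  = $d['FilterRTID']
            FilterName  = Resolve-WfpFilter -RuntimeId $d['FilterRTID']
        }
    }
}

Get-WfpBlockEvent -Count $MaxEvents | Format-Table -AutoSize
```

The filter dump is taken once, up front, because `FilterRTID` is a runtime identifier: filters added after the dump (or by a different boot) will not resolve and show up as `<unknown filter ...>`, which is itself a useful signal when chasing a rule that a UI does not display. A firewall UI that wants live notifications rather than polling would subscribe to the Security log (for example with `Register-WinEvent`-style subscriptions or `EventLogWatcher` in .NET) using the same 5157/5152 filter.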

falahati commented 5 years ago

WFP has a rather messy API. And I thought NVAPI was overly convoluted. Structures having up to 3 different definitions, and memory management being done at the library level, make it time-consuming to port to C# successfully. But it is possible. I mean, as you can see, I like to create wrappers and helpers for native parts of Windows or other software. xD

Thanks for providing detailed information. I'll take a look into it to see if it is possible to plan a clear path to an MVP, since the whole library seems big enough that a wrapper can't be released in one go, due to the time it will consume.

harrwiss commented 5 years ago

Great! Thanks for looking into that - if it were easy, somebody would have done it already ;)

Here is some additional information which may be useful: