Filter hostname requests via WFP


Problem description


Hi there,

I try to set up a filter to block a hostname via WFP. I searched the internet and this forum for it and found only some rare information. In this forum the answer is always that this is not possible, but the answers are quite old, so maybe there is a solution available today.

I try to filter via WFP to block requests via hostname e.g. "www.google.com". There is maybe a possibility with FWPM_LAYER_NAME_RESOLUTION_CACHE_V4

and 4 Conditions:

FWPM_CONDITION_ALE_USER_ID, FWPM_CONDITION_ALE_APP_ID, FWPM_CONDITION_IP_REMOTE_ADDRESS and finally the important one: FWPM_CONDITION_PEER_NAME. With the last parameter I tried to block www.google.com. Maybe I'm quite wrong with this suggestion ...

I also created an xml file via "netsh wfp show state" and I received the following (only the interesting part; there are more filters inside):

<item>
 <filterKey>{24c21d1a-628e-43c5-8fd7-a59ad33f137f}</filterKey>
 <displayData>
  <name>Name Resolution Cache filter</name>
  <description>Cached name resolution event</description> 
 </displayData>
 <flags/>
 <providerKey/>
 <providerData/>
 <layerKey>FWPM_LAYER_NAME_RESOLUTION_CACHE_V4</layerKey>
 <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
 <weight>
  <type>FWP_EMPTY</type>
 </weight>
 <filterCondition numItems="4">
  <item>
   <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
   <matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-5-21-1024011789-1237596223-2747892489-15974</sid>
   </conditionValue>
  </item>
  <item>
   <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
   <matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>23.35.105.121</uint32>
   </conditionValue>
  </item>
  <item>
   <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
   <matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue>
    <type>FWP_BYTE_BLOB_TYPE</type>
    <byteBlob>
     <data>75006e007300700065006300690066006900650064000000</data>
     <asString>unspecified</asString>
    </byteBlob>
   </conditionValue>
  </item>
  <item>
   <fieldKey>FWPM_CONDITION_PEER_NAME</fieldKey>
   <matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue>
    <type>FWP_BYTE_BLOB_TYPE</type>
    <byteBlob>
     <data>67006f002e006d006900630072006f0073006f00660074002e0063006f006d000000</data>
     <asString>g.o...m.i.c.r.o.s.o.f.t...c.o.m...</asString>
    </byteBlob>
   </conditionValue>
  </item>
 </filterCondition>
 <action>
  <type>FWP_ACTION_PERMIT</type>
  <filterType/>
 </action>
 <rawContext>0</rawContext>
 <reserved/>
 <filterId>66773</filterId>
 <effectiveWeight>
  <type>FWP_UINT64</type>
  <uint64>1152921504606846975</uint64>
 </effectiveWeight>
</item>





With all that information, I tried to create a small sample project, but I can't get this filter and conditions to work. I always receive errors like index out of bounds, wrong filter or match type.

So my questions are:
Is this really not possible even today (and I could not believe that it is not possible ;))?

Did someone get this filter to work, or is there sample code where this filter and conditions are properly set (there is no sample included in the Microsoft sample project)?

Are there other ways to block hostnames (blocking via IP address is not an option)?

Thanks for help!
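To check what a filter like the one in the dump above actually matches, here is an added Python example (not part of the original thread) that parses a constructed excerpt of that netsh output, decodes the UTF-16LE byte blobs that netsh prints as hex, and reports the layer, decoded conditions and action. The XML excerpt and the helper names are constructed for this example; on the quoted filter it shows the peer name is go.microsoft.com and the action is PERMIT, not BLOCK.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the netsh dump quoted in the question; the
# <byteBlob><data> values are hex of NUL-terminated UTF-16LE strings.
SAMPLE_FILTER_XML = """<item>
 <layerKey>FWPM_LAYER_NAME_RESOLUTION_CACHE_V4</layerKey>
 <filterCondition numItems="3">
  <item><fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue><type>FWP_UINT32</type><uint32>23.35.105.121</uint32></conditionValue></item>
  <item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
    <data>75006e007300700065006300690066006900650064000000</data></byteBlob></conditionValue></item>
  <item><fieldKey>FWPM_CONDITION_PEER_NAME</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
   <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
    <data>67006f002e006d006900630072006f0073006f00660074002e0063006f006d000000</data></byteBlob></conditionValue></item>
 </filterCondition>
 <action><type>FWP_ACTION_PERMIT</type></action>
</item>"""


def decode_blob(hex_data: str) -> str:
    """FWP_BYTE_BLOB_TYPE strings are dumped as hex of UTF-16LE text ending in a NUL."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")


def summarize_filter(xml_text: str) -> dict:
    """Return the layer, action and decoded conditions of one <item> filter element."""
    root = ET.fromstring(xml_text)
    conditions = {}
    for cond in root.iterfind("filterCondition/item"):
        value = cond.find("conditionValue")
        vtype = value.findtext("type")
        if vtype == "FWP_BYTE_BLOB_TYPE":
            decoded = decode_blob(value.findtext("byteBlob/data"))
        else:  # scalar types sit in a tag named after the type, e.g. <uint32>, <sid>
            decoded = value.findtext(vtype[len("FWP_"):].lower())
        conditions[cond.findtext("fieldKey")] = (cond.findtext("matchType"), decoded)
    return {"layer": root.findtext("layerKey"), "action": root.findtext("action/type"),
            "conditions": conditions}


def blocks_hostname(summary: dict, hostname: str) -> bool:
    """A filter only denies a name if its action is BLOCK and PEER_NAME equals that name."""
    peer = summary["conditions"].get("FWPM_CONDITION_PEER_NAME")
    return (summary["action"] == "FWP_ACTION_BLOCK" and peer is not None
            and peer[0] == "FWP_MATCH_EQUAL" and peer[1].lower() == hostname.lower())
```

Run `summarize_filter` over each `<item>` of a real `netsh wfp show state` export to see the decoded peer names and actions rather than the dotted `asString` rendering.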







Recommended answer

I'm not sure about the method you mentioned, as I have not read the documentation for FWPM_LAYER_NAME_RESOLUTION_CACHE_V4.

However, to my knowledge what you've asked for is achievable at the FWPM_LAYER_STREAM_V4 / FWPM_LAYER_STREAM_V6 layers.


You could also use FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 / FWPM_LAYER_ALE_CONNECT_REDIRECT_V6 to redirect the underlying TCP connection into a user mode service. From there you can inspect the http headers for the hostname: attribute.

Hope this helps

