“The firewall engine (fweng.sys) and firewall service (wspsrv.exe) share an implementation of the rules engine (the component that decides if the current policy allows the traffic or not). When matching traffic to policy rules, some aspects cannot be matched by the firewall engine because performing blocked operations is not allowed in the kernel-mode context of the firewall engine. Specifically, matching user identity (authentication) and performing reverse name lookups (name resolution) are both blocking operations (APIs which involve I/O) and therefore can’t be done by the firewall engine.
The operating system network stack does not allow the driver to “delay” a packet at this stage (kernel). What the driver actually does is copy the packet to its own memory, tell the OS network stack to drop the packet, and then ask the firewall service to determine what to do next with the packet. If the firewall service decides to let this traffic through, it creates all of the necessary objects, and then tells the firewall engine to inject this packet into the OS network stack (at the firewall hook), as if it had just arrived from the lower network layers. This mechanism is called the re-inject mechanism and here are some core definitions about this mechanism:
- Re-injection is done only once for a session, when getting the TCP SYN, or first UDP (or ICMP) packet in a given session. For UDP and ICMP, a session means one minute of activity after the first packet.
- Re-injection is also done if the protocol has an application filter, regardless of whether name resolution or authentication is needed.
As can be seen from this description, connection elements are created because there is an allowing policy rule (checked by either the driver or the service), or when there is a creation element. The former represents static rules configured by the administrator. The latter is a dynamic mechanism through which firewall service components can allow traffic that they anticipate. For example, the firewall service instructs the driver to create one creation element per published server. When a client attempts to connect to the published server, the creation element allows the creation of a new connection element for this connection…”
Head on over to http://technet.microsoft.com/en-us/library/ff432667.aspx for the rest of the story!
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)
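To make the split described in the quoted text concrete, here is a small Python model of the decision path (an added illustration for this post, not code from the TechNet article and not Forefront TMG's own implementation). All class, field and function names are invented for the example; the policy, the address-to-user and address-to-name tables, and the published server are constructed sample data. Two further assumptions are labelled in the code: the UDP/ICMP "one minute of activity" session is modelled as a fixed 60 s window from the first packet, and a mid-session packet with no connection element is dropped. Plain dictionary lookups stand in for the blocking authentication and reverse-lookup I/O that only the service may perform.

```python
"""Model of the re-inject decision path: kernel engine vs. user-mode service.

Added example, not TMG code. The engine evaluates only non-blocking fields
(protocol, port); a rule that needs authentication, a reverse name lookup, or
an application filter is handed to the service, which decides and, if it
allows, has the engine create a connection element and re-inject the saved
packet. Re-injection happens once per session (TCP SYN / first UDP or ICMP).
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption: "one minute of activity after the first packet" modelled as a
# fixed 60 s window that starts at the first packet of a UDP/ICMP session.
UDP_ICMP_SESSION_SECONDS = 60.0


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int
    tcp_syn: bool = False
    ts: float = 0.0            # seconds; drives UDP/ICMP session expiry


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    users: frozenset = frozenset()               # non-empty -> needs authentication
    dst_names: frozenset = frozenset()           # non-empty -> needs reverse lookup
    app_filter: bool = False                     # protocol has an application filter

    def needs_service(self) -> bool:
        """Blocking match (or application filter): cannot finish in kernel mode."""
        return bool(self.users or self.dst_names or self.app_filter)

    def fast_match(self, pkt: Packet) -> bool:
        """Non-blocking part of the match, which the kernel engine can evaluate."""
        return self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport)


class FirewallService:
    """User-mode side (the text's wspsrv.exe): allowed to perform blocking I/O."""

    def __init__(self, rules, user_of: Callable[[str], Optional[str]],
                 name_of: Callable[[str], Optional[str]]):
        self.rules = rules
        self.user_of = user_of     # stands in for authentication (blocking)
        self.name_of = name_of     # stands in for reverse name lookup (blocking)

    def full_match(self, rule: Rule, pkt: Packet) -> bool:
        if not rule.fast_match(pkt):
            return False
        if rule.users and self.user_of(pkt.src) not in rule.users:
            return False
        if rule.dst_names and self.name_of(pkt.dst) not in rule.dst_names:
            return False
        return True

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:                  # first matching rule wins
            if self.full_match(rule, pkt):
                return rule.action
        return "deny"                            # default deny


class FirewallEngine:
    """Kernel-mode side (the text's fweng.sys): never blocks; owns the session table."""

    def __init__(self, rules, service: FirewallService):
        self.rules = rules
        self.service = service
        self.connections = {}            # session key -> expiry ts (None for TCP)
        self.creation_elements = set()   # (proto, dst, dport), one per published server
        self.reinjected = []             # packets handed to the service and re-injected

    def publish_server(self, proto: str, dst: str, dport: int) -> None:
        self.creation_elements.add((proto, dst, dport))

    @staticmethod
    def key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.dst, pkt.dport)

    def _live_session(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        if k not in self.connections:
            return False
        expiry = self.connections[k]
        return expiry is None or pkt.ts < expiry

    def _session_start(self, pkt: Packet) -> bool:
        return pkt.tcp_syn if pkt.proto == "tcp" else not self._live_session(pkt)

    def _create_connection(self, pkt: Packet) -> None:
        expiry = None if pkt.proto == "tcp" else pkt.ts + UDP_ICMP_SESSION_SECONDS
        self.connections[self.key(pkt)] = expiry

    def handle(self, pkt: Packet) -> tuple:
        """Return (verdict, path): who decided and how."""
        if not self._session_start(pkt):
            if self._live_session(pkt):            # matched an existing connection element
                return ("allow", "connection-element")
            return ("drop", "engine")              # assumption: no element, not a start
        if (pkt.proto, pkt.dst, pkt.dport) in self.creation_elements:
            self._create_connection(pkt)           # dynamic allow anticipated by the service
            return ("allow", "creation-element")
        for rule in self.rules:
            if not rule.fast_match(pkt):
                continue
            if rule.needs_service():
                saved = pkt                        # copy packet, drop original, ask service
                verdict = self.service.decide(saved)
                if verdict == "allow":
                    self._create_connection(saved)
                    self.reinjected.append(saved)  # re-injected at the firewall hook
                return (verdict, "service")
            if rule.action == "allow":
                self._create_connection(pkt)       # static rule decided in the kernel
            return (rule.action, "engine")
        return ("deny", "engine")


def build_demo() -> FirewallEngine:
    """Constructed sample policy and directory data (not real TMG configuration)."""
    rules = [
        Rule("web-out", "allow", proto="tcp", dport=80),
        Rule("alice-https", "allow", proto="tcp", dport=443, users=frozenset({"alice"})),
        Rule("named-site", "allow", proto="tcp", dport=8080,
             dst_names=frozenset({"www.example.com"})),
        Rule("dns", "allow", proto="udp", dport=53, app_filter=True),
    ]
    users = {"10.0.0.5": "alice", "10.0.0.6": "bob"}
    names = {"192.0.2.10": "www.example.com"}
    service = FirewallService(rules, users.get, names.get)
    engine = FirewallEngine(rules, service)
    engine.publish_server("tcp", "10.0.0.9", 25)   # one creation element per published server
    return engine
```

Running `build_demo()` and feeding it packets shows the three paths side by side: a plain port-based rule is decided by the engine with no re-injection, a rule that names a user or a destination name (or a protocol with an application filter) goes through the service exactly once per session, and a connection to the published server is created from the creation element without consulting the rules at all.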