Forum Replies Created
-
Posts
-
How can I create the new Ethernet packet?
Allocate buffer to store the packet, initialize Ethernet and IP (ICMP, UDP, TCP headers), copy packet data.
On the other hand, would it be possible to send this ethernet packet to a certain port inside the same machine with this application?
Yes, this is possible.
Hmm, since you are going to create CoClient protocol driver and call manager I assume you have CoNDIS WAN driver for your device. If yes then probably you already have a separate call manager or this CoNDIS WAN driver is an MCM driver. Please clarify.
Of course IP checksum should be recalculated if IP header was altered. PPTP GRE header never has the checksum field (Checksum Present flag is always set to 0 for PPTP).
IP type 47 corresponds PPTP GRE protocol. You can read a nice overview of PPTP protocol issues here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0103.mspx
Below is the most importand NAT relative quote from the link above:
PPTP uses the Sequence Number and Acknowledgement Number fields to detect dropped data packets.
The use of a separate mechanism for PPTP data encapsulation has an interesting side effect for network address translators (NATs). For more information about NATs, see Windows 2000 Network Address Translator (NAT) (the March 2001 Cable Guy article). Most NATs can translate TCP-based traffic for PPTP tunnel maintenance. However, PPTP data packets with the GRE header are not typically translated without using either a static address mapping or a PPTP NAT editor.
When a PPTP server is behind a NAT, the NAT must be manually configured with a static address mapping that maps all the traffic for a specific public address to a specific private address. In this case, only the addresses in the IP header are modified.
When a PPTP client is behind a NAT, a PPTP NAT editor is typically used. A NAT editor is an additional software component on the NAT that performs translation services beyond IP addresses, TCP ports, and UDP ports. Although it is a simple matter for the PPTP NAT editor to monitor incoming packets for GRE payloads and translate the IP addresses in the IP header, there might be multiple PPTP clients behind the NAT. In this case, the NAT is unable to determine to which private client the incoming PPTP data packet is destined, because the same public address is being used for multiple private clients. To determine the private client to which an incoming packet is destined, the PPTP NAT editor uses the Call ID field in the GRE header. However, when two different PPTP clients use the same Call ID, the NAT is unable to determine to which private client the packet is destined.
To provide correct multiplexing of GRE-encapsulated traffic to different private clients, the PTPP NAT editor monitors the PPTP control connection setup and translates both the PPTP client’s Call ID field in the PPTP messages and the GRE-encapsulated data packets in the same way that it translates TCP or UDP source ports. By translating the PPTP client Call ID field, the NAT ensures that a unique Call ID is used for each PPTP tunnel, and for each PPTP client.
1. Do you have any news on this since I very interested by this and this is the only part that is currently missing in my evaluation of your product (I’m particularly interessted by the NAT feature in priority, traffic shaper is a high priority too but less than NAT).
NAT is already implemented in “under development” version of NeT Firewall. Regretfully I can’t point yet the exact release date, all newly addde features should be well tested before it,
2. Do you plan to support Vista too (32 bits), do you have an idea of date (note really for me urgent, but I need to know for future).
Yes, Windows Vista is planned to be supported.
3. Do you have any API that enable me to communication with the Firewall (like the winPkFilter?
In the meantime NeT Firewall interface is not published. However, could you specify for what particular tasks you’d like to use it?
For your information image in the online help are not displayed the link is bad.
Could you point the exact URL for the broken link?
“fatal error LNK1104: cannot open file D:Program.obj”
Try to move project to the path without complex names (with spaces inside) like “D:Program Files…”.
Do you run WinpkFilter inside Virtual PC (guest) system? It should work fine in this environment unless you also have installed some software which conflicts with WinpkFilter drivers.
What ListAdapters does show you? Also could you specify host and guest operating systems along with version of Virtual PC?
The event you set into driver with SetWANEvent is signaled when the new dial-up (VPN, PPPoE and etc…) connection is established or dropped, so you could reinitialize your configuration information. It is rather similar to SetAdapterListChangeEvent than SetPacketEvent which is signaled when new packet is queued.
I would trace through the IRP processing to figure out the exact reason to fail the IRP. May be there is a workaround for this.
Is device created with NdisMRegisterDevice? Well, it is difficult to say who exactly fails your IRP (NDIS, IM driver itself or filter driver attached to the IM created device), but you can check it yourself in kernel mode debugger. Probably one of these components checks the IRP origination (user or kernel) and if kernel mode component issues IRP_MJ_DEVICE_CONTROL then it fails. Basically as DDK documentation says kernel mode component usually issues IRP_MJ_INTERNAL_DEVICE_CONTROL:
IRP_MJ_DEVICE_CONTROL
A driver receives this I/O control code because user-mode thread has called the Microsoft® Win32® DeviceIoControl function, or a higher-level kernel-mode driver has set up the request.
IRP_MJ_INTERNAL_DEVICE_CONTROL
This I/O control code has been defined for communication between paired and layered kernel-mode drivers, such as one or more class drivers layered over a port driver. The higher-level driver sets up IRPs with device- or driver-specific I/O control codes, requesting support from the next-lower driver.I suppose it is far easier to change NDIS IM driver to process IRP_MJ_INTERNAL_DEVICE_CONTROL along with IRP_MJ_DEVICE_CONTROL.
case IRP_MJ_DEVICE_CONTROL:
case IRP_MJ_INTERNAL_DEVICE_CONTROL:
{… PUT YOUR I/O PROCESSING CODE HERE…}The configuration seems ok and I hope it fits your requirements. However, I would make rules stricter. An example, your rule for HTTP is very common. Basically it passes any TCP packet which has source or destination port equal to 80. If this rule is intended to allow you internet browsing I would make it to apply to OUTGOING packets (instead both directions) or/and specified local IP in the source address field (if it is fixed, if not then your ISP subnet). If you want to create the rule for WWW server at your side then you could set it to INCOMING and specify your server IP in the destination field (along with port 80).
ndisapi.dll is a Win32 DLL and you can call it from C#. Please check the links below about calling Win32 DLL from C#
http://www.codeproject.com/Purgatory/C_DLL_with_Csharp.asp
http://msdn.microsoft.com/msdnmag/issues/02/08/CQA/
http://msdn.microsoft.com/msdnmag/issues/03/07/NET/My question, is that possible to intall remotely Net-Firewall to our dedicated server over VNC?
Yes, you can install NeT Firewall rmotely using Remote Desktop or VNC.
Is your program will blocked my VNC traffic after restart the machine?
After installation NeT Firewall start in PASS ALL default mode and it won’t block VNC. You have to configure NeT Firewall after this and be carefull with setting rules and modes because one of the rules or modes may block VNC. I would recommend to create ALLOW rule for VNC traffic before creating any other rules.
It should be enough to create the single rule with NeT Firewall to block the specific IP address (create the DENY rule which specifies the source IP and leave all other fields unchanged).
If you still have problem with it then could you please send some screenshots (firewall rules, log) to support(at)ntkernel.com?
