Filter Requirements for Firewall Clients

Application filters can work with both Firewall clients and SecureNAT clients. This topic describes specific design considerations for filters that must work with Firewall clients. For information about designing filters to work with SecureNAT clients, see Filter Requirements for SecureNAT Clients.

To handle connect requests for outgoing primary connections from Firewall clients, the filter must register for events originating from Firewall clients. Use the fwxSourceWSP value of the FwxFirewallEventSource enumerated type to register for Firewall client events. A filter designed to handle both Firewall client and SecureNAT client requests should use the macro FWX_ALL_SOURCES to include both values.

To allow a Firewall client to receive a secondary inbound connection, use IFWXSession::RetroactiveAllowBind. Use this method because the client application may have already bound a socket on the Microsoft Firewall service, and the filter should use that socket. IFWXSession::RetroactiveAllowBind enables the previously created bind by associating it with a protocol, and also tests whether the client application bound a Firewall service socket. If the client application did not bind a Firewall service socket, IFWXSession::RetroactiveAllowBind fails, so the filter should also call IFWXSession::BindForClient. IFWXSession::BindForClient lets a client application receive an inbound connection even though the Firewall client component failed to create a remote socket for its bind call.

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.