Restricting Outbound Traffic to Selected TCP Ports (Windows Embedded CE 6.0)

1/6/2010

The following table shows an example of how to create rules that permit outbound traffic from Host2 only on TCP ports 25 (SMTP) and 110 (POP3). In this example, the IP address of Host2 is 192.168.0.101. The intent is to let Host2 send and receive e-mail and nothing else, but note what the rules actually match: the two allow rules constrain only the source host, the protocol, and the port — not the destination host — so Host2 may open TCP connections on those two ports to any host, and whatever is carried over such a connection is permitted. The block rule matches every other outbound packet from Host2 regardless of protocol or port, which includes UDP; DNS lookups (UDP port 53) from Host2 are therefore blocked unless the default rules (see Default IP Firewall Rules) or another rule allow them, so Host2 must reach its mail servers by IP address or have name resolution permitted separately. The example also relies on the two specific allow rules taking precedence over the broader block rule; confirm the rule-evaluation order before deploying.

dwFlags                    PrivateHost     Protocol          Port
FWF_ALLOW | FWF_OUTBOUND   Host2 address   IP_PROTOCOL_TCP   25
FWF_ALLOW | FWF_OUTBOUND   Host2 address   IP_PROTOCOL_TCP   110
FWF_BLOCK | FWF_OUTBOUND   Host2 address   (not set)         (not set)

"(not set)" means the field is not included in the rule's mask, so the block rule matches any protocol and any port from Host2.

Registry entries for the rules

The following registry example shows the registry entries for these three rules. Note that dword values are written in hexadecimal: Port dword:19 is port 25 and Port dword:6E is port 110, while Mask dword:25 is the bit mask 0x25, not port 25.

; Rule 1: allow outbound TCP from Host2 on port 25.
; Mask selects which FW_RULE fields take part in matching; fields not named in
; the mask are ignored. 0x25 = FWM_PRIVATE_HOST (0x1, see the block rule below)
; plus FWM_PROTOCOL and FWM_PORT (0x24 together; their individual bit values are
; not shown on this page). Flags 0x12 = FWF_ALLOW | FWF_OUTBOUND (the 0x10 bit is
; shared with the block rule's 0x11, so it is presumably FWF_OUTBOUND).
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowTCPOutboundPort25]
    "Mask"=dword:25         ; FWM_PRIVATE_HOST | FWM_PROTOCOL | FWM_PORT
    "Flags"=dword:12           ; FWF_ALLOW | FWF_OUTBOUND
    ; PrivateHost layout matches the FW_RULE code example: a little-endian DWORD
    ; address family (02,00,00,00 = AF_INET) followed by the IPv4 address in
    ; network byte order (C0,A8,00,65 = 192.168.0.101).
    "PrivateHost"=hex:02,00,00,00,C0,A8,00,65         ; 192.168.0.101
    "Protocol"=dword:6     ; IP_PROTOCOL_TCP
    ; dword values are hexadecimal: 0x19 = 25.
    "Port"=dword:19         ; 25

; Rule 2: allow outbound TCP from Host2 on port 110. Identical to rule 1 except
; for the port; see rule 1 for the meaning of Mask, Flags and PrivateHost.
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowTCPOutboundPort110]
    "Mask"=dword:25         ; FWM_PRIVATE_HOST | FWM_PROTOCOL | FWM_PORT
    "Flags"=dword:12           ; FWF_ALLOW | FWF_OUTBOUND
    "PrivateHost"=hex:02,00,00,00,C0,A8,00,65         ; 192.168.0.101
    "Protocol"=dword:6         ; IP_PROTOCOL_TCP
    ; dword values are hexadecimal: 0x6E = 110.
    "Port"=dword:6E         ; 110

; Rule 3: block all other outbound traffic from Host2.
; Only FWM_PRIVATE_HOST is masked and no Protocol or Port value is given, so this
; rule matches every outbound packet from 192.168.0.101 whatever its protocol or
; port (UDP included, so DNS from Host2 is blocked unless another rule allows it).
; The example depends on the two allow rules above winning over this rule;
; confirm the evaluation order before relying on it.
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\BlockOutboundFromHost2]
    "Mask"=dword:1         ; FWM_PRIVATE_HOST
    "Flags"=dword:11         ; FWF_BLOCK | FWF_OUTBOUND
    "PrivateHost"=hex:02,00,00,00,C0,A8,00,65         ; 192.168.0.101

Code example to create the rules

The following code example creates the same three rules programmatically with FirewallCreateRule.

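    // Creates three persistent rules for Host2 (192.168.0.101):
    //   1. allow outbound TCP on port 25
    //   2. allow outbound TCP on port 110
    //   3. block every other outbound packet from Host2 (any protocol, any port)
    // The example relies on the two specific allow rules winning over the broader
    // block rule; confirm the rule-evaluation order (see Default IP Firewall Rules)
    // before deploying. Each FW_RULE is zero-initialized so that the fields dwMask
    // does not select hold a known value instead of stack garbage.
    FW_RULE AllowTCPOutboundPort25 = {0};
    FW_RULE AllowTCPOutboundPort110 = {0};
    FW_RULE BlockOutboundFromHost2 = {0};
    SOCKADDR_STORAGE ssSaddr = {0};
    int saddrsize = sizeof(ssSaddr);

    // Parse Host2's address once; every rule below copies it into PrivateHost.
    // WSAStringToAddress returns 0 on success and SOCKET_ERROR on failure. On
    // failure ssSaddr holds no valid address and a rule built from it would target
    // the wrong host, so no rule is installed at all in that case.
    if (WSAStringToAddress(_T("192.168.0.101"), AF_INET, NULL, (PSOCKADDR)&ssSaddr, &saddrsize) == 0)
    {
        // Rule 1: allow outbound TCP on port 25.
        // The following fields must always be set.
        AllowTCPOutboundPort25.dwSize = sizeof(FW_RULE);
        AllowTCPOutboundPort25.dwFlags = FWF_ALLOW | FWF_OUTBOUND;
        AllowTCPOutboundPort25.dwMask = 0; // no match fields selected yet; OR them in below
        AllowTCPOutboundPort25.PrivateHost.Family = AF_INET;
        AllowTCPOutboundPort25.wszDescription = L"Allow outbound TCP traffic on port 25";

        // Client IP.
        AllowTCPOutboundPort25.dwMask |= FWM_PRIVATE_HOST;
        AllowTCPOutboundPort25.PrivateHost.AddressIPv4 = ((PSOCKADDR_IN)&ssSaddr)->sin_addr;

        // Protocol.
        AllowTCPOutboundPort25.dwMask |= FWM_PROTOCOL;
        AllowTCPOutboundPort25.Protocol = IP_PROTOCOL_TCP; // 6

        // Port: a single port is expressed as PortMin == PortMax.
        AllowTCPOutboundPort25.dwMask |= FWM_PORT;
        AllowTCPOutboundPort25.PortMin = 25;
        AllowTCPOutboundPort25.PortMax = 25;

        // Create a persistent rule.
        // NOTE(review): the result of FirewallCreateRule is not checked here; see
        // the FW_RULE reference for its return value and treat a failure as a
        // configuration error.
        FirewallCreateRule(&AllowTCPOutboundPort25, TRUE);

        // Rule 2: allow outbound TCP on port 110 (same shape as rule 1).
        // The following fields must always be set.
        AllowTCPOutboundPort110.dwSize = sizeof(FW_RULE);
        AllowTCPOutboundPort110.dwFlags = FWF_ALLOW | FWF_OUTBOUND;
        AllowTCPOutboundPort110.dwMask = 0; // no match fields selected yet; OR them in below
        AllowTCPOutboundPort110.PrivateHost.Family = AF_INET;
        AllowTCPOutboundPort110.wszDescription = L"Allow outbound TCP traffic on port 110.";

        // Client IP (reuses the address parsed above).
        AllowTCPOutboundPort110.dwMask |= FWM_PRIVATE_HOST;
        AllowTCPOutboundPort110.PrivateHost.AddressIPv4 = ((PSOCKADDR_IN)&ssSaddr)->sin_addr; // 192.168.0.101

        // Protocol.
        AllowTCPOutboundPort110.dwMask |= FWM_PROTOCOL;
        AllowTCPOutboundPort110.Protocol = IP_PROTOCOL_TCP; // 6

        // Port: a single port is expressed as PortMin == PortMax.
        AllowTCPOutboundPort110.dwMask |= FWM_PORT;
        AllowTCPOutboundPort110.PortMin = 110;
        AllowTCPOutboundPort110.PortMax = 110;

        // Create a persistent rule.
        // NOTE(review): return value not checked; see the note on rule 1.
        FirewallCreateRule(&AllowTCPOutboundPort110, TRUE);

        // Rule 3: block all other outbound traffic from Host2.
        // Only FWM_PRIVATE_HOST is masked, so this rule matches every protocol and
        // every port from Host2 (UDP included, so DNS from Host2 is blocked unless
        // another rule allows it).
        // The following fields must always be set.
        BlockOutboundFromHost2.dwSize = sizeof(FW_RULE);
        BlockOutboundFromHost2.dwFlags = FWF_BLOCK | FWF_OUTBOUND;
        BlockOutboundFromHost2.dwMask = FWM_PRIVATE_HOST;
        BlockOutboundFromHost2.PrivateHost.Family = AF_INET;
        BlockOutboundFromHost2.wszDescription = L"Block Outbound Traffic From Host2";

        // Client IP (reuses the address parsed above).
        BlockOutboundFromHost2.PrivateHost.AddressIPv4 = ((PSOCKADDR_IN)&ssSaddr)->sin_addr; // 192.168.0.101

        // Create a persistent rule.
        // NOTE(review): return value not checked; if this rule in particular fails
        // to install, Host2 is left with no outbound restriction at all.
        FirewallCreateRule(&BlockOutboundFromHost2, TRUE);
    }
    else
    {
        // Address parse failed; WSAGetLastError() gives the reason. Report this as
        // a fatal configuration error rather than continuing without the rules.
    }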

See Also

Reference

FW_RULE

Concepts

Default IP Firewall Rules

Other Resources

General Firewall Rule Examples