Hi,
I’m using the WFP sample WFPSampler driver and I configured it to redirect outgoing TCP connections to a local proxy application that listen for the connections.
I’m using the following rule:
WFPSampler.Exe -s PROXY -l FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 -p TCP -aaid != C:\Users\user\Desktop\wfpSampler\proxy_demo.exe -pra 127.0.0.1 -prp 9100 -v
this works perfectly, but only if first I remove all WFP rules using: WFPSampler -clean all
running this command removes all WFP rules, including the firewall rules and I prefer not to do that.
I saw that other people asked this question in the past and there was no answer.
anyone knows what existing rules prevent the redirecting?
or what is the easiest way to understand this?
Thanks,
Sagi
WFP - WFPSampler redirect to local host works only if cleaning all rules using WFPSampler -clean all
Use the command lines mentioned here: https://docs.microsoft.com/en-us/windows/win32/fwp/auditing-and-logging along with wfp show filters to pin down what filters are blocking your connection.
Thanks,
I was able to find that the rules that makes my redirected connection get blocked are rules that are in the connect layer.
but even if there is one rule left in this layer my redirected connection gets blocked.
even if its a rule with action permit.
the existence of any rule in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer cause the connection that I redirected to a local proxy in FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 to get blocked.
anyone have a clue?
Thanks,
Sagi
Have you added a callout @ ALE_AUTH_CONNECT which permits your redirected connection?