0
votes
  • Consider a server socket and a client socket.
  • The server socket endpoint is identified by the pair (IP Ws.Xs.Ys.Zs, TCP port Ps).
  • When the client socket initiates a connection with the server socket, the client endpoint gets associated with the pair (IP Wc.Xc.Yc.Zc, TCP port Pc).
  • The client socket is a "Winsock".
  • On the client machine, outbound traffic for port Ps is NOT blocked.
  • At connection time, Pc is automatically chosen from the pool of ephemeral/dynamic ports of the client machine.
  • The client socket sends a message Mc to the server socket.
  • The server socket responds and sends a message Ms back to the client socket.
  • This message will be addressed to the endpoint identified by (IP Wc.Xc.Yc.Zc, TCP port Pc).

Is there a way I can block this message Ms by setting up a firewall rule in the "Inbound" section of the firewall on the client machine?

I have tried to set up such a rule but it seems not to block anything:

In the Windows firewall, in the "Inbound" rules section:
- "New Rule..." -> "Port"
- TCP
- Specific local ports: 49152-65535
  (This is the dynamic port range on the client machine, as given by the command "netsh int ipv4 show dynamicport tcp".)
- Block the connection
- When does this rule apply? I checked: "Domain", "Private" and "Public".

Why is it not working? Why is Ms not rejected by the firewall? Is it because of the socket implementation? Something like: if the client socket could actually send its message to the server socket, then the response from the server has to be accepted on (IP Wc.Xc.Yc.Zc, TCP port Pc) even if there is a blocking rule in the firewall? Or maybe the rule I'm setting up above is not actually blocking what I think it is blocking...

Thank you for helping. Best regards.

1 vote, user207421: Why? If you want to block the connection, block the connection. Allowing the connection and then trying to block messages via that connection doesn't make sense.

1 Answer

1
votes

A firewall blocks connection attempts, not individual packets. An outbound filter prevents an outbound connection to a remote server, an inbound filter prevents an inbound connection to a local server.

Besides that, a "message" may require that more than one packet be transmitted, or may be grouped with other "messages" in a single packet.

So no, once a connection has been successfully established, a firewall cannot block specific "messages" being transmitted over that connection. The connection has already been trusted, the firewall does not analyze and filter the connection's content.
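As an added illustration of the answer's point (example code written for this page, not part of the question or the answer, and not Windows Firewall's real implementation), here is a toy stateful packet filter with a flow table. It mimics the behaviour a stateful host firewall such as Windows Firewall exhibits: rules are only consulted for the packet that opens a connection, an explicit block rule wins over an allow rule, and every later packet of a tracked flow, in either direction, is passed on the strength of the flow entry alone. The addresses (TEST-NET ranges), the server port 8080 standing in for Ps, the ephemeral port 50123 standing in for Pc, and the rule sets are all constructed for the example. The first scenario is the asker's inbound block on 49152-65535; the second is the comment's advice, blocking the outbound connection to Ps instead.

```python
"""Toy stateful firewall modelling the question's scenario (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed values standing in for the question's placeholders.
CLIENT_IP = "192.0.2.10"     # Wc.Xc.Yc.Zc
SERVER_IP = "198.51.100.5"   # Ws.Xs.Ys.Zs
PC = 50123                   # Pc, chosen from the client's dynamic range
PS = 8080                    # Ps, the server's listening port
EPHEMERAL = range(49152, 65536)  # "netsh int ipv4 show dynamicport tcp" range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "out" = leaving this host, "in" = arriving at this host
    syn: bool = False   # SYN flag
    ack: bool = False   # ACK flag (a SYN without ACK is a connection attempt)


@dataclass
class Rule:
    direction: str                        # "in" or "out"
    action: str                           # "allow" or "block"
    local_ports: Optional[range] = None   # None = any
    remote_ports: Optional[range] = None  # None = any

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if pkt.direction == "out":
            local, remote = pkt.src_port, pkt.dst_port
        else:
            local, remote = pkt.dst_port, pkt.src_port
        if self.local_ports is not None and local not in self.local_ports:
            return False
        if self.remote_ports is not None and remote not in self.remote_ports:
            return False
        return True


class StatefulFirewall:
    """Rules decide only the opening packet; the flow table decides the rest."""

    def __init__(self, rules, default_in="block", default_out="allow"):
        self.rules = list(rules)
        self.defaults = {"in": default_in, "out": default_out}
        # Flow key is always from the local host's point of view.
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    def _flow_key(self, pkt: Packet):
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet) -> str:
        key = self._flow_key(pkt)
        if key in self.flows:
            # Reply traffic on an established connection: rules are not consulted.
            return "allow (established)"
        if not pkt.syn or pkt.ack:
            # Not a connection attempt and no known flow: stray packet.
            return "block (no matching flow)"
        # New connection attempt: an explicit block beats an allow, else the default.
        actions = {r.action for r in self.rules if r.matches(pkt)}
        if "block" in actions:
            return "block"
        verdict = "allow" if "allow" in actions else self.defaults[pkt.direction]
        if verdict == "allow":
            self.flows.add(key)
        return verdict


def askers_inbound_rule_scenario() -> dict:
    """The question's rule: inbound block on local ports 49152-65535."""
    fw = StatefulFirewall([Rule("in", "block", local_ports=EPHEMERAL)])
    client_syn = Packet(CLIENT_IP, PC, SERVER_IP, PS, "out", syn=True)
    server_syn_ack = Packet(SERVER_IP, PS, CLIENT_IP, PC, "in", syn=True, ack=True)
    server_reply_ms = Packet(SERVER_IP, PS, CLIENT_IP, PC, "in", ack=True)
    unsolicited_syn = Packet(SERVER_IP, PS, CLIENT_IP, 50999, "in", syn=True)
    return {
        "client_syn": fw.filter(client_syn),
        "server_syn_ack": fw.filter(server_syn_ack),
        "server_reply_Ms": fw.filter(server_reply_ms),       # not blocked
        "unsolicited_inbound_syn": fw.filter(unsolicited_syn),  # blocked
    }


def outbound_block_scenario() -> dict:
    """The comment's advice: block the outbound connection to remote port Ps."""
    fw = StatefulFirewall([Rule("out", "block", remote_ports=range(PS, PS + 1))])
    client_syn = Packet(CLIENT_IP, PC, SERVER_IP, PS, "out", syn=True)
    server_syn_ack = Packet(SERVER_IP, PS, CLIENT_IP, PC, "in", syn=True, ack=True)
    return {
        "client_syn": fw.filter(client_syn),          # blocked, flow never created
        "server_syn_ack": fw.filter(server_syn_ack),  # nothing to match, dropped
    }


if __name__ == "__main__":
    print(askers_inbound_rule_scenario())
    print(outbound_block_scenario())
```

In the first scenario the inbound rule does stop an unsolicited SYN to an ephemeral port, but Ms arrives on a flow the client itself created, so the flow table passes it before any inbound rule is examined. In the second scenario the SYN never leaves, no flow exists, and the server has nothing to reply to. On Windows the equivalent of the second rule set is an Outbound rule, for example `New-NetFirewallRule -DisplayName "Block Ps" -Direction Outbound -Protocol TCP -RemotePort <Ps> -Action Block`, which is the "block the connection" the comment recommends.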