
12.2 Firewall Services Functionality

Windows Firewall relies on several networking components, including the Windows Firewall/Internet Connection Sharing service (also known as the SharedAccess service), the network address translation (NAT) driver (Ipnat.sys), the IPv4-based TCP/IP driver (Tcpip.sys) and the IPv6-based TCP/IP driver (Tcpipv6.sys), and the Windows Sockets (Winsock) driver (Winsock.dll). Windows Firewall also relies on several administrative tools that allow you to configure Windows Firewall settings. The following figure shows the relationship among these components.


Figure 77: Firewall services functionality overview

  • Administrative tools - Several administrative tools interact with the Windows Firewall/Internet Connection Sharing service and allow you to configure Windows Firewall settings. These tools include Windows Firewall in Control Panel (Firewall.cpl), the netsh firewall command, and Group Policy with the Group Policy Object Editor.

  • The NAT driver (Ipnat.sys) provides a data store for Windows Firewall. Windows Firewall uses the data store, known as the NAT Mapping Table, to store connection state information for dynamically created exceptions. The connection state information typically consists of a 5-tuple entry, which includes the protocol, the source and destination port numbers, and the source and destination IP addresses. Without a data store, Windows Firewall would not be a stateful firewall. Note that although Windows Firewall uses the NAT driver, it does not provide any network address translation.

  • The TCP/IP driver (Tcpip.sys) controls the flow of information between a network adapter and a program or system service. As incoming traffic flows through the TCP/IP driver, the traffic is inspected by the NAT driver. The NAT driver processes the traffic based on the entries in the Windows Firewall exceptions list. If the traffic matches an exception, the NAT driver determines that the traffic is allowed; the packets continue through the TCP/IP driver. If the traffic does not match an exception, the NAT driver determines that the traffic is unsolicited; the packets are dropped and do not continue through the TCP/IP stack. Neither the NAT driver nor the TCP/IP driver sends a notification to the sender when packets are dropped (this is sometimes referred to as a silent discard).

  • The Winsock driver is responsible for assigning and binding ports to a program or system service. Programs and system services use this driver when they need to listen for incoming traffic.

  • The Windows Firewall/Internet Connection Sharing service runs in Svchost.exe. It is responsible for processing the Windows Firewall exceptions that you configure for network traffic, and it relays those exceptions to the NAT driver, which inspects the traffic flowing through the TCP/IP driver.
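The decision path described above (static exceptions list, 5-tuple entries in the NAT Mapping Table for connections the host initiated, silent discard of anything unsolicited) can be modelled in a few lines. The following is an added illustration, not Microsoft's code; the tuple ordering, the `StatefulFilter` class and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed 5-tuple layout: (protocol, src_ip, src_port, dst_ip, dst_port)
FiveTuple = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool     # True when the packet arrives from the network


class StatefulFilter:
    """Toy model of the exceptions list plus NAT Mapping Table (not Microsoft code)."""

    def __init__(self, exceptions):
        # Static exceptions configured through the administrative tools: (proto, local port)
        self.exceptions: Set[Tuple[str, int]] = set(exceptions)
        # Dynamic exceptions: 5-tuples of connections this host initiated
        self.mapping_table: Set[FiveTuple] = set()

    def process(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Outbound traffic records connection state so the reply can be matched later.
            self.mapping_table.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: a match on the static exceptions list lets the packet through.
        if (pkt.proto, pkt.dst_port) in self.exceptions:
            return "allow"
        # Otherwise look for state: the reply direction is the recorded tuple reversed.
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.mapping_table:
            return "allow"
        # Unsolicited traffic: silent discard, no notification to the sender.
        return "drop"


def demo() -> List[str]:
    fw = StatefulFilter(exceptions=[("tcp", 3389)])   # one static exception: Remote Desktop
    host, server, other = "192.0.2.10", "198.51.100.5", "203.0.113.7"  # constructed addresses
    return [
        fw.process(Packet("tcp", host, 49152, server, 80, inbound=False)),   # allow, state recorded
        fw.process(Packet("tcp", server, 80, host, 49152, inbound=True)),    # allow, reply matches table
        fw.process(Packet("tcp", server, 80, host, 49153, inbound=True)),    # drop, no matching state
        fw.process(Packet("tcp", other, 40000, host, 3389, inbound=True)),   # allow, static exception
        fw.process(Packet("udp", other, 40000, host, 137, inbound=True)),    # drop, unsolicited
    ]
```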

© 2014 Microsoft