Windows Firewall and Boot Time Filtering

Eran Yariv

Principal Development Manager

Windows Vista introduced the WFP (Windows Filtering Platform), which performs filtering for Windows Firewall with Advanced Security. Firewall rules and settings are implemented via three types of WFP filters:

■ Boot-time filters These filters are in effect from the time the TCP/IP stack starts until the BFE (Base Filtering Engine) service starts. Once the BFE starts, these filters are removed.

■ Persistent filters These filters are stored persistently in the BFE service (in the registry) and applied while the BFE is running.

■ Dynamic filters These filters are not persistent and are associated with an active API session. Once the session ends, these filters are automatically removed.

This is what happens during startup:

1. The computer starts. There's no networking yet.

2. The TCP/IP stack starts and starts the WFP driver (Netio.sys).

3. Networking starts and the WFP boot-time filters are in effect.

4. The BFE service starts. Persistent filters replace the boot-time filters.

5. The Firewall Service starts, adding the current policy rules and settings (as filters) based on the current profile.

The boot-time filters (step 3) and the persistent filters (step 4) are identical and contain the following:

■ Block All Unsolicited Inbound Traffic

■ Allow Inbound Loopback Traffic

■ Allow Inbound ICMPv6 Neighbor Discovery (also known as Neighbor Solicitation), which is used for mapping IPv6 addresses to the media access control (MAC) address (equivalent of Address Resolution Protocol [ARP] in IPv4)

These filters are present at all times and are low priority. Higher-priority filters mask out these filters when Windows Firewall policy is in effect (step 5). When Windows Firewall is disabled, the WFP boot-time and persistent filters are removed. If Windows Firewall is enabled but the Windows Firewall service is stopped or killed, the dynamic filters are automatically removed and you end up with the persistent filters, which in effect block all inbound traffic.
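The following PowerShell script is an added example, not part of the original sidebar, that lets an administrator confirm the state just described on a live system: it checks whether the BFE and Windows Firewall (MpsSvc) services are running, exports the current WFP filter set with `netsh wfp show filters`, and lists the filters carrying the boot-time or persistent flag. The export file path is a constructed value, and the XML element names used to walk the export (`filters/item`, `displayData/name`, `flags/item`, `layerKey`, `action/type`) and the flag strings `FWPM_FILTER_FLAG_BOOTTIME` and `FWPM_FILTER_FLAG_PERSISTENT` are assumed from the netsh wfp XML output; adjust them if the export on your build differs.

```powershell
# Added example (not from the original sidebar): inspect the WFP filter state
# the sidebar describes. Run from an elevated PowerShell prompt.

# 1. Service state: BFE (Base Filtering Engine) and MpsSvc (Windows Firewall).
$services = Get-Service -Name BFE, MpsSvc
$services | Format-Table Name, Status -AutoSize

# 2. Export the current WFP filter set to XML.
#    $exportPath is a constructed value; 'netsh wfp show filters' writes its
#    XML output to the path given with 'file='.
$exportPath = Join-Path $env:TEMP 'wfp-filters.xml'
$null = netsh wfp show filters file="$exportPath"
if (-not (Test-Path $exportPath)) {
    throw "netsh wfp export failed; is this prompt elevated?"
}
[xml]$doc = Get-Content -Path $exportPath -Raw

# 3. Walk the exported filters and keep those flagged boot-time or persistent.
#    The element names below are assumed from the netsh wfp XML schema.
$flagged = foreach ($f in $doc.filters.item) {
    $flags = @($f.flags.item)
    if ($flags -contains 'FWPM_FILTER_FLAG_BOOTTIME' -or
        $flags -contains 'FWPM_FILTER_FLAG_PERSISTENT') {
        [pscustomobject]@{
            Name   = $f.displayData.name
            Layer  = $f.layerKey
            Action = $f.action.type
            Flags  = ($flags -join ',')
        }
    }
}

# 4. Report. Persistent filters are expected whenever BFE is running.
#    Boot-time filters are removed once BFE starts, so seeing none of them
#    from a running system is the normal case.
$flagged | Sort-Object Layer, Name | Format-Table Name, Layer, Action, Flags -Wrap

# 5. Explain what the service state means in terms of the sidebar: with
#    MpsSvc down, the dynamic policy filters are gone and only the low-priority
#    persistent set remains, which blocks unsolicited inbound traffic.
$mps = $services | Where-Object Name -eq 'MpsSvc'
if ($mps.Status -ne 'Running') {
    Write-Warning ("MpsSvc is $($mps.Status): dynamic filters have been removed; " +
                   "only the persistent filters listed above are in effect.")
}

Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
```

Because the persistent filters live in BFE rather than in the firewall service, this check is a useful baseline when troubleshooting a host that has "lost" inbound connectivity after the Windows Firewall service stopped: the service being down is not the same as the firewall being off, and the persistent block remains until MpsSvc is started again or the firewall is disabled.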

