IP Firewall Logging Reference (Windows Embedded CE 6.0)

1/6/2010

IP Firewall logging is performed by calling exported functions in external DLLs that you provide. To keep the call into an external DLL off the critical packet path, the firewall stores information about each packet in a circular buffer and then calls the DLLs from a secondary, normal-priority thread.

Packets that arrive faster than the firewall can process them do not appear in the log. If the entire buffer is consumed because log entries are generated faster than they are consumed, new entries overwrite older ones, and the older entries are lost. You can configure the size of the buffer through the registry. For more information about the registry settings or thread priorities, see IP Firewall Logging Registry Settings.
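The following C model of that circular buffer is an added example, not the CE firewall's own code; the four-slot capacity stands in for the registry-configured buffer size. It shows why a burst that outruns the logging thread silently drops the oldest entries, and how a sequence number and an overwrite counter let you notice the gap.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the firewall's log ring; capacity is assumed. */
#define LOG_CAPACITY 4

typedef struct {
    uint32_t seq;     /* monotonically increasing packet sequence number */
    uint16_t family;  /* AF_INET (2) or AF_INET6 (23), as in PrivateHost */
    uint8_t  inbound; /* 1 = inbound, as in FWF_INBOUND */
} LogEntry;

typedef struct {
    LogEntry slots[LOG_CAPACITY];
    unsigned head;        /* next slot the producer writes */
    unsigned count;       /* entries not yet drained by the logger thread */
    uint32_t overwritten; /* entries lost because the ring was full */
} LogRing;

static void ring_init(LogRing *r) { memset(r, 0, sizeof *r); }

/* Producer side (packet path): never blocks. When the ring is full the
 * oldest undrained entry is overwritten and lost. */
static void ring_push(LogRing *r, LogEntry e) {
    r->slots[r->head] = e;
    r->head = (r->head + 1) % LOG_CAPACITY;
    if (r->count == LOG_CAPACITY)
        r->overwritten++; /* the slot just written held an undrained entry */
    else
        r->count++;
}

/* Consumer side (logger thread): drains the oldest entry, or returns 0. */
static int ring_pop(LogRing *r, LogEntry *out) {
    if (r->count == 0) return 0;
    unsigned tail = (r->head + LOG_CAPACITY - r->count) % LOG_CAPACITY;
    *out = r->slots[tail];
    r->count--;
    return 1;
}

/* Simulate 'burst' packets arriving before the logger thread runs once.
 * Returns the number of lost entries; reports how many were drained and
 * the first sequence number seen (anything above 1 means a gap). */
uint32_t burst_and_drain(unsigned burst, unsigned *drained, uint32_t *first_seq) {
    LogRing r; ring_init(&r);
    for (uint32_t i = 1; i <= burst; i++) {
        LogEntry e = { i, 2, 1 }; /* constructed inbound IPv4 record */
        ring_push(&r, e);
    }
    LogEntry e; *drained = 0; *first_seq = 0;
    while (ring_pop(&r, &e)) { if (*drained == 0) *first_seq = e.seq; (*drained)++; }
    return r.overwritten;
}
```

With six packets and four slots, the logger sees entries 3 to 6 and two are gone; a real logging DLL that records a per-packet sequence number can detect such gaps after the fact, even though the lost packets themselves cannot be recovered.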

By default, the firewall does not log any packets. To enable logging, you must create a firewall rule that specifies which packets should be logged. Logging rules can use the same criteria as the rules that block or allow packets. Additionally, logging rules can be based on the action the firewall took for the packet, for example, to log only packets that the firewall blocked.

The following example specifies that all dropped inbound IPv4 and IPv6 packets should be logged:

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\LogInboundIPv6]
"Mask"=dword:0          ; 
"Flags"=dword:0C        ; FWF_LOG | FWF_INBOUND
"PrivateHost"=hex:17,00 ; AF_INET6

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\LogInboundIPv4]
"Mask"=dword:0          ; 
"Flags"=dword:0C        ; FWF_LOG | FWF_INBOUND
"PrivateHost"=hex:02,00 ; AF_INET

Logging applies only to packets that pass through the firewall. Packets that do not cross a firewall boundary, such as packets between two private hosts on the network, are not logged.

The following table shows the functions that the logging DLL should export.

Programming element | Description
--------------------|------------
FirewallLogInit     | Called when the firewall initializes and loads the logging DLL. Exporting this function is optional.
FirewallLogPacket   | Called for every packet that is logged. The logging DLL must export this function.
FirewallLogUninit   | May be called when the firewall is shutting down. Exporting this function is optional.

If more than one logging DLL is registered with the firewall, then the logging functions of those DLLs are called sequentially.

A code sample of the IP firewall log is located in the %_WINCEROOT%\Public\Common\Sdk\Samples\Firewall directory.

See Also

Reference

IP Firewall Reference

Concepts

IP Firewall OS Design Development
IP Firewall Logging Registry Settings

Other Resources

Firewall