A bit of theory - technical question

Posted by Anonymous User
January 12, 2010 12:16PM
I should know this by now but I don't!

I was wondering where PB works, at what level.
From what I can see it is between the PC and the firewall, or is it? I say this because, for instance, if I PING some address with PB enabled then that request is blocked by PB; if I disable PB and PING that address again then the request shows up as being blocked in the firewall log - so from the point of view of outgoing connections, PB seems to be situated between the PC and the firewall.

However, why is it that incoming calls from that same address don't show up in the firewall log but do in PB ???

I'd appreciate a lecture on this...

(Note : the above can only happen when ICMP requests are not allowed in the firewall.)
Re: A bit of theory - technical question
Posted by Mark
January 12, 2010 12:53PM
Our driver is loaded into the Windows networking stack. To be honest I haven't yet delved too far into the driver layer, since most of the work we've been doing has been at the application level (the GUI program which talks to the driver, sending it configuration information and then logging/displaying the results).

My understanding, however, is that as the name implies, this is a "stack" of drivers which have all signed up to filter/monitor network traffic passing through them. Where in this stack is up to Windows, with one of the biggest factors being the type of driver you're using. On Windows XP/2000 our driver is what's known as a "filter-hook driver", while on Windows Vista/7 we're a "WFP Application Layer Enforcement (ALE) layer Callout Driver". (Yes, we're using an almost entirely different driver for XP/2000 versus Vista/7.)

For XP/2000, only one filter-hook driver can be present on the machine at a time. Other filter-driver types - such as NDIS filter drivers - can, however, also be present, loaded elsewhere in the networking stack. For Vista/7, there are many different "layers" throughout the networking stack, and many different filter drivers may be loaded within each layer.

So basically (and very simplified), what happens is that as a network connection makes its way from an app on your PC out through the network cable (or wireless antenna) on your machine, it starts at the app and moves through various layers of the network stack. For your case, the Ping command first hits PeerBlock's driver - PeerBlock then tells Windows to block this packet, so it stops travelling up the networking stack and never makes it to your Firewall. Had PeerBlock NOT blocked this packet - either because it was not running, or because the IP address wasn't on a blocklist - it would have next gone on to your Firewall's driver, which would have blocked (or at least logged) the connection attempt.

Make sense?

--- Mark ---
Lead developer of PeerBlock
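The ordering Mark describes (app, then PeerBlock's driver, then the firewall's driver) is what makes an outbound block invisible to the firewall log. The following toy model is an added example, not PeerBlock's or Windows' code: it walks a packet through an ordered list of filters where the first "block" verdict ends the walk, so only the filter that actually saw the packet records it. The class names, the 203.0.113.0/24 blocklist range and the addresses are constructed for the illustration.

```python
import ipaddress

class Packet:
    def __init__(self, src, dst, proto):
        self.src, self.dst, self.proto = src, dst, proto

class Filter:
    """One driver in the stack. A filter can only log traffic that reaches it."""
    def __init__(self, name, enabled=True):
        self.name, self.enabled, self.log = name, enabled, []

    def decide(self, pkt):          # overridden by each filter type
        return "permit"

    def inspect(self, pkt):
        if not self.enabled:        # a driver that is not running is simply not in the path
            return "permit"
        verdict = self.decide(pkt)
        if verdict == "block":
            self.log.append(f"{self.name} blocked {pkt.proto} {pkt.src}->{pkt.dst}")
        return verdict

class BlocklistFilter(Filter):
    """PeerBlock-like: blocks any protocol to an address on the IP blocklist."""
    def __init__(self, name, ranges, enabled=True):
        super().__init__(name, enabled)
        self.ranges = [ipaddress.ip_network(r) for r in ranges]

    def decide(self, pkt):
        peer = ipaddress.ip_address(pkt.dst)
        return "block" if any(peer in r for r in self.ranges) else "permit"

class ProtocolFilter(Filter):
    """Firewall-like rule: denies the listed protocols regardless of address."""
    def __init__(self, name, denied, enabled=True):
        super().__init__(name, enabled)
        self.denied = set(denied)

    def decide(self, pkt):
        return "block" if pkt.proto in self.denied else "permit"

def send(stack, pkt):
    """Walk the stack in order; the first block stops the packet, later filters never see it."""
    for f in stack:
        if f.inspect(pkt) == "block":
            return f.name
    return "sent"

def outbound_ping(peerblock_enabled):
    """Constructed scenario from the thread: ping a blocklisted address, ICMP denied in the firewall."""
    pb = BlocklistFilter("PeerBlock", ["203.0.113.0/24"], enabled=peerblock_enabled)
    fw = ProtocolFilter("Firewall", ["icmp"])
    stack = [pb, fw]   # app -> PeerBlock -> firewall -> network, the outbound order Mark describes
    outcome = send(stack, Packet("192.168.1.10", "203.0.113.5", "icmp"))
    return outcome, pb.log, fw.log
```

With PeerBlock enabled the firewall log stays empty even though ICMP is denied there; with it disabled the same packet is blocked and logged by the firewall, matching what the original poster observed.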
Re: A bit of theory - technical question
Posted by Anonymous User
January 12, 2010 03:49PM
Yes thanks Markside - that certainly makes sense and now I know a little bit more about networks and so on.