Filter Hook Driver and NAT
Posted by Dale on May 25th, 2005


I have written an application based on the Windows 2000 Filter Hook Driver.

Basically the application was designed to run on a Windows 2000 server with
two Network interfaces. It monitors traffic between the two interfaces and
enforces security, performs proxy redirection, etc.

When the Windows 2000 Server is configured for routing mode and both
interfaces have real address subnets (in other words Network Address
Translation (NAT) and Internet Connection Firewall (ICF) are not enabled),
the hook correctly works and our application receives the packets (header
and payload).

However, when NAT or ICF is enabled (the network we are checking security
on does not have real addresses) the Packet pointer (payload) passed to
us is NULL. Therefore we cannot look at the rest of the packet to make
a determination of what we should do. See this link for the call back
function description (parameter two is the one that we are not getting):

http://msdn.microsoft.com/library/en...bf7870.xml.asp

Why does the behavior of the Filter Hook Driver differ between NAT and routing
mode? I would think the behavior should be the same regardless.


Posted by Bryan S. Burgin [MSFT] on June 2nd, 2005




Are you doing this as an IP Filter Hook driver, as documented in the DDK,
using the firewall hooks or hooking NDIS functions?

Have you tried this on Windows XP SP2 or Server 2003 SP1? And if so, did
you get a different result? (I believe that ICF/ICS is quite different in
those platforms from W2K.)

This might be worth opening a support incident for, as this may take ongoing
interaction and research.

Bryan S. Burgin
bburgin@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

