Program Client Whitelist

JSON Reference

Firewall-Local

This checks for a connection to a local machine port, and the associated program behind it. If it matches, the connection proceeds. If not, the connection initiation is abandoned.

There is a single inline string value parameter:

  • Absolute program file path -

Example

"Firewall-Local":"C:\Program Files\TightVNC\TightVNC.exe"

Properties

  • Activation Phase = Top Down

  • Type = Step

  • Stream Interaction = One Off

  • Network terminating = No

  • JSON Value Type = inline string

  • Initiator = No

Implementation

This component can make sure only a single program on your computer can connect to the local service point that tunnels to the remote endpoint. This means, that only the specified application will be able to connect to that port, others will be disconnected.

This makes the tunnel more secure. With a traditional PPTP VPN system, if malware infects your PC and the VPN connection is active, it's able to connect to devices on that VPN without detection. The local firewall provides tight control around what software application is allowed to access a single host and port.

It works by

  1. Analysing the tunnel configuration at the initiation stage.

  2. It looks up the chain of duct points for the first one, and if it isn't a supported type, it fails

  3. If the remote endpoint IP address isn't localhost, it fails

  4. It then uses p-invoking on iphlpapi.dll to get the table of bindings between port and application

  5. If the remote endpoint IP and port isn't found it fails

  6. If it's found, it checks the application path, if it doesn't match expectation it fails

Technically, this duct type is not a duct, but a process step. Although it could be argued that on one side is this Firewall-Local duct-point, and the other side is the application itself (and it's name). It's a stretch though.