IFWXIpFilter Interface

The IFWXIpFilter interface is the application filter interface that represents an IP filter, which specifies the ranges of IP addresses for which a connection or socket is allowed to function. Use this interface to ensure that secondary and emulated connections are secure.

Syntax

interface IFWXIpFilter : IUnknown

Methods

The IFWXIpFilter interface inherits the methods of the IUnknown interface.

In addition, IFWXIpFilter defines the following methods.

Method          Description

IncludeRange    Includes a range of IP addresses in the IP filter.
ExcludeRange    Excludes a range of IP addresses from the IP filter.
IncludeFilter   Includes the ranges of IP addresses represented by an existing IP filter in the IP filter.
ExcludeFilter   Excludes the ranges of IP addresses represented by an existing IP filter from the IP filter.
IsIncluded      Checks whether a particular IP address falls within the ranges allowed by the IP filter.
Compare         Compares the IP ranges of two IP filters.
Clone           Returns a copy of an IP filter. The copy will contain the same ranges of IP addresses as the original.

Remarks

There are situations in which an application filter is responsible for limiting which IP addresses are allowed access, including:

  • The case of a secondary inbound connection, as occurs with the FTP protocol. Use the IFWXIpFilter interface in the FTP scenario to restrict access to the inbound socket of the secondary connection. For example, an FTP application filter opens a secondary connection with a range that includes only the IP address of the FTP server. The packet filter driver then rejects every IP packet addressed to the socket that the FTP application filter created for the secondary connection unless its source address is the IP address of the FTP server.
  • The case of a secondary or emulated connection in a publishing scenario.

For security purposes, the application filter should define an IP filter, which specifies the ranges of IP addresses for which a particular connection or socket is allowed. The IFWXIpFilter interface is where you specify those ranges of IP addresses.

Note  If you set the ranges of IP addresses equal to NULL, all IP addresses will be allowed to connect.
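
The following added example is not part of the original topic and does not use the TMG headers. It is a self-contained C++ model of the FTP scenario and of the Note above. The class ModelIpFilter, the helper functions, the method signatures, the in-order include/exclude semantics, and the representation of "NULL ranges" as a null filter pointer are all assumptions of the example, and the addresses are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in model of an IP filter; NOT the TMG COM interface. Method names mirror
// the page; signatures and in-order set semantics are assumptions of this example.
class ModelIpFilter {
    struct Range { uint32_t from, to; };   // inclusive bounds, host byte order
    std::vector<Range> ranges_;            // kept disjoint
public:
    void ExcludeRange(uint32_t from, uint32_t to) {
        std::vector<Range> kept;
        for (const Range& r : ranges_) {
            if (r.to < from || r.from > to) { kept.push_back(r); continue; }
            if (r.from < from) kept.push_back({r.from, from - 1});  // left remainder
            if (r.to > to)     kept.push_back({to + 1, r.to});      // right remainder
        }
        ranges_.swap(kept);
    }
    void IncludeRange(uint32_t from, uint32_t to) {
        ExcludeRange(from, to);            // drop any overlap so ranges stay disjoint
        ranges_.push_back({from, to});
    }
    bool IsIncluded(uint32_t ip) const {
        for (const Range& r : ranges_)
            if (r.from <= ip && ip <= r.to) return true;
        return false;
    }
};
constexpr uint32_t Ip(uint32_t a, uint32_t b, uint32_t c, uint32_t d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}
// Models the Note above: no ranges supplied (nullptr here) admits every source.
bool SocketAccepts(const ModelIpFilter* filter, uint32_t source) {
    return filter == nullptr || filter->IsIncluded(source);
}
// FTP scenario from the Remarks: the filter holds only the FTP server's address.
ModelIpFilter FtpSecondaryFilter(uint32_t ftpServer) {
    ModelIpFilter f;
    f.IncludeRange(ftpServer, ftpServer);
    return f;
}

int main() {
    const uint32_t server = Ip(192, 0, 2, 10), other = Ip(198, 51, 100, 7);  // constructed
    ModelIpFilter f = FtpSecondaryFilter(server);
    std::printf("server=%d other=%d other_with_null=%d\n", SocketAccepts(&f, server),
                SocketAccepts(&f, other), SocketAccepts(nullptr, other));
}
```

In this model the single-address filter admits only the FTP server, while the null filter admits the unrelated host as well, which is the fail-open case the Note describes.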

Requirements

Server    Requires Windows Server 2008 R2 or Windows Server 2008 x64 Edition with SP2.
Version   Requires Forefront Threat Management Gateway (TMG) 2010.
Header    Declared in Wspfwext.idl.

See Also

Filter Interfaces
IFWXConnection
IFWXFirewall::CreateIpFilter
IFWXNetworkSocket
IFWXSession

Build date: 6/30/2010