diff options
| author | David Lönnhager <david.l@mullvad.net> | 2020-10-09 13:49:27 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2020-10-12 11:34:13 +0200 |
| commit | 10fcce3f786d010964926fed75bd091ab3d568c7 (patch) | |
| tree | 472e24420a71db8fcfedb3ec1c344ec6ed412db9 | |
| parent | cd9a1c5121dcdc9d4631e4c969349ed57b81ca86 (diff) | |
| download | mullvadvpn-10fcce3f786d010964926fed75bd091ab3d568c7.tar.xz mullvadvpn-10fcce3f786d010964926fed75bd091ab3d568c7.zip | |
Update WinFw readme
| -rw-r--r-- | windows/winfw/README.md | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/windows/winfw/README.md b/windows/winfw/README.md index 6c4f456bed..59e21afebb 100644 --- a/windows/winfw/README.md +++ b/windows/winfw/README.md @@ -4,11 +4,13 @@ # Organization of sublayers -`winfw` uses a design that involves two different types of sublayers: +In its initialized state, `winfw` uses a design that involves two different types of sublayers: - The baseline sublayer - Other sublayers +When `winfw` is deinitialized, it may create a persistent sublayer to continue applying some policies. Other sublayers and their filters are removed at this time. + ## Baseline sublayer The baseline sublayer is weighted the highest to ensure it sees all traffic first. It contains a large number of permit-filters, with a different subset of them being activated by different policies. The permit-filters are all weighted the same and have the highest possible weight. It doesn't matter which filter sees the traffic first. If traffic is matched by a permit-filter, it's "lifted" out of the sublayer and processing is resumed with the next sublayer. @@ -25,6 +27,10 @@ Same as the baseline sublayer, these sublayers use a design with highly weighted As an example, we have a sublayer that's dedicated to filtering DNS. Traffic that's not related to DNS will still be sent through it, but all the filters we install must deal only with DNS. This way we can install permit-filters with specific conditions that effectively whitelist the traffic we deem safe. To round it off there's a lower-weighted blocking filter that blocks all DNS. +## Persistent sublayer + +The persistent sublayer is only active when `winfw` is deinitialized and instructed to continue enforcing a blocking policy. It has the highest weight possible and only contains blocking filters that match all traffic. These filters ensure that all traffic will be blocked until `winfw` is reinitialized, including at boot-time before BFE is running. Unlike the other sublayers, this sublayer persists even if BFE is restarted (e.g., by rebooting). + ## Advantages of current design - Predictable sublayer weights. |