github nmap/npcap v0.05-r11
Npcap 0.05 r11: Added firewall (Block-Rx) support

8 years ago

Now Npcap can BLOCK the traffic instead of just inspecting packets. The Block-Rx adapters will reject all incoming packets except the ones injected by Npcap itself.

Steps for a firewall application:

  1. Set the adapter you want to firewall as both a Block-Rx and a Send-to-Rx adapter. The Npcap driver needs to be restarted.
  2. Use pcap_next_ex to retrieve and parse all traffic on the adapter, and make a decision (Pass or Drop) for each packet using your own logic.
  3. If the decision on a packet is Pass, call pcap_sendpacket to reinject the packet into the same adapter.
  4. If the decision on a packet is Drop, do nothing. The packet will be dropped.

A firewall example is provided here:
https://github.com/hsluoyz/UserBridge

How to specify a Block-Rx adapter:

The Npcap driver service's registry key is usually:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf

In this key, manually create a REG_SZ value named BlockRx whose data is the name of the adapter you want to make a Block-Rx adapter. The name usually has the form \Device\{F5A00000-E19A-4D17-B6D9-A23FE1852573}. You can look it up with Nmap's nmap --iflist command, which prints a similar value such as \Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}, but the two are NOT THE SAME: remove the NPF_ from this string before copying it into the registry's BlockRx value. Then restart the driver with net stop npf and net start npf.

More than one adapter can be a Block-Rx adapter. In that case the string in the registry's BlockRx value should be a semicolon-separated list of adapter names.
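
The registry steps above, as an added PowerShell example (not part of the Npcap release or its tooling). The function name ConvertTo-BlockRxValue and the variable names are hypothetical, and the sample adapter name is constructed from the GUID used as illustration in the text:

```powershell
# Added example: helper and variable names are hypothetical, not Npcap's own.
# Run from an elevated PowerShell prompt (writes under HKLM, restarts a driver).
function ConvertTo-BlockRxValue {
    param([Parameter(Mandatory)][string[]]$NpfName)
    $guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $names = foreach ($n in $NpfName) {
        # Accept only \Device\NPF_{GUID}; anything else is a copy/paste mistake.
        if ($n -match "^\\Device\\NPF_($guid)$") {
            '\Device\' + $Matches[1]   # same name with the NPF_ prefix removed
        } else {
            throw "Not an NPF device name: $n"
        }
    }
    # Several Block-Rx adapters go into one semicolon-separated string.
    ($names | Select-Object -Unique) -join ';'
}

# Constructed sample input, in the form printed by nmap --iflist.
$fromIflist = @('\Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}')
$value = ConvertTo-BlockRxValue -NpfName $fromIflist

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\npf'
if (-not (Test-Path $key)) { throw "Npcap service key not found: $key" }
New-ItemProperty -Path $key -Name BlockRx -PropertyType String -Value $value -Force | Out-Null

# Restart the driver so it picks up the new value.
net stop npf
net start npf

# Read the value back to confirm what the driver was started with.
(Get-ItemProperty -Path $key -Name BlockRx).BlockRx
```

Because a Block-Rx adapter rejects all incoming packets that are not reinjected, apply this only once the firewall application is ready to run on that adapter.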

How to specify a Send-To-Rx adapter:

See v0.05-r6 and v0.05-r7 for details on Send-to-Rx.
