
Using WFP filter to allow pair of port and ip

I'd like to have a firewall that isolates my device from the network, with the exception of a few port/IP pairs that I wish to allow.

For example, in order to allow a certain port (for all IP addresses) I use the following filter:

FWPM_FILTER_CONDITION0 conditions[2] = {0}; // zero-initialise so matchType defaults to FWP_MATCH_EQUAL
FWPM_FILTER0 Filter = {0};

// Condition 0: match the remote (destination) port.
conditions[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
conditions[0].matchType = FWP_MATCH_EQUAL;
conditions[0].conditionValue.type = FWP_UINT16;
conditions[0].conditionValue.uint16 = port;

// Condition 1: protocol >= 0 matches every protocol. The value type is
// FWP_UINT8, so the uint8 member (not uint32) must be set.
conditions[1].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
conditions[1].conditionValue.type = FWP_UINT8;
conditions[1].conditionValue.uint8 = 0;
conditions[1].matchType = FWP_MATCH_GREATER_OR_EQUAL;

Filter.subLayerKey = myGUID;
Filter.displayData.name = L"myFirewall";
Filter.action.type = FWP_ACTION_PERMIT;
Filter.weight.type = FWP_UINT64;

UINT64 weightvalue = 0x102; // weight is passed by pointer and must outlive the FwpmFilterAdd0 call

Filter.weight.uint64 = &weightvalue;
Filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
Filter.filterCondition = conditions;
Filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
Filter.numFilterConditions = 2;

This filter allows packets with a single destination port regardless of their IP. How do I add a specific IP to the filter condition?

Thanks

The filter condition to match a remote IP address:

// A remote-address condition needs the remote-address field key;
// FWP_V4_ADDR_MASK is not a valid value type for FWPM_CONDITION_IP_PROTOCOL.
// If the protocol condition above is kept, put this in conditions[2]
// and set numFilterConditions = 3 instead of overwriting conditions[1].
conditions[1].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
conditions[1].conditionValue.type = FWP_V4_ADDR_MASK;
conditions[1].conditionValue.v4AddrMask = new FWP_V4_ADDR_AND_MASK;
conditions[1].conditionValue.v4AddrMask->addr = ip;               // IPv4 address in host byte order
conditions[1].conditionValue.v4AddrMask->mask = VISTA_SUBNET_MASK; // 0xFFFFFFFF matches exactly one host
conditions[1].matchType = FWP_MATCH_EQUAL;
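The following is an added example, not code from the question or the answer above. It puts the two pieces together: a permit filter for one remote IP/port pair (TCP, outbound transport layer) with three conditions, plus two portable helpers that handle the details that most often go wrong in practice: WFP expects IPv4 addresses and masks in host byte order (not the network order that sockaddr_in uses), and the mask decides whether the condition matches one host (/32) or a whole prefix. The helper names, the assumption that a sublayer with the given GUID has already been registered with FwpmSubLayerAdd0, and the sample addresses are all my own; only the helpers are compiled on non-Windows hosts.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse dotted-quad text into the host-byte-order value that
   FWP_V4_ADDR_AND_MASK.addr expects. Returns 1 on success, 0 on bad input. */
int parse_ipv4_host_order(const char *text, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(text, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Prefix length (0..32) to a host-order mask; /32 pins a single host. */
int prefix_to_mask(unsigned prefix, uint32_t *out)
{
    if (prefix > 32) return 0;
    *out = (prefix == 0) ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
    return 1;
}

/* What FWP_MATCH_EQUAL on an FWP_V4_ADDR_MASK condition effectively tests. */
int addr_matches(uint32_t addr, uint32_t net, uint32_t mask)
{
    return (addr & mask) == (net & mask);
}

#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <fwpmu.h>
#pragma comment(lib, "fwpuclnt.lib")

/* Add one persistent PERMIT filter for remote ip_host/mask : port over TCP.
   engine: handle from FwpmEngineOpen0; sublayer: GUID already registered
   with FwpmSubLayerAdd0 (assumed). Returns the FwpmFilterAdd0 error code. */
DWORD add_permit_ip_port(HANDLE engine, const GUID *sublayer,
                         uint32_t ip_host, uint32_t mask, UINT16 port,
                         UINT64 *filter_id)
{
    FWP_V4_ADDR_AND_MASK addr_mask = { ip_host, mask };
    FWPM_FILTER_CONDITION0 cond[3] = {0};
    FWPM_FILTER0 filter = {0};
    UINT64 weight = 0x102;

    cond[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    cond[0].matchType = FWP_MATCH_EQUAL;
    cond[0].conditionValue.type = FWP_V4_ADDR_MASK;
    cond[0].conditionValue.v4AddrMask = &addr_mask;   /* must outlive FwpmFilterAdd0 */

    cond[1].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
    cond[1].matchType = FWP_MATCH_EQUAL;
    cond[1].conditionValue.type = FWP_UINT16;
    cond[1].conditionValue.uint16 = port;

    cond[2].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
    cond[2].matchType = FWP_MATCH_EQUAL;
    cond[2].conditionValue.type = FWP_UINT8;
    cond[2].conditionValue.uint8 = IPPROTO_TCP;

    filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
    filter.subLayerKey = *sublayer;
    filter.displayData.name = L"permit one ip:port pair";
    filter.action.type = FWP_ACTION_PERMIT;
    filter.weight.type = FWP_UINT64;
    filter.weight.uint64 = &weight;
    filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
    filter.filterCondition = cond;
    filter.numFilterConditions = 3;

    return FwpmFilterAdd0(engine, &filter, NULL, filter_id);
}
#endif

int main(void)
{
    /* Constructed sample: allow 10.0.0.5:443 only. */
    uint32_t ip, mask;
    if (!parse_ipv4_host_order("10.0.0.5", &ip) || !prefix_to_mask(32, &mask)) return 1;
    printf("addr=0x%08X mask=0x%08X matches 10.0.0.5: %d, 10.0.0.6: %d\n",
           ip, mask, addr_matches(ip, ip, mask), addr_matches(ip + 1, ip, mask));
    return 0;
}
```

All three conditions must hold for the filter to match, which is what turns "this port to anyone" into "this port to this host". A filter that permits a pair only takes effect relative to whatever else is in the sublayer: a higher-weight block filter in the same sublayer still wins, and a permit here does not override a block decided in a different sublayer, so the isolating block rule and these permits belong in the same sublayer with the permits given the higher weight.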
