
	1. HeXHub's firewall (DDoSflt.sys) is a supplement to your existing firewall, so if you have any other firewall, don't uninstall or disable it. DDoSflt will not protect you from hacking attempts or from the results of executing malware on your computer, and it will not protect you from all types of denial-of-service attacks or exploits. The actions of DDoSflt (current version) are simple: restrict the rate of SYN packets per open / closed port, restrict outgoing ICMP traffic (which would be sent, for example, during a UDP flood attack on a port that is not open), detect port scans, filter traffic from banned[0] users and filter DDoS traffic (the most common forms of DDoS attacks used against hubs).


	2. Possible problems some hub owners had so far:

2.1. All internet traffic is blocked - this happens when one or more other firewalls are installed in the system running HeXHub's firewall, and the other firewalls are blocking all traffic from DDoSflt. This happens if the computer was not restarted since DDoSflt was installed for the first time. Restarting the computer (without unregistering DDoSflt) resolves this problem.
2.2. 'Firewall not loaded' - click "Load driver"
2.3. 'Firewall cannot be loaded in this system' - are you running Windows 95/98? If not, post on the forum which OS you are running and you will probably get an answer to your problem.
2.4. 'Error opening Service Control Manager database' - login with an account that has administrative privileges and try again.
2.5. 'Error opening service handle' - this happens if you have more than one hub on the same host using the firewall and you clicked "Unregister" in only one of them. To be able to use the firewall you need to close all its open handles (unload it from all hubs that use it, then try to re-register and reload it).


	3. Using DDoSflt in your applications

	To use DDoSflt in programs other than HeXHub, register it as a system driver (if it is not already registered); you can then obtain a handle to the driver by opening the file \\.\DDoSflt.
	Firewall functions can be called with DeviceIoControl (DDoSflt) or FirewallIOCTL (firewall plugins).
	IoControl codes (needed for DeviceIoControl) are as follows:

0x2220c0 = IOCTL_START
	Input:	none
	Output:	none

	After loading the driver, call this function to install firewall hook.

0x2220c4 = IOCTL_STOP
	Input:	none
	Output:	none

	Call this function to disable the firewall without unloading it.

0x2220c8 = IOCTL_DDOSADDIP
	Input:	a DWORD containing an IP address
	Output:	none

	This function notifies the firewall that a DDoS attack is in progress and adds an IP to DDoS filter. Until IOCTL_DDOSSTOP is called, all traffic from IPs that are in DDoS filter will be filtered.

0x2220cc = IOCTL_DDOSSTOP
	Input:	none
	Output:	none

	This function notifies the firewall that the DDoS attack has stopped and deletes the DDoS filter.

0x2220d0 = IOCTL_BAN0
	Input:	two DWORDs containing an IP range
	Output:	none

	This function sets a ban on an IP range.

0x2220d4 = IOCTL_GETFLT
	Input:	none
	Output:	DWORD

	This function returns the number of filtered TCP/SYN packets that were sent from IPs found in DDoS filter.

0x2220d8 = IOCTL_REMOVE
	Input:	two DWORDs containing an IP range
	Output:	none

	Use this function to unban an IP range.

0x2220dc = IOCTL_GETVER
	Input:	none
	Output:	DWORD

	Use this function to query driver's version. Low byte contains major version number.

0x2220e0 = IOCTL_OPTIONS
	Input:	a FirewallParametersInfo structure
	Output:	none

	This function will change firewall's parameters (see 4.1.)

0x2220e4 = IOCTL_ADDPORT
	Input:	a port_info structure
	Output:	none

	This function registers a port used by the hub and sets the maximum number of SYN packets / second allowed from all users.

0x2220e8 = IOCTL_DELPORT
	Input:	port value in network byte order
	Output:	none

	This function unregisters a port that was registered using IOCTL_ADDPORT

0x2220ec = IOCTL_GETSTATS
	Input:	none
	Output:	a FirewallStatistics structure (see 4.3.)

	This function retrieves and resets firewall's statistics

0x2220f0 = IOCTL_PORTSTATS
	Input:	port value in network byte order
	Output:	a port_info structure

	This function retrieves statistics for specified ports (member synRate of port_info structure will have median SYN packets / second value). Use 0 as port value to get statistics for unregistered ports (a median value for all ports).

0x2220f4 = IOCTL_ABOUT
	Input:	none
	Output:	a 512 bytes string

	This function returns firewall's version and copyright information as an ASCIIZ string.

0x2220f8 = IOCTL_LOOKUP
	Input:	two DWORDs containing an IP range
	Output:	DWORD

	This function returns information about an IP range as a combination of flags (one or more bans may be found).
		bit 0 = exact IP range was found in banlist
		bit 1 = this range is intersected with a banned range
		bit 2 = this range is fully included in a bigger range ban
		bit 3 = this range fully includes a smaller banned range

0x2220fc = IOCTL_GETCFG
	Input:	none
	Output:	a FirewallParametersInfo structure

	This function will retrieve current firewall configuration (see 4.1.)

0x222100 = IOCTL_DDOSCNT
	Input:	none
	Output:	DWORD

	This function retrieves number of IPs in DDoS filter

0x222104 = IOCTL_DDOSFLT
	Input:	DWORD
	Output:	DWORD[input_value]

	This function returns specified number of IPs from DDoS filter.

0x22210c = IOCTL_GETPROTO
	Input: none
	Output: 3 tables of 256 dwords each

	This function returns the IP protocol statistics used by !stats ip. All tables have 256 dwords; the 8-bit protocol identifier is the index into each table. The first table contains the number of sent packets since the last call to IOCTL_CLRPROTO, the second table contains the number of sent packets, and the third table contains the last IP that sent or received the last packet.

0x222110 = IOCTL_CLRPROTO
	Input: none
	Output: none

	This function clears protocol statistics tables.

0x222114 = IOCTL_ENUMBANS (DDoSflt 1.07+)
	Input: DWORD (a 0-based index in firewall's banlist)
	Output: two DWORDs containing an IP range

	This function returns an entry from firewall's banlist.
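
	Added example (not part of the original page or of HeXHub): a user-space model of the four IOCTL_LOOKUP flags, computed over a banlist such as one read entry by entry with IOCTL_ENUMBANS. It assumes IP ranges compared as host-order integers and reads bit 1 as a partial overlap; the names and the sample banlist are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

enum {
    LK_EXACT      = 1u << 0,  /* exact IP range was found in banlist */
    LK_INTERSECTS = 1u << 1,  /* partially overlaps a banned range */
    LK_INSIDE     = 1u << 2,  /* fully included in a bigger range ban */
    LK_CONTAINS   = 1u << 3   /* fully includes a smaller banned range */
};

typedef struct { uint32_t lo, hi; } ip_range;  /* host order, lo <= hi */

/* a.b.c.d as a host-order integer, so ranges compare numerically */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8)  |  (uint32_t)(d))

/* Constructed sample banlist (assumption, not real data). */
static const ip_range sample_bans[3] = {
    { IP4(10, 0, 0, 0),  IP4(10, 0, 0, 255) },
    { IP4(10, 0, 0, 16), IP4(10, 0, 0, 31)  },
    { IP4(192, 0, 2, 0), IP4(192, 0, 2, 127) }
};

/* OR together the relation of query q to each of the n banned ranges. */
uint32_t lookup_flags(ip_range q, const ip_range *bans, size_t n)
{
    uint32_t flags = 0;
    for (size_t i = 0; i < n; i++) {
        ip_range b = bans[i];
        if (b.hi < q.lo || q.hi < b.lo)
            continue;                          /* disjoint: no flag */
        if (b.lo == q.lo && b.hi == q.hi)
            flags |= LK_EXACT;
        else if (b.lo <= q.lo && q.hi <= b.hi)
            flags |= LK_INSIDE;
        else if (q.lo <= b.lo && b.hi <= q.hi)
            flags |= LK_CONTAINS;
        else
            flags |= LK_INTERSECTS;
    }
    return flags;
}
```
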


	4. Structures used by firewall

4.1. FirewallParametersInfo

	typedef struct _FirewallParametersInfo{
		WORD	pcapFlags;	// bit 0 = WinPCap is enabled, bit 1 = detection of adapters was completed (this WORD is not used by version 1.03 of DDoSflt)
		WORD	pcapAdapters;	// mask of enabled / disabled adapters used by WinPCap procedures (this WORD is not used by version 1.03 of DDoSflt)
		DWORD	pcapTimer;	// timeout for capturing packets using WinPCap procedures (not used by version 1.03 of DDoSflt)
		BYTE	pcapSyn;	// maximum number of TCP/SYN packets per second allowed from one IP
		BYTE	pcapUdp;	// maximum number of UDP packets per second allowed from one IP
		BYTE	pcapIcmp;	// maximum number of ICMP packets per second allowed from one IP
		BYTE	firewallFlags;	// bit 0 = firewall is registered
					// bit 1 = firewall is started
					// bit 2 = maximum SYN/second on hub's registered ports will be checked
					// bit 3 = maximum SYN/second on unregistered ports will be checked
					// bit 4 = ICMP traffic will be blocked
					// bit 5 = TCP/RST packets will not be sent (will be filtered)
					// bit 6 = if flood is detected, the application will call the firewall to set a _ban0_ (not used by firewall)
					// bit 7 = if flood is detected, a notification message will be sent in opchat (not used by firewall)
		WORD	hubSyn;		// maximum SYN rate allowed for one of registered hub's ports
		WORD	otherSyn;	// maximum SYN rate allowed for non-registered ports
	} FirewallParametersInfo;

4.2. port_info

	typedef struct _port_info{
		WORD	port;		// port value in network byte order
		int	synRate;	// maximum number of TCP/SYN packets per second allowed from all users
	} port_info;
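
	Added example (not HeXHub's code and not from the original page): a C client for the IOCTL_GETVER, IOCTL_START and IOCTL_ADDPORT calls from section 3, using the port_info layout above and storing the port in network byte order. build_addport and ddosflt_register_port are hypothetical helper names, and natural struct alignment is assumed because the page does not state the driver's packing.

```c
#include <stdint.h>
#include <string.h>

#define IOCTL_START   0x2220c0u
#define IOCTL_GETVER  0x2220dcu
#define IOCTL_ADDPORT 0x2220e4u

/* Section 4.2 layout; natural alignment is an assumption (8 bytes). */
typedef struct _port_info {
    uint16_t port;     /* port value in network byte order */
    int32_t  synRate;  /* max TCP/SYN packets per second from all users */
} port_info;

/* Hypothetical helper: validate inputs and build an IOCTL_ADDPORT request. */
int build_addport(port_info *req, unsigned host_port, int syn_rate)
{
    unsigned char be[2] = { (unsigned char)(host_port >> 8),
                            (unsigned char)(host_port & 0xffu) };
    if (!req || host_port == 0 || host_port > 65535u || syn_rate <= 0)
        return -1;                 /* 0 means "unregistered ports" elsewhere */
    memset(req, 0, sizeof *req);   /* padding bytes never carry stack data */
    memcpy(&req->port, be, sizeof be);   /* big-endian on any host CPU */
    req->synRate = syn_rate;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* Hypothetical helper: returns an open handle with the hook installed and the
   port registered, or INVALID_HANDLE_VALUE. *major gets the major version. */
HANDLE ddosflt_register_port(unsigned host_port, int syn_rate, unsigned *major)
{
    port_info req; DWORD ver = 0, got = 0; HANDLE h;
    if (build_addport(&req, host_port, syn_rate) != 0)
        return INVALID_HANDLE_VALUE;
    h = CreateFileA("\\\\.\\DDoSflt", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                    OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return h;
    if (DeviceIoControl(h, IOCTL_GETVER, NULL, 0, &ver, sizeof ver, &got, NULL)
        && got == sizeof ver
        && DeviceIoControl(h, IOCTL_START, NULL, 0, NULL, 0, &got, NULL)
        && DeviceIoControl(h, IOCTL_ADDPORT, &req, sizeof req, NULL, 0, &got, NULL)) {
        if (major) *major = ver & 0xffu;   /* low byte = major version */
        return h;
    }
    CloseHandle(h);
    return INVALID_HANDLE_VALUE;
}
#endif
```
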

4.3. FirewallStatistics

	typedef struct _FirewallStatistics{
		syn_str	synFlood;	// information about last SYN packets received
		syn_str	udpFlood;	// information about last UDP packets received
		syn_str	icmpFlood;	// information about last ICMP packets received
		DWORD	fltSyn;		// number of filtered TCP/SYN packets that were sent from IPs found in DDoS filter
		DWORD	fltBan;		// number of filtered packets sent from banned[0] IPs
		DWORD	fltPort;	// number of filtered SYN packets sent to hub's ports if flood was detected
		DWORD	pchklast;	// internally used by firewall, pointer to a syn_info structure in driver's allocated memory
	} FirewallStatistics;

4.4. syn_str

	typedef struct _syn_str{
		BYTE	syn_idx;	// index in s_info array
		BYTE	is_flood;	// 0 = no flood was detected
					// 1 = flood was detected
					// 2 = port scan detected
					// 3 = SYN flood was detected
					// 4 = UDP flood was detected
					// 5 = ICMP flood was detected
		DWORD	last_ip;	// last IP that was detected as flooding
		syn_info s_info[20];	// array with information about last packets
	} syn_str;

4.5. syn_info

	typedef struct _syn_info{
		DWORD	timer1;		// number of milliseconds since firewall was started
		DWORD	lastIp;		// sender's IP (network byte order)
		DWORD	lastDstIp;	// destination IP (network byte order)
		DWORD	lastPort;	// destination port (network byte order)
		WORD	isFlood;	// 0 = no flood was detected, 1 = flood was detected
		WORD	checkSum;	// packet checksum delta (not used by version 1.03)
	} syn_info;
