Programming the Windows firewall
Blog post from Tailscale
Tailscale, a WireGuard-based mesh VPN, has to cooperate with the Windows firewall to work at all: inbound WireGuard packets must be allowed through, and Tailscale also wants to enforce its centrally managed access control lists (ACLs) on the host itself. On Windows, all packet filtering ultimately goes through the Windows Filtering Platform (WFP): a kernel-mode filter engine plus a user-mode API and service (the Base Filtering Engine) through which filtering policy is installed. Windows Defender Firewall, the tool most users configure, is itself one client of WFP and its rules are translated into WFP filters. Anyone who needs rules that Defender Firewall cannot express, or that must be installed and removed programmatically, can talk to WFP directly through its API.

Working with WFP means opening a session and adding filters at one or more layers. A layer is a fixed inspection point in the packet and connection processing path (for example, the point at which an inbound connection is about to be accepted), and the conditions a filter can test there are the fields WFP exposes at that layer: addresses, ports, protocol, the owning application, and so on. Each filter carries an action (permit or block) and a weight; within a sublayer, the highest-weight filter whose conditions match decides. Sublayers exist so that independent products can each install a coherent set of filters without trampling one another: each product's filters live in its own sublayer, the sublayers themselves have weights, and the engine consults them from highest to lowest. A permit in one sublayer does not by itself override a block in another, which is what lets a host firewall's rules and Tailscale's rules coexist.

Tailscale wraps this API in the Go package inet.af/wf, which it uses both to open the path for incoming WireGuard tunnels and to push ACL enforcement down into WFP on the host. The package is open source and still has room for improvement; contributions are welcome.
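The two paths described above, the Defender Firewall rule and a look at the WFP objects underneath it, as an added PowerShell example. This is not code from the Tailscale post or from the inet.af/wf package. It assumes an elevated PowerShell session on a recent Windows release and that Tailscale's WireGuard listener is on UDP port 41641 (the port and the rule name are assumptions; substitute your own). The element names used to walk the `netsh wfp` XML dump are taken from that dump's format as observed on Windows 10 and are also assumptions to verify against your own output.

```powershell
# Added example, not part of the Tailscale post or the inet.af/wf package.
# Assumptions: elevated session; WireGuard listener on UDP 41641 (assumed);
# rule name chosen here; netsh XML element names as observed on Windows 10.

$port     = 41641
$ruleName = "Tailscale WireGuard (inbound UDP $port)"

# 1. The ordinary path: a Windows Defender Firewall rule. Defender Firewall is
#    itself a WFP client, so this becomes WFP filters in Defender's own sublayer.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol UDP -LocalPort $port `
        -Action Allow -Profile Any | Out-Null
}

# Confirm the rule exists and carries the protocol/port filter we expect.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 2. The check a practitioner wants: inspect the filter engine directly.
#    'netsh wfp show state' dumps layers, sublayers and filters to an XML file.
$dump = Join-Path $env:TEMP "wfpstate.xml"
netsh wfp show state file=$dump | Out-Null
[xml]$state = Get-Content -Path $dump -Raw

# PowerShell's XML adapter is case-insensitive, so DocumentElement.sublayers
# works whether the dump spells the element subLayers or sublayers.
$root = $state.DocumentElement

# Sublayers, highest weight first. Each product (Defender Firewall, a
# wf-based agent, third-party AV) gets its own sublayer; the weights decide
# the order in which the engine consults them.
"`n== Sublayers by weight =="
$root.sublayers.item |
    ForEach-Object {
        [pscustomobject]@{
            Weight = [int]$_.weight
            Name   = $_.displayData.name
            Key    = $_.subLayerKey
        }
    } | Sort-Object Weight -Descending | Format-Table -AutoSize

# Filters created for our rule, at the inbound-accept layers. The layer key
# tells you the inspection point, the sublayer key tells you whose policy
# set the filter belongs to, and action.type is PERMIT or BLOCK.
"`n== Filters for '$ruleName' =="
$root.filters.item |
    Where-Object { $_.displayData.name -eq $ruleName } |
    ForEach-Object {
        [pscustomobject]@{
            Layer    = $_.layerKey
            Sublayer = $_.subLayerKey
            Action   = $_.action.type
        }
    } | Format-Table -AutoSize

# 3. Cleanup (comment out if you want the rule to stay).
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Remove-Item -Path $dump -ErrorAction SilentlyContinue
```

Run the script once with the rule in place and once without it to see the difference in the filters listing; a filter that is present in the dump but sits in a lower-weight sublayer than a competing block will still not let the traffic through, which is exactly the arbitration the post's discussion of sublayer weights is about.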