Windows 7 / Networking

---

Filtering Conditions FOR Firewall RULES

Firewall rules can filter traffic based on a number of different conditions (see Table below). The effect of a rule is the logical AND of all these different conditions.

Filtering Conditions for Firewall Rules

Condition	Possible Value
Protocol	Any Custom (Internet Assigned Numbers Authority [IANA] IP protocol number) TCP or UDP ICMPv4 or ICMPv6 Other protocols, including Internet Group Management Protocol [IGMP], HOPOPT, Generic Route Encapsulation [GRE], IPv6-NoNxt, IPv6-Opts, Virtual Router Redundancy Protocol [VRRP], Pragmatic General Multicast [PGM], Layer 2 Tunneling Protocol [L2TP], IPv6-Route, IPv6-Frag
Local Port (inbound TCP only)	All ports Specific ports RPC dynamic ports RPC end-point mapper IP over Hypertext Transfer Protocol Secure (HTTPS) (IP-HTTPS)
Local Port (inbound UDP only)	All ports Specific ports Edge traversal
Local port (outbound TCP only)	All ports Specific ports
Local port (outbound UDP only)	All ports Specific ports
Remote port (inbound TCP only)	All ports Specific ports
Remote port (inbound UDP only)	All ports Specific ports
Remote port (outbound TCP only)	All ports Specific ports IP-HTTPS
Remote port (outbound UDP only)	All ports Specific ports
ICMP Type Code (for ICMPv4 and ICMPv6)	All ICMP Types Specific types of ICMP traffic
Local IP address scope*	A specific IPv4 or IPv6 address or list of addresses A range of IPv4 or IPv6 addresses or list of ranges An entire IPv4 or IPv6 subnet or list of subnets
Remote IP address scope*	A specific IPv4 or IPv6 address or list of addresses A range of IPv4 or IPv6 addresses or list of ranges An entire IPv4 or IPv6 subnet or list of subnets A predefined set of computers-including local subnet, default gateway, DNS servers, WINS servers, or DHCP servers-or a list of such items
Profiles	Specify the profile(s) to which the rule applies; for example, Domain, Private, and/or Public
Interface type	All interface types Local area network Remote access Wireless
Edge traversal	Allow edge traversal Block edge traversal Defer to user Defer to application
Programs	All programs System, a special keyword that if used will restrict traffic to the System Process (useful for scoping traffic to any Kernel Mode driver such as Http.sys, Smb.sys, and so on) Specify path and .exe name to program executable (path can include environment variables)
Services**	Apply to all programs and services Apply to services only Apply to a specified service or to a service with the specified short name
User	Only allows connections from the specified users or groups of users (optionally with specified exceptions); this filtering condition can only be used when Allow This Connection If It Is Secure has been selected on the General tab of the rule's properties
Computer	Only allows connections from the specified computers or groups of computers (optionally with specified exceptions); this filtering condition can only be used when Allow This Connection If It Is Secure has been selected on the General tab of the rule's properties

*When creating and configuring firewall rules, use the scope filtering condition wherever possible. For example, if you do network backup and need to allow incoming connections from the backup service, configure the scope so that Windows Firewall allows connections only from the backup server's IP address or network. Similarly, refine the scope for network management and remote administration tools to just those networks that require it.

**Firewall rules can allow or block services regardless of where their executables are located on the computer. Services can be specified by their service name, even if the service is implemented as a dynamic-link library (DLL). Programs are identified by specifying the application path. (Specifying DLLs is not supported.) In addition, the service needs to have an associated service SID for this scoping to work correctly. To verify this, use the sc qsidtype serviceshortname command to verify that the service SID is not set to NONE.