Filtering Conditions FOR Firewall RULES
Firewall rules can filter traffic based on a number of different conditions (see Table below). The effect of a rule is the logical AND of all these different conditions.
Filtering Conditions for Firewall Rules
| Condition | Possible Value |
| Protocol | Any Custom (Internet Assigned Numbers Authority [IANA] IP protocol number) TCP or UDP ICMPv4 or ICMPv6 Other protocols, including Internet Group Management Protocol [IGMP], HOPOPT, Generic Route Encapsulation [GRE], IPv6-NoNxt, IPv6-Opts, Virtual Router Redundancy Protocol [VRRP], Pragmatic General Multicast [PGM], Layer 2 Tunneling Protocol [L2TP], IPv6-Route, IPv6-Frag |
| Local Port (inbound TCP only) | All ports Specific ports RPC dynamic ports RPC end-point mapper IP over Hypertext Transfer Protocol Secure (HTTPS) (IP-HTTPS) |
| Local Port (inbound UDP only) | All ports Specific ports Edge traversal |
| Local port (outbound TCP only) | All ports Specific ports |
| Local port (outbound UDP only) | All ports Specific ports |
| Remote port (inbound TCP only) | All ports Specific ports |
| Remote port (inbound UDP only) | All ports Specific ports |
| Remote port (outbound TCP only) | All ports Specific ports IP-HTTPS |
| Remote port (outbound UDP only) | All ports Specific ports |
| ICMP Type Code (for ICMPv4 and ICMPv6) | All ICMP Types Specific types of ICMP traffic |
| Local IP address scope* | A specific IPv4 or IPv6 address or list of addresses A range of IPv4 or IPv6 addresses or list of ranges An entire IPv4 or IPv6 subnet or list of subnets |
| Remote IP address scope* | A specific IPv4 or IPv6 address or list of addresses A range of IPv4 or IPv6 addresses or list of ranges An entire IPv4 or IPv6 subnet or list of subnets A predefined set of computers-including local subnet, default gateway, DNS servers, WINS servers, or DHCP servers-or a list of such items |
| Profiles | Specify the profile(s) to which the rule applies; for example, Domain, Private, and/or Public |
| Interface type | All interface types Local area network Remote access Wireless |
| Edge traversal | Allow edge traversal Block edge traversal Defer to user Defer to application |
| Programs | All programs System, a special keyword that if used will restrict traffic to the System Process (useful for scoping traffic to any Kernel Mode driver such as Http.sys, Smb.sys, and so on) Specify path and .exe name to program executable (path can include environment variables) |
| Services** | Apply to all programs and services Apply to services only Apply to a specified service or to a service with the specified short name |
| User | Only allows connections from the specified users or groups of users (optionally with specified exceptions); this filtering condition can only be used when Allow This Connection If It Is Secure has been selected on the General tab of the rule's properties |
| Computer | Only allows connections from the specified computers or groups of computers (optionally with specified exceptions); this filtering condition can only be used when Allow This Connection If It Is Secure has been selected on the General tab of the rule's properties |
*When creating and configuring firewall rules, use the scope filtering condition wherever possible. For example, if you do network backup and need to allow incoming connections from the backup service, configure the scope so that Windows Firewall allows connections only from the backup server's IP address or network. Similarly, refine the scope for network management and remote administration tools to just those networks that require it.
**Firewall rules can allow or block services regardless of where their executables are located on the computer. Services can be specified by their service name, even if the service is implemented as a dynamic-link library (DLL). Programs are identified by specifying the application path. (Specifying DLLs is not supported.) In addition, the service needs to have an associated service SID for this scoping to work correctly. To verify this, use the sc qsidtype serviceshortname command to verify that the service SID is not set to NONE.
In this tutorial:
- Configuring Windows Firewall and IPsec
- Understanding Windows Firewall with Advanced Security
- Improvements to Windows Firewall Introduced Previously in Windows Vista
- Additional Improvements to Windows Firewall in Windows 7
- Understanding the Windows Filtering Platform
- Windows Firewall and the Startup Process
- Understanding Windows Service Hardening
- Understanding Service SIDs
- Windows Firewall and WSH
- Windows Firewall and Service Triggers
- Understanding Multiple Active Firewall Profiles
- Understanding Rules
- Understanding Firewall Rules
- Inbound vs . Outbound Rules
- Allow vs . Block Rules
- Allow If Secure Rules
- Authenticated Bypass Rules
- Filtering Conditions FOR Firewall RULES
- Understanding Connection Security Rules
- Types of Connection Security Rules
- Supported IPsec Settings for Connection Security Rules
- Default IPsec Settings for Connection Security Rules
- Windows Firewall and Windows PE
- Understanding Default Rules
- Understanding WSH Rules
- Understanding Rules Processing
- Managing Windows Firewall with Advanced Security
- Tools for Managing Windows Firewall with Advanced Security
- Managing Windows Firewall Using Control Panel
- Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in
- Managing Windows Firewall Using Group Policy
- Considerations When Managing Windows Firewall Using Group Policy
- Managing Windows Firewall Using the Netsh Command
- Common Management Tasks
- Enabling or Disabling Windows Firewall
- Configuring Firewall Profiles and IPsec Settings by Using Group Policy
- Creating and Configuring Firewall Rules
- Creating and Configuring Connection Security Rules
- Monitoring Windows Firewall
- Troubleshooting Windows Firewall
- Troubleshooting Windows Firewall Using Firewall Logs
- Troubleshooting Windows Firewall Using Event Logs
- Troubleshooting Windows Firewall Using Auditing
- Troubleshooting IPsec Issues Using Netsh Wfp
- Troubleshooting Windows Filtering Platform and IPsec Issues Using Netsh Trace