Windows 7 / Networking

Rule Scope

A rule's scope specifies which local and remote (source and destination) addresses the rule applies to. If you want a rule that allows a particular type of traffic but only from, or to, a particular set of network addresses, you restrict the rule's scope. The scope is an address filter and nothing more: it narrows the rule's exposure, but it does not verify who is behind an address. If the rule must apply only to authenticated remote computers, combine it with a connection security rule and the rule's Remote Computers settings rather than relying on addresses alone.

You can specify a scope when creating a custom rule, but the wizards for standard program and port rules do not offer a scope page. For those rule types, set the scope by editing the rule's properties after it has been created. You can specify individual Internet Protocol (IP) addresses, subnets, or address ranges, or use one of the predefined sets of computers: Default Gateway, Windows Internet Naming Service (WINS) servers, Dynamic Host Configuration Protocol (DHCP) servers, Domain Name System (DNS) servers, and Local Subnet. Both IPv4 and IPv6 addresses and ranges are accepted when configuring a rule's scope.

To modify a rule's scope, perform the following actions:

  1. Right-click the rule in the WFAS console and then choose Properties. This opens the Properties dialog box for the rule. Click the Scope tab.
  2. If you want to limit the local IP addresses that the rule applies to (for example, when more than one address is assigned to a network adapter or there are multiple network adapters on your computer), select the These IP Addresses option under Local IP Address. Click Add and specify the address or addresses the rule applies to.
  3. If you want to limit the remote IP addresses that the rule applies to (for example, when you want the rule to apply only to inbound traffic from a specific subnet), select the These IP Addresses option under Remote IP Address and click Add to specify individual IP addresses, a subnet, an address range, or one of the predefined sets of computers.

You can use the Advanced tab of a rule's properties to specify which network interfaces (local area network, wireless, or remote access) the rule applies to. This is similar to limiting the local IP addresses that the rule applies to, except that it is done by selecting the type of interface, not the address attached to it. On the Advanced tab, you can also configure how an inbound rule responds to unsolicited traffic that has passed through an edge device such as a Network Address Translation (NAT) router, which in Windows 7 is chiefly IPv6 traffic tunneled to the computer over Teredo. Edge traversal settings apply only to inbound rules. The options are:

  • Block edge traversal: When selected, the target of the rule does not receive unsolicited traffic from the Internet through a NAT device. This is the default and the safest choice.
  • Allow edge traversal: When selected, the target of the rule processes unsolicited traffic from the Internet through a NAT device.
  • Defer to user: When selected, the user receives a notification of incoming traffic through a NAT device. If the user has sufficient privileges, they can block or allow the communication manually.
  • Defer to application: When selected, the application's own settings determine whether incoming traffic through a NAT device is accepted or rejected.
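The same scope, interface, and edge traversal settings described in the procedure above and in the Advanced tab options can be applied from the command line, which is how you would script them across many Windows 7 computers. The following is an added example and is not code from the original text. It uses the netsh advfirewall commands and the HNetCfg.FwPolicy2 COM interface that ship with Windows 7 (Windows 7 has no NetSecurity PowerShell module). The rule name Example-RDP-Scoped and the 192.0.2.x addresses are constructed for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the book): scope an inbound rule, restrict its
# interface type and edge traversal behaviour, then audit the policy for
# inbound allow rules whose remote scope is still unrestricted.
# Rule name, port and addresses below are assumptions for illustration.

$RuleName = 'Example-RDP-Scoped'   # hypothetical rule name (no spaces, so netsh quoting is simple)

# 1. Create a port rule with a scope at creation time. The Port wizard in the
#    WFAS console has no Scope page, but netsh accepts remoteip directly.
#    The scope mixes a predefined set (localsubnet) with an explicit management
#    host and an address range; an IPv6 prefix could be added to the same list.
#    interfacetype=lan excludes wireless and remote access adapters, and
#    edge=no is the "Block edge traversal" option from the Advanced tab.
netsh advfirewall firewall add rule `
    name=$RuleName dir=in action=allow protocol=TCP localport=3389 `
    remoteip=localsubnet,192.0.2.10,192.0.2.100-192.0.2.120 `
    interfacetype=lan edge=no

# 2. Tighten the scope of an existing rule afterwards (the Scope tab equivalent).
#    "set rule ... new" rewrites only the fields you name; here the remote scope
#    shrinks to the single management host while the local scope stays at any.
netsh advfirewall firewall set rule name=$RuleName new remoteip=192.0.2.10 localip=any

# 3. Change edge traversal (Advanced tab). Valid values: no | yes | deferapp | deferuser
netsh advfirewall firewall set rule name=$RuleName new edge=deferuser

# Show the resulting rule, including scope, interface type and edge traversal.
netsh advfirewall firewall show rule name=$RuleName verbose

# 4. Audit: enabled inbound allow rules whose remote scope is "Any".
#    INetFwRule reports an unrestricted scope as "*". Constants are from the
#    NET_FW_RULE_DIRECTION and NET_FW_ACTION enumerations.
$NET_FW_RULE_DIR_IN  = 1
$NET_FW_ACTION_ALLOW = 1
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$policy.Rules |
    Where-Object {
        $_.Enabled -and
        $_.Direction -eq $NET_FW_RULE_DIR_IN -and
        $_.Action -eq $NET_FW_ACTION_ALLOW -and
        $_.RemoteAddresses -eq '*'
    } |
    Select-Object Name, Protocol, LocalPorts, RemoteAddresses, EdgeTraversal, Profiles |
    Sort-Object Name |
    Format-Table -AutoSize
```

The audit in step 4 is the check worth keeping: a rule that allows a service to everyone is only as safe as the service, so every inbound allow rule it lists should either be scoped or have a reason documented. Remove the example rule with `netsh advfirewall firewall delete rule name=Example-RDP-Scoped` when you are done.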