About Windows Firewall Rules
Firewall rules are a built-in feature of the Windows Advanced Firewall that makes it possible to configure “Allow” or “Block” rules for incoming and outgoing traffic to and from the computer. A firewall rule can also be configured to require IPsec authentication.
Unlike connection security rules, it is possible to configure firewall rules to require membership in a specific domain group in order to be allowed to connect.
All Firewall Rules View
- Name: The name of the firewall rule.
- Group: Shows if grouping has been defined for the firewall rule.
- Action: Specifies whether the action of the Firewall Rule is “Allow” or “Block”.
- Protocol: Specifies the protocol for the firewall rule.
- Date Modified: Shows the last time a change was made to the firewall rule.
- Actions: A shortcut Actions menu to copy, edit and remove a firewall rule.
Manage Firewall rules
When creating or editing a firewall rule, the user is presented with the following form to fill with information:
- Name: The name of this firewall rule. Consider using a name that describes the function of the rule well, for example: “FW-Allow-SQL-TCP-1433”.
- Description: Here you can enter notes about this rule.
- Direction: Specifies whether the rule applies to outbound or inbound communication. Normally, inbound rules are created but we support both scenarios.
- Action: Specifies whether the action of the firewall rule is “Allow” or “Block”.
- Protocol: Indicates the protocol for the firewall rule.
- LocalPorts: Here you specify the local ports that the firewall rule affects. If you want to use RemotePorts, you will find them under the Advanced tab. If not configured, RemotePorts is set to ANY.
- Program: Here you specify the path to the application the firewall rule affects.
- Group: Here you can enter a specific grouping of your choice. Windows Firewall comes configured out of the box with several groupings of firewall rules, for example “File and Printer Sharing” and “Core Networking”. These default rule groupings should not be modified; new rules defined by an administrator can instead be assigned to a custom grouping.
- Enable IP restrictions: Toggle this to enable the Edit IP Scopes part of a rule.
- Enable authentication and encryption: Toggle this for domain isolation configuration. Please see the chapter on Domain and Server isolation for more information on how and why to configure IPsec.
When creating or editing a firewall rule, you can also restrict the rule based on IP scope definitions.
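The general-tab fields and the IP scope restriction described above, mapped onto the built-in NetSecurity cmdlets as an added example (not code from this page or from the product it documents); the rule name, group, subnet and program path are assumed placeholders:

```powershell
# Added example, not from the page or the product it documents: the general-tab
# fields mapped onto New-NetFirewallRule from the built-in NetSecurity module,
# with an IP scope restriction, followed by a read-back check. Rule name, group,
# subnet and program path are constructed placeholders; adjust before use.
$ruleName = 'FW-Allow-SQL-TCP-1433'

$params = @{
    DisplayName   = $ruleName
    Description   = 'Allow application servers to reach SQL Server'
    Direction     = 'Inbound'                        # the common case, per the form
    Action        = 'Allow'
    Protocol      = 'TCP'
    LocalPort     = '1433'                           # RemotePort stays Any (default)
    Program       = 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe'
    Group         = 'Custom-SQL'                     # never reuse a built-in group
    RemoteAddress = '10.20.30.0/24'                  # "Enable IP restrictions" scope
    Profile       = 'Domain'
}
New-NetFirewallRule @params | Out-Null

# Read back what was actually stored: each form tab is a separate filter object.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, LocalPort, RemotePort
$rule | Get-NetFirewallAddressFilter     | Select-Object LocalAddress, RemoteAddress
$rule | Get-NetFirewallApplicationFilter | Select-Object Program

# Guardrail: an Allow rule for 1433 whose remote scope collapsed to Any exposes
# SQL Server to every reachable host, so fail loudly rather than silently.
$addr = $rule | Get-NetFirewallAddressFilter
if ($addr.RemoteAddress -contains 'Any') {
    throw "$ruleName allows any remote address; the IP restriction was not applied."
}
```

Run it in an elevated PowerShell session on the host whose local policy you are editing; rules pushed through a policy store instead of the local store are read back the same way with `-PolicyStore`.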
This tab shows where this firewall rule is used, i.e. which policy uses this firewall rule.
This view is intended for informational display purposes only and does not allow for any configuration changes.
This tab shows advanced information settings and is used for more fine-grained configurations.
- Interface Alias: Specifies which network connections are subject to the requirements of this rule.
- Service: Specifies the short name of a service to which the firewall rule applies.
- Remote Port: Specifies the remote ports affected by the firewall rule.
- Dynamic Target: Specifies a dynamic transport.
- Platform: Specifies to which version of Windows the associated rule applies.
- Source Mapping: Specifies the address mapping options applied by the firewall rule:
  - Local Only Mapping
  - Loose Source Mapping
- Interface types: Specifies that only network connections made through the indicated interface types are subject to the requirements of this rule:
  - Local area network
  - Remote access
- Edge Traversal Policy: Specifies the edge traversal policy applied to the firewall rule:
  - Block: Prevents applications from receiving unsolicited traffic from the Internet through a NAT edge device.
  - Allow: Allows applications to receive unsolicited traffic directly from the Internet through a NAT edge device.
  - Defer to user: Allows the user to decide whether to allow unsolicited traffic from the Internet through a NAT edge device when an application requests it.
  - Defer to Application: Allows each application to determine whether to allow unsolicited traffic from the Internet through a NAT edge device.
Here you choose the security level of the firewall rule if you have selected “Enable authentication and encryption” under the General tab. Choices are “Authentication”, “Dynamic Encryption” or “Null Encapsulation”.
Dynamic Encryption will enable encryption for the communication over the specified port. The traffic will be IPsec-authenticated as well.
Null Encapsulation will enable IPsec authentication but no AH or ESP protection on the data packet. This enables IPsec authentication in environments with legacy equipment that lacks support for AH or ESP.
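The Advanced-tab fields and the security levels above, together with the domain-group membership requirement mentioned at the top of the page, combined in one rule as an added example (not code from this page or its product); the rule name, group names, port and the domain group `CONTOSO\FW-RDP-Admins` are assumed placeholders:

```powershell
# Added example, not from the page or the product it documents: one rule that sets
# the Advanced-tab fields and the "Dynamic Encryption" security level, and limits
# remote callers to a domain group. Rule name, groups and port are constructed.
$ruleName = 'FW-Allow-Admin-RDP-TCP-3389'

# Resolve the domain group to a SID; 'CONTOSO\FW-RDP-Admins' is a placeholder.
$group = [System.Security.Principal.NTAccount]'CONTOSO\FW-RDP-Admins'
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
# Firewall rules express authorized remote users as an SDDL string (one ACE per group).
$remoteUsers = "O:LSD:(A;;CC;;;$sid)"

$params = @{
    DisplayName         = $ruleName
    Group               = 'Custom-Admin'
    Direction           = 'Inbound'
    Action              = 'Allow'
    Protocol            = 'TCP'
    LocalPort           = '3389'
    # Advanced tab
    Service             = 'TermService'   # short service name, not the display name
    InterfaceType       = 'Wired'         # "Local area network" only
    EdgeTraversalPolicy = 'Block'         # no unsolicited traffic through a NAT edge
    LooseSourceMapping  = $false
    LocalOnlyMapping    = $false
    # Security level. Mapping: Authentication = Required (no Encryption),
    # Dynamic Encryption = Required + Encryption Dynamic, Null Encapsulation = NoEncap.
    # IPsec itself is negotiated by connection security rules (isolation chapter).
    Authentication      = 'Required'
    Encryption          = 'Dynamic'
    RemoteUser          = $remoteUsers
}
New-NetFirewallRule @params | Out-Null

# Read back the security and interface filters. If Authentication shows NotRequired,
# the RemoteUser restriction cannot be enforced, because the caller's identity is
# only known to the firewall through IPsec authentication.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallSecurityFilter      | Select-Object Authentication, Encryption, RemoteUser
$rule | Get-NetFirewallInterfaceTypeFilter | Select-Object InterfaceType
```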
The History tab shows any configuration changes that have been made to this rule, when they were made and by whom.
This view is intended for information display purposes only and does not allow for any configuration changes.