Configuring firewall rules
The core functionality of Windows Firewall with Advanced
Security is expressed by rules. A rule is
basically a set of criteria that determines whether a network packet
should be handled. The two basic types of rules you can configure in
Windows Firewall with Advanced Security are
- Firewall rule: A set of criteria that specifies whether a particular type of traffic passing between the local computer and other computers on the network should be accepted (passed) or rejected (blocked).
- Connection security rule: A set of criteria that specifies how traffic passing between the local computer and other computers on the network should be protected using IPsec.
As Figure 5
shows, you can use Windows Firewall with Advanced Security to
configure two types of firewall rules:
- Inbound rule: A rule that specifies how incoming network traffic should be handled, that is, traffic originating from other computers and having the local computer as its destination.
- Outbound rule: A rule that specifies how outgoing network traffic should be handled, that is, traffic originating from the local computer and having other computers or network devices as its destination.
Both inbound and outbound rules can be configured to either
allow (permit) or deny (block) traffic based on the criteria
contained in the rule. Because there are many types of network
traffic possible, Windows Firewall with Advanced Security also has
special rules called default rules that
determine how traffic should be handled when it doesn’t match any of
the criteria contained in any of the inbound and outbound rules.
Unless otherwise configured by the system’s administrator, the
default rules for all three firewall profiles are as follows:
- Inbound default rule: Block all traffic originating from other computers and having the local computer as its destination.
- Outbound default rule: Allow all traffic originating from the local computer and having other computers or network devices as its destination.
The inbound and outbound default rules for each firewall
profile can be configured on the corresponding tab of the properties
sheet of the root node in the Windows Firewall with Advanced
Security snap-in.
When a packet of network traffic is processed by Windows
Firewall with Advanced Security, one or more rules might apply to
that particular packet. Figure 6 shows that the
order in which rules are applied to both inbound and outbound
traffic is as follows:
- Any rules that allow traffic that would otherwise be blocked are applied first. If the packet matches such a rule, the rule is applied and rule processing stops at this point.
- Rules that explicitly block traffic are applied second. If the packet matches such a rule, the rule is applied and rule processing stops at this point.
- Rules that explicitly allow traffic are applied third. If the packet matches such a rule, the rule is applied and rule processing stops at this point.
- The default rule is applied last.
When firewall rules are processed by Windows Firewall with
Advanced Security, as soon as a packet matches a rule, the rule is
applied and rule processing stops at that point. For example, if a
block rule (described in step 2) blocks a particular type of packet,
an allow rule (described in step 3) for the same type of packet
would not be applied, because allow rules have a lower priority than
block rules. The net result is that this particular type of
packet is blocked.
Windows Firewall with Advanced Security includes a number of
predefined inbound and outbound rules. These rules are used for
filtering the different types of traffic associated with different
Windows features and services. As Figure 7 shows, these predefined
rules are grouped together into rule groups. Each rule group
contains one or more rules used to control traffic for a particular
Windows feature or service. For example, the Windows Remote
Management (HTTP-In) rule group contains two rules: one that applies
to only the public profile, and another that applies to both the
domain and private profiles.
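The four-step evaluation order described above (override allow rules, then block rules, then allow rules, then the profile's default rule) and the profile scoping of rule groups such as Windows Remote Management (HTTP-In) can be modelled in a few lines. The following Python is an added example written for this page; it is not Microsoft's implementation and not code from the original text. The rule set, the port number 5985 for WinRM over HTTP, the `override_block` flag standing in for step 1, and the packet samples are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple

ALL_PROFILES = frozenset({"domain", "private", "public"})


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (destined for the local computer) or "out"
    protocol: str    # "tcp" or "udp"
    port: int        # local port for inbound traffic, remote port for outbound
    profile: str     # profile currently active on the interface


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: Action
    protocol: Optional[str] = None          # None matches any protocol
    port: Optional[int] = None              # None matches any port
    profiles: FrozenSet[str] = ALL_PROFILES  # profiles the rule applies to
    # Assumption: models step 1, an allow rule that overrides block rules.
    override_block: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and pkt.profile in self.profiles
                and (self.protocol is None or self.protocol == pkt.protocol)
                and (self.port is None or self.port == pkt.port))


# Default rules as stated on the page: inbound blocked, outbound allowed.
DEFAULT_ACTION = {"in": Action.BLOCK, "out": Action.ALLOW}


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[Action, str]:
    """Return (action, rule name) for the first rule that wins under the
    fixed precedence order; processing stops at the first match."""
    applicable = [r for r in rules if r.matches(pkt)]
    for r in applicable:                      # step 1: override allow rules
        if r.action is Action.ALLOW and r.override_block:
            return r.action, r.name
    for r in applicable:                      # step 2: explicit block rules
        if r.action is Action.BLOCK:
            return r.action, r.name
    for r in applicable:                      # step 3: explicit allow rules
        if r.action is Action.ALLOW:
            return r.action, r.name
    return DEFAULT_ACTION[pkt.direction], f"default-{pkt.direction}"   # step 4


# Constructed rule group modelled on the text's WinRM (HTTP-In) example:
# one rule scoped to the public profile, one to domain and private.
WINRM_GROUP = [
    Rule("WinRM HTTP-In (Public)", "in", Action.ALLOW, "tcp", 5985,
         frozenset({"public"})),
    Rule("WinRM HTTP-In (Domain,Private)", "in", Action.ALLOW, "tcp", 5985,
         frozenset({"domain", "private"})),
]

BLOCK_WINRM = Rule("Block WinRM everywhere", "in", Action.BLOCK, "tcp", 5985)
BYPASS_WINRM = Rule("Secure WinRM bypass", "in", Action.ALLOW, "tcp", 5985,
                    override_block=True)


def demo() -> List[Tuple[Action, str]]:
    winrm_domain = Packet("in", "tcp", 5985, "domain")
    winrm_public = Packet("in", "tcp", 5985, "public")
    rdp_in = Packet("in", "tcp", 3389, "private")
    https_out = Packet("out", "tcp", 443, "private")
    return [
        evaluate(winrm_domain, WINRM_GROUP),                  # profile picks the rule
        evaluate(winrm_public, WINRM_GROUP),
        evaluate(winrm_domain, WINRM_GROUP + [BLOCK_WINRM]),  # block beats allow
        evaluate(winrm_domain, WINRM_GROUP + [BLOCK_WINRM, BYPASS_WINRM]),
        evaluate(rdp_in, WINRM_GROUP),                        # no match: default block
        evaluate(https_out, WINRM_GROUP),                     # no match: default allow
    ]


if __name__ == "__main__":
    for action, name in demo():
        print(f"{action.value:5}  via {name}")
```

The third and fourth calls in `demo` are the cases the text singles out: adding a block rule for the same traffic overrides both allow rules in the group regardless of rule order in the list, and only a step-1 override rule can win against that block. Rule order within a step is not significant in this model, which matches the page's description of precedence by rule type rather than by position.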