Default IP Firewall Rules
The file common.reg contains the default set of firewall rules that are required to provide security and interoperability. These rules are contained in the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules registry key. The following table shows the rules.
Security Note: Changing firewall rule settings may have security implications.
Name | Description |
---|---|
SourcePrivate | Default setting is the private subnet 192.168.0.1, mask 255.255.255.0. This rule protects against a class of address faking, or spoofing, attacks. It blocks all inbound packets that have a source address within the range of the private subnet. If a different IP range is used for the private subnet, then you must change this address. |
SourceBroadcast | This rule protects against a class of address imitating attacks. It blocks all inbound packets that have the source address set to the broadcast address of 255.255.255.255. |
SourceLoopback | This rule protects against a class of address imitating attacks. It blocks all inbound packets that have a source address set to the loopback address of 127.0.0.1. |
DHCPUnicastResponse | This rule allows the DHCP server response, UDP port 68. This rule is required to allow dynamic address configuration via DHCP. |
BlockOutboundICMP | This rule stops potential attackers from fingerprinting a protected network by sending a packet to cause specific ICMP error responses. This rule blocks outbound ICMP messages. |
AllowICMP_ECHO_REQUEST | This rule enables ping to work from a protected network and host. It allows an outbound ICMP_ECHO_REQUEST message, thus overriding the BlockOutboundICMP rule for this ICMP type. |
6to4 | This rule allows inbound IPv6 packets tunneled in IPv4 packets. It allows IPv6 tunneling protocols, such as 6to4, to pass the IPv4 firewall so that they can be filtered by the IPv6 firewall. |
RouterAdvertisementLink | This rule allows an inbound ICMPv6_ROUTER_ADVERT message from a link-local address. This rule is necessary for the IPv6 stack to work properly. |
NeighborSolicitLink | This rule allows an inbound ICMPv6_NEIGHBOR_SOLICIT message from a link-local address. This rule is necessary for the IPv6 stack to work properly. |
NeighborSolicitSite | This rule allows an inbound ICMPv6_NEIGHBOR_SOLICIT message from a site-local address. This rule is necessary for the IPv6 stack to work properly. |
NeighborAdvertLink | This rule allows an inbound ICMPv6_NEIGHBOR_ADVERT message from a link-local address. This rule is necessary for the IPv6 stack to work properly. |
NeighborAdvertSite | This rule allows an inbound ICMPv6_NEIGHBOR_ADVERT message from a site-local address. This rule is necessary for the IPv6 stack to work properly. |
BlockOutboundICMPv6 | This rule blocks outbound ICMPv6 messages. This rule stops potential attackers from fingerprinting a protected network by sending a packet that will cause certain ICMP error responses. |
AllowICMPv6_ECHO_REQUEST | This rule allows an outbound ICMPv6_ECHO_REQUEST message and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type, which enables IPv6 ping to work from a protected network or host. |
AllowICMPv6_NEIGHBOR_SOLICIT | This rule allows an outbound ICMPv6_NEIGHBOR_SOLICIT message and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for the IPv6 stack to work properly. |
AllowICMPv6_ROUTER_SOLICIT | This rule allows an outbound ICMPv6_ROUTER_SOLICIT message and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for the IPv6 stack to work properly. |
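
The source-address rules and the Allow-over-Block ICMP overrides from the table, modeled in Python as an added example; this is not Microsoft's code or the firewall's implementation. The function names, the exact-match treatment of 127.0.0.1, and the `stale_private_rule` check are assumptions made for illustration; the ICMP type numbers are the standard protocol values.

```python
import ipaddress

# Addresses come from the rule table; the evaluation logic is an illustrative model.
BROADCAST = ipaddress.ip_address("255.255.255.255")
LOOPBACK = ipaddress.ip_address("127.0.0.1")  # assumption: matched exactly, as the table words it

# Outbound types that an Allow rule exempts from the blanket Block rule.
# Type numbers are the standard ICMP and ICMPv6 values.
OUTBOUND_ALLOW = {
    "icmp": {8: "AllowICMP_ECHO_REQUEST"},
    "icmpv6": {128: "AllowICMPv6_ECHO_REQUEST",
               135: "AllowICMPv6_NEIGHBOR_SOLICIT",
               133: "AllowICMPv6_ROUTER_SOLICIT"},
}
OUTBOUND_BLOCK = {"icmp": "BlockOutboundICMP", "icmpv6": "BlockOutboundICMPv6"}


def private_net(address="192.168.0.1", mask="255.255.255.0"):
    """Network covered by SourcePrivate for an address/mask pair."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def inbound_source_rule(src, private=None):
    """Name of the source rule that blocks an inbound IPv4 packet, or None."""
    src = ipaddress.ip_address(src)
    private = private or private_net()
    if src in private:
        return "SourcePrivate"
    if src == BROADCAST:
        return "SourceBroadcast"
    if src == LOOPBACK:
        return "SourceLoopback"
    return None  # none of the three source rules applies


def outbound_icmp(proto, icmp_type):
    """(action, rule) for an outbound ICMP/ICMPv6 message; Allow overrides Block."""
    allow = OUTBOUND_ALLOW[proto].get(icmp_type)
    return ("allow", allow) if allow else ("block", OUTBOUND_BLOCK[proto])


def stale_private_rule(lan_address, lan_mask, rule=None):
    """True if SourcePrivate does not cover the subnet actually used on the LAN."""
    rule = rule or private_net()
    return not private_net(lan_address, lan_mask).subnet_of(rule)
```

`stale_private_rule` flags the case the SourcePrivate row warns about: a private subnet that was renumbered while the rule still holds the default range, so inbound packets spoofing the new range are no longer matched.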
See Also
IP Firewall | IP Firewall Registry Settings | IP Firewall Logging Registry Settings
Last updated on Tuesday, May 18, 2004
© 1992-2003 Microsoft Corporation. All rights reserved.