IP Firewall Application Development (Windows Embedded CE 6.0)
1/6/2010
The IP firewall is typically used on an Internet gateway device. It can also be used as a host firewall. The firewall helps protect the device on which it runs and helps to protect devices on the private side of the gateway. The firewall blocks IP traffic at the IP and transport layers.
This firewall uses rules to determine whether to block, allow, or log inbound or outbound traffic. Inbound traffic originates from a host on the public side of the firewall. Outbound traffic originates from either a host on the private side or the device that is running the firewall. The firewall implements stateful traversal for inbound traffic that was initiated from the private network.
The following illustration shows the public and private side of the firewall.
The following list shows the default settings for the firewall rules when no overriding registry entries are set:
- Block all inbound traffic, including IPSec traffic, except when the firewall is running with NAT and the inbound packet has been translated by a NAT port mapping.
- Allow all outbound traffic.
You can change the default settings by configuring the firewall. The common.reg file contains a number of default rules that override the default firewall state. For more information about the default firewall rules, see Default IP Firewall Rules.
You can enable or disable the firewall, create a new rule, change a rule, or disable a rule by using functions or registry keys.
Note: Disabled rules do not affect packet filtering or logging.
The following table shows some of the functions that perform each task.
Rule task | Programming element |
---|---|
Enable or disable the firewall | |
Create a new firewall rule | |
Delete a rule | |
Get information about rules | |
For a list of all of the firewall functions, see IP Firewall Reference.
Code samples of the IP firewall and firewall log are located in the %_WINCEROOT%\Public\Common\Sdk\Samples\Firewall directory.
When a host on the private side of the firewall tries to contact a host on the public side, the IP Firewall allows some types of ICMP packets inbound. This lets ICMP error messages reach the private host when an error occurs during delivery, for example, if a packet is dropped or the destination is unreachable. The IP Firewall sets a rule to enable this error message feedback. The following table shows the ICMP types that the firewall allows inbound.
ICMP version | ICMP types allowed |
---|---|
ICMPv4 | |
ICMPv6 | |
You can disable these ICMP messages, but before doing so, consider the security implications: debugging becomes more difficult, and the private host can no longer detect that a packet delivery error has occurred. Tools such as Ping and Tracert may stop working, and some remote hosts may become unreachable.
If you want to disable ICMP, you can create a blocking rule that drops inbound ICMP packets of a specific type, or that drops all inbound ICMP packets.
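The default policy, the stateful traversal for private-initiated flows, and the ICMP blocking rule described above, as an added example that is not part of the original page and does not use the Windows Embedded CE firewall API. The Packet, Rule and Firewall names, the first-match rule order, the "log then keep evaluating" treatment, and the ICMP error types 3 and 11 are assumptions made for the example.

```python
# Added example: a model of the rule semantics described on this page, not the
# Windows CE firewall API. First-match rule order, "log then keep evaluating",
# and the two ICMP error types below are assumptions made for the example.
from dataclasses import dataclass
ICMP_ERROR_TYPES = {3, 11}  # assumed: Destination Unreachable, Time Exceeded

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = from the public side, "out" = private side or device
    proto: str            # "tcp", "udp" or "icmp"
    src: tuple            # (ip, port); use port 0 for icmp
    dst: tuple
    icmp_type: int = -1   # only meaningful when proto == "icmp"

@dataclass
class Rule:
    action: str           # "block", "allow" or "log"
    direction: str        # "in" or "out"
    proto: str = "any"
    icmp_type: int = -1   # -1 matches every ICMP type
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto in ("any", p.proto)
                and self.icmp_type in (-1, p.icmp_type))

class Firewall:
    def __init__(self, rules=(), nat_mapped=()):
        self.rules = list(rules)
        self.nat_mapped = set(nat_mapped)  # inbound (ip, port) pairs with a NAT port mapping
        self.flows = set()                 # flows the private side (or the device) opened
        self.log = []

    def filter(self, p: Packet) -> str:
        # Configured rules override the default state; a disabled rule has no effect at all
        for r in self.rules:
            if r.enabled and r.matches(p):
                self.log.append((r.action, p))
                if r.action != "log":
                    return r.action
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.dst))
            return "allow"                 # default: allow all outbound traffic
        if (p.proto, p.dst, p.src) in self.flows:
            return "allow"                 # stateful traversal: reply to a private-initiated flow
        if p.dst in self.nat_mapped:
            return "allow"                 # inbound packet translated by a NAT port mapping
        if p.proto == "icmp" and p.icmp_type in ICMP_ERROR_TYPES:
            return "allow"                 # ICMP error feedback reaches the private host
        return "block"                     # default: block all inbound traffic
```

Feeding the model an unsolicited inbound packet, then a reply to a flow the private side opened, then an inbound ICMP error with and without a blocking rule shows which default behaviour applies in each case.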
For information about the firewall and security, see IP Firewall Security.
See Also
Reference
IP Firewall Reference
IP Firewall Logging Reference
Concepts
FIREWALL Module
IP Firewall Registry Settings