Firewall Service Rules (Compact 2013)
3/26/2014
The Firewall Service uses Windows Filtering Platform (WFP) APIs to filter network traffic. Firewall Service rules are settings that determine how network traffic is filtered by representing WFP filters and conditions in the registry. You can create, update, or remove a rule by modifying the registry keys for the Firewall Service. Rules are only applied when the Firewall Service is running. When you modify a rule, the update is only applied after you reset the device or restart the Firewall Service.
We recommend the following steps when you create a rule.
- Consider how the rule can be represented by WFP filters and conditions.
- Write an application to add the filters and conditions to the stack by calling WFP APIs.
- Test the rule to ensure that it is working correctly.
- Obtain the key field values from the WFP filters.
- Convert the key field values to numeric format so they can be stored in the registry.
For details about the registry settings that are used to create rules, see Firewall Service Registry Settings.
The default Firewall Service rules are the initial Firewall settings for Windows Embedded Compact 2013. The following table describes the default Firewall Service rules.
Name |
Description |
---|---|
BlockInboundConnectionsV4 |
Blocks all inbound network connections for IPv4, including TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). This Firewall Service rule ensures that remote devices cannot connect to the device without permission from the Firewall Service. The registry values for this rule are:
|
BlockInboundConnectionsV6 |
Blocks all inbound network connections for IPv6, including TCP, UDP, and ICMP. This Firewall Service rule ensures that remote devices cannot connect to the device without permission from the Firewall Service. The registry values for this rule are:
|
BlockIcmpErrorV4 |
Blocks UDP port scanners for IPv4. The registry values for this rule are:
|
BlockIcmpErrorV6 |
Blocks UDP port scanners for IPv6. The registry values for this rule are:
|
Allow6to4 |
Allows 6to4 tunneling, which enables IPv6 to run over an IPv4 network. The registry values for this rule are:
|
AllowIcmpV6Type133 |
Allows ICMPv6 router solicitation messages, which are required for the IPv6 stack to work properly. The registry values for this rule are:
|
AllowIcmpV6Type134 |
Allows ICMPv6 router advertise messages, which are required for the IPv6 stack to work properly. The registry values for this rule are:
|
AllowIcmpV6Type135 |
Allows ICMPv6 neighbor solicitation messages, which are required for the IPv6 stack to work properly. The registry values for this rule are:
|
AllowIcmpV6Type136 |
Allows ICMPv6 neighbor advertise messages, which are required for the IPv6 stack to work properly. The registry values for this rule are:
|
BlockTcpRstOnCloseV4 |
Blocks TCP port scanners for IPv4. The registry values for this rule are:
|
BlockTcpRstOnCloseV6 |
Blocks TCP port scanners for IPv6. The registry values for this rule are:
|
Example
The following example code obtains and prints the key field values of a Windows Filtering Platform (WFP) filter and the conditions defined by the filter. You can use the DumpFilter function from the example code in your application after you have tested a WFP filter and its conditions in the TCP stack. After you call the DumpFilter example function to obtain the filter’s key field values and its conditions, you can use the Windows Filtering Platform APIs to convert them to a format that can be stored in the registry as a Firewall Service rule.
This example code supports only simple filters and conditions and might not be compatible with filters that contain complex conditions.
Important
For readability, the following code example does not contain security checking or error handling. Do not use the following code in a production environment.
#include <windows.h>
#include <fwpmu.h>
#define CHR(x) if (FAILED(x)) { hr = x; goto Error; }
void DumpMemory(PBYTE pBuf, DWORD size)
{
WCHAR buf[1024];
buf[0] = L'\0';
for (int i=0; i<size; ++i)
{
if ((i+1)%16==0)
{
wprintf(L"%s\n", buf);
buf[0]= L'\0';
}
swprintf(buf, L"%s %x", buf, *(pBuf + i));
}
wprintf(L"%s\n", buf);
}
void DumpFilter(FWPM_FILTER0 *pFilter)
{
HRESULT hr;
LPOLESTR pStr;
wprintf(L"Dump filter %s\n", pFilter->displayData.name);
CHR(StringFromCLSID(pFilter->layerKey, &pStr));
wprintf(L"\tlayerKey\t= %s\n", (LPCTSTR)pStr);
CoTaskMemFree(pStr);
wprintf(L"\tactionType\t= 0x%x\n", pFilter->action.type);
CHR(StringFromCLSID(pFilter->action.calloutKey, &pStr));
wprintf(L"\tactionCalloutKey\t= %s\n", (LPCTSTR)pStr);
CoTaskMemFree(pStr);
wprintf(L"\tweight\t= 0x%x\n", pFilter->weight.uint32);
if (pFilter->numFilterConditions > 0)
{
for (int i=0; i<pFilter->numFilterConditions; ++i)
{
FWPM_FILTER_CONDITION0* pCondition = pFilter->filterCondition + i;
wprintf(L"\tDump condition %d\n", i);
CHR(StringFromCLSID(pCondition->fieldKey, &pStr));
wprintf(L"\t\tfieldKey\t= %s\n", (LPCTSTR)pStr);
CoTaskMemFree(pStr);
wprintf(L"\t\tmatchType\t= 0x%x\n", pCondition->matchType);
wprintf(L"\t\tconditionType\t= 0x%x\n", pCondition->conditionValue.type);
switch (pCondition->conditionValue.type)
{
// None pointer types
case FWP_UINT8:
{
wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.uint8);
break;
}
case FWP_UINT16:
{
wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.uint16);
break;
}
case FWP_UINT32:
{
wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.uint32);
break;
}
case FWP_INT8:
{
wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.int8);
break;
}
case FWP_INT16:
{
wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.int16);
break;
}
case FWP_INT32:
{
wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.int32);
break;
}
case FWP_FLOAT:
{
// Not used.
break;
}
// Treat others as pointer type
default:
{
DWORD size = sizeof(FWP_V4_ADDR_AND_MASK);
DumpMemory((PBYTE)pCondition->conditionValue.byteBlob, size);
break;
break;
}
}
}
}
Error:
return;
}
See Also
Reference
Firewall Service Registry Settings