次の方法で共有


Firewall Service Rules (Compact 2013)

3/26/2014

The Firewall Service uses Windows Filtering Platform (WFP) APIs to filter network traffic. Firewall Service rules are settings that determine how network traffic is filtered by representing WFP filters and conditions in the registry. You can create, update, or remove a rule by modifying the registry keys for the Firewall Service. Rules are only applied when the Firewall Service is running. When you modify a rule, the update is only applied after you reset the device or restart the Firewall Service.

We recommend the following steps when you create a rule.

  • Consider how the rule can be represented by WFP filters and conditions.
  • Write an application to add the filters and conditions to the stack by calling WFP APIs.
  • Test the rule to ensure that it is working correctly.
  • Obtain the key field values from the WFP filters.
  • Convert the key field values to numeric format so they can be stored in the registry.
    For details about the registry settings that are used to create rules, see Firewall Service Registry Settings.

The default Firewall Service rules are the initial Firewall settings for Windows Embedded Compact 2013. The following table describes the default Firewall Service rules.

Name

Description

BlockInboundConnectionsV4

Blocks all inbound network connections for IPv4, including TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). This Firewall Service rule ensures that remote devices cannot connect to the device without permission from the Firewall Service.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
  • actionType=FWP_ACTION_BLOCK
  • weightValue=0x0A

BlockInboundConnectionsV6

Blocks all inbound network connections for IPv6, including TCP, UDP, and ICMP. This Firewall Service rule ensures that remote devices cannot connect to the device without permission from the Firewall Service.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
  • actionType=FWP_ACTION_BLOCK
  • weightValue=0x0A

BlockIcmpErrorV4

Blocks UDP port scanners for IPv4.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_OUTBOUND_ICMP_ERROR_V4
  • actionType=FWP_ACTION_BLOCK
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_ICMP_TYPE;
  • condition.matchType=FWP_MATCH_EQUAL;
  • condition.conditionValue.type=FWP_UINT16;
  • condition.conditionValue=0x03;

BlockIcmpErrorV6

Blocks UDP port scanners for IPv6.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_OUTBOUND_ICMP_ERROR_V6
  • actionType=FWP_ACTION_BLOCK
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_ICMP_TYPE;
  • condition.matchType=FWP_MATCH_EQUAL;
  • condition.conditionValue.type=FWP_UINT16;
  • condition.conditionValue=0x03;

Allow6to4

Allows 6to4 tunneling, which enables IPv6 to run over an IPv4 network.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
  • actionType=FWP_ACTION_PERMIT
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_IP_PROTOCOL
  • condition.matchType=FWP_MATCH_EQUAL
  • condition.conditionValue.type=FWP_UINT8
  • condition.conditionValue=0x29

AllowIcmpV6Type133

Allows ICMPv6 router solicitation messages, which are required for the IPv6 stack to work properly.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
  • actionType=FWP_ACTION_PERMIT
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_ICMP_TYPE
  • condition.matchType=FWP_MATCH_EQUAL
  • condition.conditionValue.type=FWP_UINT16
  • condition.conditionValue=0x85

AllowIcmpV6Type134

Allows ICMPv6 router advertise messages, which are required for the IPv6 stack to work properly.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
  • actionType=FWP_ACTION_PERMIT
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_ICMP_TYPE
  • condition.matchType=FWP_MATCH_EQUAL
  • condition.conditionValue.type=FWP_UINT16
  • condition.conditionValue=0x86

AllowIcmpV6Type135

Allows ICMPv6 neighbor solicitation messages, which are required for the IPv6 stack to work properly.

The registry values for this rule are:

  • layerKey= FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
  • actionType=FWP_ACTION_PERMIT
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_ICMP_TYPE
  • condition.matchType=FWP_MATCH_EQUAL
  • condition.conditionValue.type=FWP_UINT16
  • condition.conditionValue=0x87

AllowIcmpV6Type136

Allows ICMPv6 neighbor advertise messages, which are required for the IPv6 stack to work properly.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
  • actionType=FWP_ACTION_PERMIT
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_ICMP_TYPE
  • condition.matchType=FWP_MATCH_EQUAL
  • condition.conditionValue.type=FWP_UINT16
  • condition.conditionValue=0x88

BlockTcpRstOnCloseV4

Blocks TCP port scanners for IPv4.

The registry values for this rule are:

  • layerKey=FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD
  • actionType=FWP_ACTION_CALLOUT_TERMINATING
  • actionCalloutKey=FWPM_CALLOUT_WFP_TRANSPORT_LAYER_V4_SILENT_DROP
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_FLAGS
  • condition.matchType=FWP_MATCH_FLAGS_NONE_SET
  • condition.conditionValue.type=FWP_UINT32;
  • condition.conditionValue=FWP_CONDITION_FLAG_IS_LOOPBACK;

BlockTcpRstOnCloseV6

Blocks TCP port scanners for IPv6.

The registry values for this rule are:

  • layerKey= FWPM_LAYER_INBOUND_TRANSPORT_V6_DISCARD
  • actionType=FWP_ACTION_CALLOUT_TERMINATING
  • actionCalloutKey=FWPM_CALLOUT_WFP_TRANSPORT_LAYER_V6_SILENT_DROP
  • weightValue=0x05
  • condition.fieldKey=FWPM_CONDITION_FLAGS
  • condition.matchType=FWP_MATCH_FLAGS_NONE_SET
  • condition.conditionValue.type=FWP_UINT32;
  • condition.conditionValue=FWP_CONDITION_FLAG_IS_LOOPBACK;

Example

The following example code obtains and prints the key field values of a Windows Filtering Platform (WFP) filter and the conditions defined by the filter. You can use the DumpFilter function from the example code in your application after you have tested a WFP filter and its conditions in the TCP stack. After you call the DumpFilter example function to obtain the filter’s key field values and its conditions, you can use the Windows Filtering Platform APIs to convert them to a format that can be stored in the registry as a Firewall Service rule.

This example code supports only simple filters and conditions and might not be compatible with filters that contain complex conditions.

Important

For readability, the following code example does not contain security checking or error handling. Do not use the following code in a production environment.

#include <windows.h>
#include <fwpmu.h>

#define CHR(x) if (FAILED(x)) { hr = x; goto Error; }
void DumpMemory(PBYTE pBuf, DWORD size)
{
    WCHAR buf[1024];

    buf[0] = L'\0';
    for (int i=0; i<size; ++i)
    {
        if ((i+1)%16==0)
        {
            wprintf(L"%s\n", buf);
            buf[0]= L'\0';
        }
     swprintf(buf, L"%s %x", buf, *(pBuf + i));
    }
    wprintf(L"%s\n", buf);
}

void DumpFilter(FWPM_FILTER0 *pFilter)
{
    HRESULT hr;
    LPOLESTR pStr;







    
    wprintf(L"Dump filter %s\n", pFilter->displayData.name);
    
    CHR(StringFromCLSID(pFilter->layerKey, &pStr));
    wprintf(L"\tlayerKey\t= %s\n", (LPCTSTR)pStr);
    CoTaskMemFree(pStr);
    
    wprintf(L"\tactionType\t= 0x%x\n", pFilter->action.type);
    
    CHR(StringFromCLSID(pFilter->action.calloutKey, &pStr));
    wprintf(L"\tactionCalloutKey\t= %s\n", (LPCTSTR)pStr);
    CoTaskMemFree(pStr);

    wprintf(L"\tweight\t= 0x%x\n", pFilter->weight.uint32);
    
    if (pFilter->numFilterConditions > 0)
    {
        for (int i=0; i<pFilter->numFilterConditions; ++i)
        {
            FWPM_FILTER_CONDITION0* pCondition = pFilter->filterCondition + i;
            wprintf(L"\tDump condition %d\n", i);
            
            CHR(StringFromCLSID(pCondition->fieldKey, &pStr));
            wprintf(L"\t\tfieldKey\t= %s\n", (LPCTSTR)pStr);
            CoTaskMemFree(pStr);

            wprintf(L"\t\tmatchType\t= 0x%x\n", pCondition->matchType);
            wprintf(L"\t\tconditionType\t= 0x%x\n", pCondition->conditionValue.type);
            switch (pCondition->conditionValue.type)
            {
                // None pointer types
                case FWP_UINT8:
                    {
                        wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.uint8);
                        break;
                    }
                case FWP_UINT16:
                    {
                        wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.uint16);
                        break;
                    }
                case FWP_UINT32:
                    {
                        wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.uint32);
                        break;
                    }
                case FWP_INT8:
                    {
                        wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.int8);
                        break;
                    }
                case FWP_INT16:
                    {
                        wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.int16);
                        break;
                    }
                case FWP_INT32:
                    { 
                        wprintf(L"\t\tconditionType.value\t= %d\n", pCondition->conditionValue.int32);
                        break;
                    }
                case FWP_FLOAT:
                    { 
                        // Not used.
                        break;
                    }
                    // Treat others as pointer type
                default:
                    {
                        DWORD size = sizeof(FWP_V4_ADDR_AND_MASK);
                        DumpMemory((PBYTE)pCondition->conditionValue.byteBlob, size);
                        break;
                        break;
                    }
            } 
        }
    }
Error:
    return;
}

See Also

Reference

Firewall Service Registry Settings

Other Resources

Firewall Service
Windows Filtering Platform