2.2.35 FW_RULE_FLAGS

This enumeration represents flags that can be specified in the firewall rules described in section 2.2.37.

 typedef enum _tag_FW_RULE_FLAGS
 {
   FW_RULE_FLAGS_NONE = 0x0000,
   FW_RULE_FLAGS_ACTIVE = 0x0001,
   FW_RULE_FLAGS_AUTHENTICATE = 0x0002,
   FW_RULE_FLAGS_AUTHENTICATE_WITH_ENCRYPTION = 0x0004,
   FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE = 0x0008,
   FW_RULE_FLAGS_LOOSE_SOURCE_MAPPED = 0x0010,
   FW_RULE_FLAGS_MAX_V2_1 = 0x0020,
   FW_RULE_FLAGS_AUTH_WITH_NO_ENCAPSULATION = 0x0020,
   FW_RULE_FLAGS_MAX_V2_9 = 0x0040,
   FW_RULE_FLAGS_AUTH_WITH_ENC_NEGOTIATE = 0x0040,
   FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_APP = 0x0080,
   FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_USER = 0x0100,
   FW_RULE_FLAGS_AUTHENTICATE_BYPASS_OUTBOUND = 0x0200,
   FW_RULE_FLAGS_MAX_V2_10 = 0x0400,
   FW_RULE_FLAGS_ALLOW_PROFILE_CROSSING = 0x0400,
   FW_RULE_FLAGS_LOCAL_ONLY_MAPPED = 0x0800,
   FW_RULE_FLAGS_MAX_V2_20 = 0x1000,
   FW_RULE_FLAGS_LUA_CONDITIONAL_ACE = 0x1000,
   FW_RULE_FLAGS_BIND_TO_INTERFACE = 0x2000,
   FW_RULE_FLAGS_MAX = 0x4000,
 } FW_RULE_FLAGS;

FW_RULE_FLAGS_NONE:  This value means that none of the following flags are set. It is defined for simplicity in writing IDL definitions and code.

FW_RULE_FLAGS_ACTIVE:  The rule is enabled if this flag is set; otherwise, it is disabled.

FW_RULE_FLAGS_AUTHENTICATE:  This flag MUST be set only on rules that have an allow action. If set, traffic that matches the rule is allowed only if it has been authenticated by IPsec; otherwise, the traffic is blocked.

FW_RULE_FLAGS_AUTHENTICATE_WITH_ENCRYPTION:  This flag is similar to the FW_RULE_FLAGS_AUTHENTICATE flag; however, traffic MUST also be encrypted.

FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE:  This flag MUST be set only on inbound rules. This flag allows the matching traffic to traverse a NAT edge device and be allowed into the host computer.

FW_RULE_FLAGS_LOOSE_SOURCE_MAPPED:  This flag allows responses from a remote IP address that is different from the one to which the outbound matched traffic originally went.

FW_RULE_FLAGS_AUTH_WITH_NO_ENCAPSULATION:  This flag MUST be set only on rules that have the FW_RULE_FLAGS_AUTHENTICATE flag set. If set, traffic that matches the rule is allowed if IKE or AuthIP authentication was successful; however, this flag does not necessarily require that traffic be protected by IPsec encapsulations. For schema versions 0x0200 and 0x0201, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_AUTH_WITH_ENC_NEGOTIATE:  This flag MUST be set only on inbound rules that have the FW_RULE_FLAGS_AUTHENTICATE_WITH_ENCRYPTION flag set. If set and if the first packet that arrives is unencrypted but authenticated by IPsec, the packet is allowed, and an IKE or AuthIP negotiation is started to negotiate encryption settings and encrypt subsequent packets. [MS-AIPS] section 3.2.4 specifies negotiation initiation behavior for hosts that support both IKE and AuthIP negotiation. If the negotiation fails, the connection is dropped. For schema versions 0x0200 and 0x0201, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_APP:  This flag MUST be set only on inbound rules. This flag allows the matching traffic to traverse a NAT edge device and be allowed into the host computer, if and only if a matching PortInUse object is found in the PortsInUse collection with NATTraversalRequested set to true (see section 3.1.1). For schema versions 0x0200 and 0x0201, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_USER:  This flag MUST be set only on inbound rules. Whenever an application tries to listen for traffic that matches this rule, the operating system asks the administrator of the host whether it should allow this traffic to traverse the NAT. For schema versions 0x0200 and 0x0201, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_AUTHENTICATE_BYPASS_OUTBOUND:  This flag MUST be set only on outbound rules that have an allow action with either the FW_RULE_FLAGS_AUTHENTICATE or the FW_RULE_FLAGS_AUTHENTICATE_WITH_ENCRYPTION flag set. If set, this rule is evaluated before block rules, making it the outbound equivalent of a rule with the FW_RULE_ACTION_ALLOW_BYPASS action. For schema versions 0x0200 and 0x0201, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_ALLOW_PROFILE_CROSSING:  This flag allows responses from a network with a different profile type than the network to which the outbound traffic was originally sent. This flag MUST be ignored on rules with an action of FW_RULE_ACTION_BLOCK. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_LOCAL_ONLY_MAPPED:  If this flag is set on a rule, the remote address and remote port conditions are ignored when determining whether a network traffic flow matches the rule. This flag MUST be ignored on rules with an action of FW_RULE_ACTION_BLOCK. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_MAX:  This value and values that exceed this value are not valid and MUST NOT be used. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 0x4000.

FW_RULE_FLAGS_MAX_V2_1:  This value and values that exceed this value are not valid and MUST NOT be used by servers and clients with schema version 0x0201 and earlier. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 0x0020.

FW_RULE_FLAGS_MAX_V2_9:  This value and values that exceed this value are not valid and MUST NOT be used by servers and clients with schema version 0x0209 and earlier. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 0x0040.

FW_RULE_FLAGS_MAX_V2_10:  This value and values that exceed this value are not valid and MUST NOT be used by servers and clients with schema version 0x020A and earlier. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 0x0400.

FW_RULE_FLAGS_MAX_V2_20:  This value and values that exceed this value are not valid and MUST NOT be used by servers and clients with schema version 0x0214 and earlier. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 0x1000.

FW_RULE_FLAGS_LUA_CONDITIONAL_ACE:  This flag MUST be set if and only if the wszLocalUserAuthorizationList field of the FW_RULE2_24 structure (section 2.2.104) is to include conditional ACEs. For schema versions 0x0200, 0x0201, 0x020A, 0x0214, and 0x0216, this value is invalid and MUST NOT be used.

FW_RULE_FLAGS_BIND_TO_INTERFACE:  This flag is not used.
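An added example, not part of the specification: a C checker that applies the MUST constraints and the per-schema-version FW_RULE_FLAGS_MAX_V2_x bounds listed above to a flags value, and masks off the two flags that MUST be ignored on FW_RULE_ACTION_BLOCK rules. The inbound, allow and block parameters are assumed inputs standing in for the rule's direction and action fields, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Flag values copied from the FW_RULE_FLAGS enumeration in this section. */
enum {
    FW_RULE_FLAGS_AUTHENTICATE                        = 0x0002,
    FW_RULE_FLAGS_AUTHENTICATE_WITH_ENCRYPTION        = 0x0004,
    FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE            = 0x0008,
    FW_RULE_FLAGS_AUTH_WITH_NO_ENCAPSULATION          = 0x0020,
    FW_RULE_FLAGS_AUTH_WITH_ENC_NEGOTIATE             = 0x0040,
    FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_APP  = 0x0080,
    FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_USER = 0x0100,
    FW_RULE_FLAGS_AUTHENTICATE_BYPASS_OUTBOUND        = 0x0200,
    FW_RULE_FLAGS_ALLOW_PROFILE_CROSSING              = 0x0400,
    FW_RULE_FLAGS_LOCAL_ONLY_MAPPED                   = 0x0800,
    FW_RULE_FLAGS_LUA_CONDITIONAL_ACE                 = 0x1000,
};

/* First invalid flags value for a schema version: MAX_V2_1, MAX_V2_9, MAX_V2_10, MAX_V2_20, then MAX. */
static uint32_t fw_rule_flags_bound(uint16_t schema)
{
    return schema <= 0x0201 ? 0x0020 : schema <= 0x0209 ? 0x0040 :
           schema <= 0x020A ? 0x0400 : schema <= 0x0214 ? 0x1000 : 0x4000;
}

/* True when 'flags' satisfies every MUST in this section. 'inbound' and 'allow' are
 * assumed inputs (hypothetical) describing the rule's direction and action. */
bool fw_rule_flags_valid(uint32_t flags, uint16_t schema, bool inbound, bool allow)
{
    uint32_t nat = FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE | FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_APP
                 | FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_DEFER_USER;   /* inbound-only flags */
    uint32_t auth = FW_RULE_FLAGS_AUTHENTICATE | FW_RULE_FLAGS_AUTHENTICATE_WITH_ENCRYPTION;
    if (flags >= fw_rule_flags_bound(schema)) return false;              /* too new for this peer */
    if (schema == 0x0216 && (flags & FW_RULE_FLAGS_LUA_CONDITIONAL_ACE)) return false;
    if ((flags & FW_RULE_FLAGS_AUTHENTICATE) && !allow) return false;    /* allow rules only */
    if ((flags & nat) && !inbound) return false;
    if ((flags & FW_RULE_FLAGS_AUTH_WITH_NO_ENCAPSULATION) &&
        !(flags & FW_RULE_FLAGS_AUTHENTICATE)) return false;
    if ((flags & FW_RULE_FLAGS_AUTH_WITH_ENC_NEGOTIATE) &&
        (!inbound || !(flags & FW_RULE_FLAGS_AUTHENTICATE_WITH_ENCRYPTION))) return false;
    if ((flags & FW_RULE_FLAGS_AUTHENTICATE_BYPASS_OUTBOUND) &&
        (inbound || !allow || !(flags & auth))) return false;
    return true;
}

/* ALLOW_PROFILE_CROSSING and LOCAL_ONLY_MAPPED MUST be ignored on FW_RULE_ACTION_BLOCK rules. */
uint32_t fw_rule_flags_effective(uint32_t flags, bool block)
{
    return block ? (flags & ~(uint32_t)(FW_RULE_FLAGS_ALLOW_PROFILE_CROSSING | FW_RULE_FLAGS_LOCAL_ONLY_MAPPED)) : flags;
}
```

Note that the version bounds are numeric comparisons on the whole bitmask, which is how the page phrases "this value and values that exceed this value".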