Default IP Firewall Rules (Windows CE 5.0)

The file common.reg contains the default set of firewall rules that are required to provide security and interoperability. These rules are contained in the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules registry key. The following table shows the rules.

Security Note: Changing firewall rule settings may have security implications.

| Name | Description |
| --- | --- |
| SourcePrivate | Default setting is the private subnet 192.168.0.1, mask 255.255.255.0. This rule helps protect against a class of address faking, or spoofing, attacks. It blocks all inbound packets that have a source address within the range of the private subnet. If a different IP range is used for the private subnet, then you must change this address. |
| SourceBroadcast | This rule helps protect against a class of address imitating attacks. It blocks all inbound packets that have the source address set to the broadcast address of 255.255.255.255. |
| SourceLoopback | This rule helps protect against a class of address imitating attacks. It blocks all inbound packets that have a source address set to the loopback address of 127.0.0.1. |
| DHCPUnicastResponse | This rule allows the DHCP server response, UDP port 68. This rule is required to allow dynamic address configuration via DHCP. |
| BlockOutboundICMP | This rule blocks outbound ICMP messages. It helps stop potential attackers from fingerprinting a protected network by sending a packet to cause specific ICMP error responses. |
| AllowICMP_ECHO_REQUEST | This rule enables ping to work from a protected network and host. It allows an outbound ICMP_ECHO_REQUEST message, thus overriding the BlockOutboundICMP rule for this ICMP type. |
| 6to4 | This rule allows inbound IPv6 packets tunneled in IPv4 packets. It lets IPv6 tunneling protocols, such as 6to4, pass the IPv4 firewall so that they can be filtered by the IPv6 firewall. |
| RouterAdvertisementLink | This rule allows inbound ICMPv6_ROUTER_ADVERT messages from a link local address. This rule is necessary for the IPv6 stack to work properly. |
| NeighborSolicitLink | This rule allows inbound ICMPv6_NEIGHBOR_SOLICIT messages from a link local address. This rule is necessary for the IPv6 stack to work properly. |
| NeighborSolicitSite | This rule is no longer used. It allowed inbound ICMPv6_NEIGHBOR_SOLICIT messages from a site local address. |
| NeighborAdvertLink | This rule allows inbound ICMPv6_NEIGHBOR_ADVERT messages from a link local address. This rule is necessary for the IPv6 stack to work properly. |
| NeighborAdvertSite | This rule is no longer used. It allowed inbound ICMPv6_NEIGHBOR_ADVERT messages from a site local address. |
| BlockOutboundICMPv6 | This rule blocks outbound ICMPv6 messages. This rule stops potential attackers from fingerprinting a protected network by sending a packet that will cause certain ICMP error responses. |
| AllowICMPv6_ECHO_REQUEST | This rule allows outbound ICMPv6_ECHO_REQUEST messages and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type, and thus enables IPv6 ping to work from a protected network or host. |
| AllowICMPv6_NEIGHBOR_SOLICIT | This rule allows outbound ICMPv6_NEIGHBOR_SOLICIT messages and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for the IPv6 stack to work properly. |
| AllowICMPv6_ROUTER_SOLICIT | This rule allows outbound ICMPv6_ROUTER_SOLICIT messages and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for the IPv6 stack to work properly. |

When the Allow and Block rules are applied in conjunction, traffic flow is controlled as follows:

  • By default, Firewall blocks all inbound packets and allows all outbound packets.
  • For incoming traffic, all Block rules override the Allow rules. For outgoing traffic, all Allow rules override the Block rules.

Default behavior is applied to traffic that is not covered by the rules. When conflicting rules are applied, one of the rules overrides the other depending on whether it is incoming or outgoing traffic. Only the packets that match the overriding rule are filtered according to the rule. If the traffic does not match the overridden rule, it is processed according to the default behavior.
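
The precedence described above, modelled over six of the default IPv4 rules. This is an added example, not Microsoft code: the Packet and Rule classes, the decide function and the match predicates are assumptions made for illustration and do not reflect the registry value format or the firewall's internal data structures.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Packet:            # simplified packet model (assumption)
    direction: str       # "in" or "out"
    proto: str           # "icmp", "udp" or "tcp"
    src: str
    dst_port: int = 0
    icmp_type: int = -1

@dataclass(frozen=True)
class Rule:              # illustrative rule model (assumption)
    name: str
    action: str          # "allow" or "block"
    direction: str
    match: Callable[[Packet], bool]

ICMP_ECHO_REQUEST = 8    # ICMPv4 type number from RFC 792
# SourcePrivate default from the table: 192.168.0.1, mask 255.255.255.0
PRIVATE = ipaddress.ip_network("192.168.0.1/255.255.255.0", strict=False)

DEFAULT_RULES = [
    Rule("SourcePrivate", "block", "in",
         lambda p: ipaddress.ip_address(p.src) in PRIVATE),
    Rule("SourceBroadcast", "block", "in", lambda p: p.src == "255.255.255.255"),
    Rule("SourceLoopback", "block", "in", lambda p: p.src == "127.0.0.1"),
    Rule("DHCPUnicastResponse", "allow", "in",
         lambda p: p.proto == "udp" and p.dst_port == 68),
    Rule("BlockOutboundICMP", "block", "out", lambda p: p.proto == "icmp"),
    Rule("AllowICMP_ECHO_REQUEST", "allow", "out",
         lambda p: p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST),
]

def decide(pkt, rules=DEFAULT_RULES):
    """Return (verdict, deciding rule name or "default")."""
    hits = [r for r in rules if r.direction == pkt.direction and r.match(pkt)]
    if not hits:
        # No rule matches: inbound is blocked, outbound is allowed.
        return ("block" if pkt.direction == "in" else "allow"), "default"
    # Conflict resolution: Block wins inbound, Allow wins outbound.
    winner = "block" if pkt.direction == "in" else "allow"
    for r in hits:
        if r.action == winner:
            return winner, r.name
    return hits[0].action, hits[0].name
```

Running constructed packets through decide shows, for example, that a UDP port 68 packet with a source of 127.0.0.1 is dropped by SourceLoopback even though DHCPUnicastResponse also matches it.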

See Also

IP Firewall OS Design Development | IP Firewall Security | IP Firewall Registry Settings | IP Firewall Logging Registry Settings

© 2006 Microsoft Corporation. All rights reserved.