Restrict Outbound Traffic to Selected TCP Ports

The following table shows an example of how to create rules that permit outbound traffic only on ports 25 and 110. In this case, the rules permit Host2 only to send and receive e-mail; no other outbound traffic is allowed from Host2. In this example, the IP address of Host2 is 192.168.0.101.

dwFlags PrivateHost Protocol Port
FWF_ALLOW | FWF_OUTBOUND Host2 address IP_PROTOCOL_TCP 25
FWF_ALLOW | FWF_OUTBOUND Host2 address IP_PROTOCOL_TCP 110
FWF_BLOCK | FWF_OUTBOUND Host2 address    

Registry entries for the rules

The following registry example shows the registry entries for these rules.

; Registry form of the three rules above. dword values are hexadecimal
; (0x19 = 25, 0x6E = 110, 0x12 / 0x11 are the two dwFlags combinations).
; "Mask" names the rule fields that take part in matching: the two allow
; rules match on host + protocol + port, while the block rule masks only the
; private host, so it covers every outbound packet from 192.168.0.101 that
; the allow rules do not.
; NOTE(review): how the engine ranks an allow rule against an overlapping
; block rule is not stated on this page - confirm against the FW_RULE reference.
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowTCPOutboundPort25]
    "Mask"=dword:25         ; FWM_PRIVATE_HOST | FWM_PROTOCOL | FWM_PORT
    "Flags"=dword:12           ; FWF_ALLOW | FWF_OUTBOUND
    ; 02,00,00,00 = address family (AF_INET = 2) as a little-endian dword,
    ; followed by the four IPv4 address bytes C0.A8.00.65
    "PrivateHost"=hex:02,00,00,00,C0,A8,00,65         ; 192.168.0.101
    "Protocol"=dword:6     ; IP_PROTOCOL_TCP
    "Port"=dword:19         ; 25

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowTCPOutboundPort110]
    "Mask"=dword:25         ; FWM_PRIVATE_HOST | FWM_PROTOCOL | FWM_PORT
    "Flags"=dword:12           ; FWF_ALLOW | FWF_OUTBOUND
    "PrivateHost"=hex:02,00,00,00,C0,A8,00,65         ; 192.168.0.101 (same encoding as above)
    "Protocol"=dword:6         ; IP_PROTOCOL_TCP
    "Port"=dword:6E         ; 110

; Catch-all: no Protocol/Port values and a mask of FWM_PRIVATE_HOST only,
; so every outbound packet from Host2 not matched by an allow rule is blocked.
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\BlockOutboundFromHost2]
    "Mask"=dword:1         ; FWM_PRIVATE_HOST
    "Flags"=dword:11         ; FWF_BLOCK | FWF_OUTBOUND
    "PrivateHost"=hex:02,00,00,00,C0,A8,00,65         ; 192.168.0.101

Code example to create the rules

The following code example creates these rules.

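    // Restrict Host2 (192.168.0.101) to outbound TCP on ports 25 and 110:
    // two allow rules scoped to one port each, then a block rule whose mask
    // carries only FWM_PRIVATE_HOST, so it matches every other outbound packet
    // from Host2. All three rules share the same PrivateHost value, which is
    // parsed once and validated before any rule is created: on a failed parse
    // ssSaddr is undefined, and a block rule keyed to an undefined address
    // would leave Host2 unrestricted instead of restricted.
    // Rules are created in the order shown on this page; whether the engine
    // resolves overlapping allow/block rules by specificity or by creation
    // order is not shown here, so confirm against the FW_RULE reference
    // before reordering. Because "no other outbound traffic" includes name
    // resolution, the mail client presumably has to reach its servers by IP
    // address unless a DNS allow rule is added - confirm for your deployment.
    FW_RULE AllowTCPOutboundPort25 = {0};   // zero-init: no stale stack data in fields left unset
    FW_RULE AllowTCPOutboundPort110 = {0};
    FW_RULE BlockOutboundFromHost2 = {0};
    SOCKADDR_STORAGE ssSaddr;
    int saddrsize = sizeof(ssSaddr);
    int fOk;                                // 1 while every step so far succeeded

    // Client IP, parsed once for all three rules (0 == success).
    fOk = (WSAStringToAddress(_T("192.168.0.101"), AF_INET, NULL,
                              (PSOCKADDR)&ssSaddr, &saddrsize) == 0);

    if (fOk) {
        // The following fields must always be set.
        AllowTCPOutboundPort25.dwSize = sizeof(FW_RULE);
        AllowTCPOutboundPort25.dwFlags = FWF_ALLOW | FWF_OUTBOUND;
        AllowTCPOutboundPort25.dwMask = 0;  // mask is accumulated field by field below
        AllowTCPOutboundPort25.PrivateHost.Family = AF_INET;
        AllowTCPOutboundPort25.wszDescription = L"Allow outbound TCP traffic on port 25";

        // Client IP.
        AllowTCPOutboundPort25.dwMask |= FWM_PRIVATE_HOST;
        AllowTCPOutboundPort25.PrivateHost.AddressIPv4 = ((PSOCKADDR_IN)&ssSaddr)->sin_addr;

        // Protocol.
        AllowTCPOutboundPort25.dwMask |= FWM_PROTOCOL;
        AllowTCPOutboundPort25.Protocol = IP_PROTOCOL_TCP; // 6

        // Port (a single-port range: PortMin == PortMax).
        AllowTCPOutboundPort25.dwMask |= FWM_PORT;
        AllowTCPOutboundPort25.PortMin = 25;
        AllowTCPOutboundPort25.PortMax = 25;

        // Create a persistent rule; a zero return (ERROR_SUCCESS) means created.
        fOk = (FirewallCreateRule(&AllowTCPOutboundPort25, TRUE) == 0);
    }

    if (fOk) {
        // The following fields must always be set.
        AllowTCPOutboundPort110.dwSize = sizeof(FW_RULE);
        AllowTCPOutboundPort110.dwFlags = FWF_ALLOW | FWF_OUTBOUND;
        AllowTCPOutboundPort110.dwMask = 0; // mask is accumulated field by field below
        AllowTCPOutboundPort110.PrivateHost.Family = AF_INET;
        AllowTCPOutboundPort110.wszDescription = L"Allow outbound TCP traffic on port 110.";

        // Client IP (same parsed address as the port-25 rule).
        AllowTCPOutboundPort110.dwMask |= FWM_PRIVATE_HOST;
        AllowTCPOutboundPort110.PrivateHost.AddressIPv4 = ((PSOCKADDR_IN)&ssSaddr)->sin_addr; // 192.168.0.101

        // Protocol.
        AllowTCPOutboundPort110.dwMask |= FWM_PROTOCOL;
        AllowTCPOutboundPort110.Protocol = IP_PROTOCOL_TCP; // 6

        // Port (a single-port range: PortMin == PortMax).
        AllowTCPOutboundPort110.dwMask |= FWM_PORT;
        AllowTCPOutboundPort110.PortMin = 110;
        AllowTCPOutboundPort110.PortMax = 110;

        // Create a persistent rule; a zero return (ERROR_SUCCESS) means created.
        fOk = (FirewallCreateRule(&AllowTCPOutboundPort110, TRUE) == 0);
    }

    if (fOk) {
        // The following fields must always be set. Only the private host is
        // masked, so this rule is the catch-all for Host2's outbound traffic.
        BlockOutboundFromHost2.dwSize = sizeof(FW_RULE);
        BlockOutboundFromHost2.dwFlags = FWF_BLOCK | FWF_OUTBOUND;
        BlockOutboundFromHost2.dwMask = FWM_PRIVATE_HOST;
        BlockOutboundFromHost2.PrivateHost.Family = AF_INET;
        BlockOutboundFromHost2.wszDescription = L"Block Outbound Traffic From Host2";

        // Client IP.
        BlockOutboundFromHost2.PrivateHost.AddressIPv4 = ((PSOCKADDR_IN)&ssSaddr)->sin_addr; // 192.168.0.101

        // Create a persistent rule; a zero return (ERROR_SUCCESS) means created.
        fOk = (FirewallCreateRule(&BlockOutboundFromHost2, TRUE) == 0);
    }

    if (!fOk) {
        // A step failed and the later rules were skipped. Any rule already
        // created is an allow rule, so Host2 is now less restricted than
        // intended, not more: report the failure (WSAGetLastError() after the
        // address parse, the FirewallCreateRule return value otherwise) and
        // treat the policy as not applied.
    }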

See Also

General Firewall Rule Examples | Default IP Firewall Rules | FW_RULE

