Best Practices for the IP Firewall

This topic describes best practices for configuring and using the IP Firewall.

Ensure that the host stack supports firewall defense mechanisms.

The IP Firewall handles fragments in a manner that helps to prevent attacks on the private host stack. Do not add a rule that allows traffic to a host if the host's stack does not support these defense mechanisms. The IP Firewall provides the following defense mechanisms:

  • If no rule allows traffic to the packet destination, the firewall blocks fragments to that destination.
  • If a fragment contains a transport layer header, the firewall drops the fragment.

Create a rule that you can enable and disable as needed.

To create a rule that you can enable and disable as needed, use FirewallCreateRule to create the rule in a disabled state, by including the FWF_DISABLED flag in the rule, and save the rule in the registry. You can then enable the rule when it is needed, and later disable it again, by calling FirewallGetRules to retrieve the rule and then FirewallEnableRule.

Create a blocking rule if you want to disable ICMP.

The IP Firewall allows inbound ICMPv4 and ICMPv6 traffic, so that ICMP error messages can reach the private host if an error occurs during delivery. The IP Firewall sets a rule to enable this error message feedback.

You can disable ICMP messages, but consider the implications before doing so: debugging becomes more difficult, and the host can no longer detect that a packet delivery error has occurred. This may prevent tools such as Ping and Tracert from working, or make some remote hosts unreachable.

If you want to disable ICMP, you can create a blocking rule that drops inbound ICMP packets of a specific type, or that drops all inbound ICMP packets.

Allow IPSec inbound and outbound traffic on a gateway device.

By default, the firewall blocks IPSec traffic just like any other inbound traffic. You can configure the firewall to allow inbound IPSec traffic to specific private hosts or to all private hosts by creating ALLOW rules for the IP_PROTOCOL_AH (51) and IP_PROTOCOL_ESP (50) protocols, and an ALLOW rule for Internet Key Exchange (IKE) packets (UDP port 500).

Note   On a gateway device, you should allow IPSec inbound and outbound traffic, such as IKE, AH and ESP packets, by default.

For more information, see FW_RULE. For an example of how to set up rules on IPSec, see Firewall Rule Examples for the IPSec Protocol.
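The rule evaluation described in the ICMP and IPSec sections above (a blocking rule for one ICMP type, ALLOW rules for AH, ESP and IKE, and a rule kept disabled until it is needed), as an added illustrative model in C. It is not the Windows CE IP Firewall API: the rule layout, the rule table and the set_rule_enabled helper are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Illustrative model of rule evaluation (not the Windows CE IP Firewall API):
 * rules are checked in order and the first enabled match decides. */
enum { IP_PROTO_ICMP = 1, IP_PROTO_UDP = 17, IP_PROTO_ESP = 50, IP_PROTO_AH = 51 };
enum { ICMP_ANY = 0xFFFF, PORT_ANY = 0 }; /* wildcards; also used by non-ICMP/UDP rules */
enum { DENY = 0, ALLOW = 1 };
typedef struct {
    uint8_t proto;                /* IP protocol number */
    uint16_t icmp_type, dst_port; /* ICMP type / UDP destination port, or wildcard */
    int action, enabled;          /* enabled == 0 models a rule saved with FWF_DISABLED */
} rule_t;
/* Rule table following the page: drop ICMP echo requests (type 8) but keep the
 * other ICMP messages (error feedback); allow AH, ESP and IKE (UDP 500).
 * Rule 5 is created disabled so it can be switched on only when needed. */
static rule_t rules[] = {
    { IP_PROTO_ICMP, 8, PORT_ANY, DENY, 1 },
    { IP_PROTO_ICMP, ICMP_ANY, PORT_ANY, ALLOW, 1 },
    { IP_PROTO_AH, ICMP_ANY, PORT_ANY, ALLOW, 1 },
    { IP_PROTO_ESP, ICMP_ANY, PORT_ANY, ALLOW, 1 },
    { IP_PROTO_UDP, ICMP_ANY, 500, ALLOW, 1 },
    { IP_PROTO_UDP, ICMP_ANY, 53, ALLOW, 0 },
};
#define RULE_COUNT (sizeof rules / sizeof rules[0])
/* Models FirewallEnableRule: flips one rule in place; -1 if idx is out of range. */
int set_rule_enabled(size_t idx, int enabled)
{ if (idx >= RULE_COUNT) return -1; rules[idx].enabled = enabled; return 0; }
/* Verdict for one inbound IPv4 packet; unmatched or malformed packets are DENY. */
int inbound_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DENY;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return DENY;
    uint8_t proto = pkt[9];
    uint16_t icmp_type = ICMP_ANY, dst_port = PORT_ANY;
    if (proto == IP_PROTO_ICMP) { if (len < ihl + 1) return DENY; icmp_type = pkt[ihl]; }
    if (proto == IP_PROTO_UDP) {
        if (len < ihl + 4) return DENY;
        dst_port = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    for (size_t i = 0; i < RULE_COUNT; i++) {
        const rule_t *r = &rules[i];
        if (!r->enabled || r->proto != proto) continue;
        if (r->icmp_type != ICMP_ANY && r->icmp_type != icmp_type) continue;
        if (r->dst_port != PORT_ANY && r->dst_port != dst_port) continue;
        return r->action;
    }
    return DENY;
}
```

Because the disabled rule is skipped until set_rule_enabled turns it on, the table can hold a rule that is only switched on when needed, which is the pattern the page recommends.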

See Also

IP Firewall | IP Firewall Reference | Default IP Firewall Rules | Firewall Rule Examples

Last updated on Tuesday, May 18, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.