Default IP Firewall Rules

The file common.reg contains the default set of firewall rules that are required to provide security and interoperability. These rules are contained in the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules registry key. The following table shows the rules.

Security Note   Changing firewall rule settings may have security implications.

Name Description
SourcePrivate Default setting is the private subnet 192.168.0.1, mask 255.255.255.0.

This rule protects against a class of address faking, or spoofing, attacks. It blocks all inbound packets that have source address within the range of private subnet. If a different IP range is used for the private subnet, then you must change this address.

SourceBroadcast This rule protects against a class of address imitating attacks. It blocks all inbound packets that have the source address set to the broadcast address of 255.255.255.255.
SourceLoopback This rule protects against a class of address imitating attacks. It blocks all inbound packets that have a source address set to the loopback address of 127.0.0.1.
DHCPUnicastResponse This rule allows the DHCP server response, UDP port 68. This rule is required to allow dynamic address configuration via DHCP.
BlockOutboundICMP This rule stops potential attackers from fingerprinting a protected network by sending a packet to cause specific ICMP error responses. This rule blocks outbound ICMP messages.
AllowICMP_ECHO_REQUEST This rule enables ping to work from a protected network and host. It allows an outbound ICMP_ECHO_REQUEST message, thus overriding the BlockOutboundICMP rule for this ICMP type.
6to4 This rule allows inbound IPv6 packets tunneled in IPv4 packets. This rule allows tunnel IPv6 protocols, like 6to4, to pass IPv4 firewall so that they can be filtered by IPv6 firewall.
RouterAdvertisementLink Allow inbound ICMPv6_ROUTER_ADVERT message from a link local address. This rule is necessary for proper working of IPv6 stack.
NeighborSolicitLink This rule allows inbound ICMPv6_NEIGHBOR_SOLICIT message from a link local address. This rule is necessary for proper working of IPv6 stack.
NeighborSolicitSite This rule allows inbound ICMPv6_NEIGHBOR_SOLICIT message from a site local address. This rule is necessary for proper working of IPv6 stack.
NeighborAdvertLink This rule allows inbound ICMPv6_NEIGHBOR_ADVERT message from a link local address. This rule is necessary for proper working of IPv6 stack.
NeighborAdvertSite This rule allows inbound ICMPv6_NEIGHBOR_ADVERT message from a site local address. This rule is necessary for proper working of IPv6 stack
BlockOutboundICMPv6 This rule blocks outbound ICMPv6 messages. This rule stops potential attackers from fingerprinting a protected network by sending a packet that will cause certain ICMP error responses.
AllowICMPv6_ECHO_REQUEST This rule allows outbound ICMPv6_ECHO_REQUEST message and overrides BlockOutboundICMPv6 rule for this ICMPv6 type, and thus enables IPv6 ping to work from protected network/host.
AllowICMPv6_NEIGHBOR_SOLICIT This rule allows outbound ICMPv6_NEIGHBOR_SOLICIT message and overrides BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for proper working of IPv6 stack.
AllowICMPv6_ROUTER_SOLICIT This rule allows outbound ICMPv6_ROUTER_SOLICIT message and overrides BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for proper working of IPv6 stack.

See Also

IP Firewall | IP Firewall Registry Settings | IP Firewall Logging Registry Settings

 Last updated on Tuesday, May 18, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.