IP Firewall

The IP firewall is typically used on an Internet gateway device. It can also be used as a host firewall. The firewall protects the device on which it runs and protects devices on the private side of the gateway. The firewall blocks IP traffic at the IP and transport layers.

This firewall uses rules to determine whether to block, allow, or log inbound or outbound traffic. Inbound traffic originates from a host on the public side of the firewall. Outbound traffic originates from either a host on the private side or the device that is running the firewall. The firewall implements stateful traversal for inbound traffic that was initiated from the private network.

The following illustration shows the public and private side of the firewall.

The following list shows the default settings for the firewall rules when no overriding registry entries are set:

  • Block all inbound traffic, including IPSec traffic, except when the firewall is running with NAT and the inbound packet has been translated by a NAT port mapping.
  • Allow all outbound traffic.

You can change the default settings by configuring the firewall. The common.reg file contains a number of default rules that override the default firewall state. For more information about the default firewall rules, see Default IP Firewall Rules.

You can enable or disable the firewall, create a new rule, change a rule, or disable a rule by using functions or registry keys.

Note   Disabled rules do not affect packet filtering or logging.

The following table shows some of the functions that perform each task.

Rule task Programming element
Enable or disable the firewall FirewallEnable
Create a new firewall rule FirewallCreateRule
Delete a rule FirewallDeleteRule
Get information about rules FirewallGetRules

For a list of all of the firewall functions, see IP Firewall Reference.

Code samples of the IP firewall and firewall log are located in the %_WINCEROOT%\Public\Common\Sdk\Samples\Firewall directory.

When a host on the private side of the firewall tries to contact a host on the public side, the IP Firewall enables some types of ICMP protocol packets. This allows ICMP error messages to reach the private host in the event that an error occurs during delivery, if for example, a packet is dropped or the destination is unreachable. The IP Firewall sets a rule to enable this error message feedback. The following table shows the ICMP types that the firewall allows inbound.

ICMP version ICMP types allowed
ICMPv4
  • ICMP_DEST_UNREACH
  • ICMP_PARAM_PROBLEM
  • ICMP_TIME_EXCEED, only as result of outbound UDP and ICMPv4
  • ICMP_ECHO_REPLY, only as the result of an outbound ICMP_ECHO_REQUEST
  • ICMP_ROUTER_REPLY, only as the result of outbound ICMP_ROUTER_REQUEST
  • ICMP_TIMESTAMP_REPLY, only as the result of an outbound ICMP_TIMESTAMP_REQUEST
  • ICMP_MASK_REPLY, only as the result of outbound ICMP_MASK_REQUEST
ICMPv6
  • ICMPv6_DESTINATION_UNREACHABLE
  • ICMPv6_PARAMETER_PROBLEM
  • ICMPv6_PACKET_TOO_BIG
  • ICMPv6_TIME_EXCEEDED, only as the result of an outbound UDP and ICMPv6 request
  • ICMPv6_ECHO_REPLY, only as the result of outbound ICMPv6_ECHO_REQUEST

Although you can disable the ICMP messages, before doing so, you should consider the security implications: Debugging is more difficult, and you cannot detect that a packet delivery error has occurred. This may result in the inability to use tools, such as Ping and Tracert, or in the inability to reach some remote hosts.

If you want to disable ICMP, you can create a blocking rule that drops inbound ICMP packets of a specific type, or that drops all inbound ICMP packets.

For information about the firewall and security, see TCP/IP Security.

See Also

TCP/IP | IP Firewall Registry Settings | IP Firewall Reference | IP Firewall Logging Reference

 Last updated on Tuesday, May 18, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.