Understanding Firewall Rules
Updated: January 20, 2009
Applies To: Windows 7, Windows Server 2008 R2
You create firewall rules to allow this computer to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria:
Allow the connection.
Allow a connection only if it is secured through the use of Internet Protocol security (IPsec).
Block the connection.
Rules can be created for either inbound traffic or outbound traffic. The rule can be configured to specify the computers or users, program, service, or port and protocol. You can specify which type of network adapter the rule will be applied to: local area network (LAN), wireless, remote access, such as a virtual private network (VPN) connection, or all types. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used.
As your IT environment changes, you might have to change, create, disable, or delete rules.
In this topic:
Firewall rule priority
What is an inbound rule?
What is an outbound rule?
Firewall rule priority
Because you can make firewall rules that have apparent conflicts, it is important to understand the order in which the rules are processed:
Authenticated bypass. These are rules in which the Override block rules option is selected. These rules allow matching network traffic that would otherwise be blocked. The network traffic must be authenticated by using a separate connection security rule. You can use these rules to permit access to the computer to authorized network administrators and authorized network troubleshooting devices. For more information, see Dialog Box: Customize Allow If Secure Settings
Block connection. These rules block all matching inbound network traffic.
Allow connection. These rules allow matching inbound network traffic. Because the default behavior is to block unsolicited inbound network traffic, you must create an allow rule to support any network program or service that must be able to accept inbound connections.
Default profile behavior. The default behavior is to block unsolicited inbound network traffic, but to allow all outbound network traffic. You can change the default behavior on the Domain Profile, Private Profile, and Public Profile tabs of the Windows Firewall with Advanced Security Properties dialog box.
As soon as a network packet matches a rule, that rule is applied, and processing stops. For example, an arriving network packet is first compared to the authenticated bypass rules. If it matches one, that rule is applied and processing stops. The packet is not compared to the block, allow, or default profile rules. If the packet does not match an authenticated bypass rule, then it is compared to the block rules. If it matches one, the packet is blocked, and processing stops, and so on.
What is an inbound rule?
Inbound rules explicitly allow, or explicitly block, inbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly allow traffic secured by IPsec for Remote Desktop through the firewall, but block the same traffic if it is not secured by IPsec. When Windows is first installed, all unsolicited inbound traffic is blocked. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For example, if you want to run a Web server, then you must create a rule that allows unsolicited inbound network traffic on TCP port 80.
You can also configure the default action that Windows Firewall with Advanced Security takes, whether connections are allowed or blocked, when no inbound rule applies.
What is an outbound rule?
Outbound rules explicitly allow, or explicitly block, network traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers. Because outbound traffic is allowed by default, you typically use outbound rules to block network traffic that you do not want.
You can also configure the default action that Windows Firewall with Advanced Security takes, whether outbound connections are allowed or blocked, when no outbound rule applies.