Share via


Default IP Firewall Rules (Windows Embedded CE 6.0)

1/6/2010

The file common.reg contains the default set of firewall rules that are required to provide security and interoperability. These rules are contained in the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules registry key. The following table shows the rules.

Ee494291.security(en-US,WinEmbedded.60).gifSecurity Note:
Changing firewall rule settings may have security implications.
Name Description

SourcePrivate

Default setting is the private subnet 192.168.0.1, mask 255.255.255.0.

This rule helps protect against a class of address faking, or spoofing, attacks. It blocks all inbound packets that have source address within the range of private subnet. If a different IP range is used for the private subnet, then you must change this address.

SourceBroadcast

This rule helps protect against a class of address imitating attacks. It blocks all inbound packets that have the source address set to the broadcast address of 255.255.255.255.

SourceLoopback

This rule help protect against a class of address imitating attacks. It blocks all inbound packets that have a source address set to the loopback address of 127.0.0.1.

DHCPUnicastResponse

This rule allows the DHCP server response, UDP port 68. This rule is required to allow dynamic address configuration via DHCP.

BlockOutboundICMP

This rule helps stop potential attackers from fingerprinting a protected network by sending a packet to cause specific ICMP error responses. This rule blocks outbound ICMP messages.

AllowICMP_ECHO_REQUEST

This rule enables ping to work from a protected network and host. It allows an outbound ICMP_ECHO_REQUEST message, thus overriding the BlockOutboundICMP rule for this ICMP type.

6to4

This rule allows inbound IPv6 packets tunneled in IPv4 packets. This rule allows tunnel IPv6 protocols, like 6to4, to pass IPv4 firewall so that they can be filtered by IPv6 firewall.

RouterAdvertisementLink

Allow inbound ICMPv6_ROUTER_ADVERT messages from a link local address. This rule is necessary for proper working of IPv6 stack.

NeighborSolicitLink

This rule allows inbound ICMPv6_NEIGHBOR_SOLICIT messages from a link local address. This rule is necessary for proper working of IPv6 stack.

NeighborSolicitSite

This rule is no longer used. It allowed inbound ICMPv6_NEIGHBOR_SOLICIT message from a site local address.

NeighborAdvertLink

This rule allows inbound ICMPv6_NEIGHBOR_ADVERT messages from a link local address. This rule is necessary for proper working of IPv6 stack.

NeighborAdvertSite

This rule is no longer used. It allowed inbound ICMPv6_NEIGHBOR_ADVERT messages from a site local address.

BlockOutboundICMPv6

This rule blocks outbound ICMPv6 messages. This rule stops potential attackers from fingerprinting a protected network by sending a packet that will cause certain ICMP error responses.

AllowICMPv6_ECHO_REQUEST

This rule allows outbound ICMPv6_ECHO_REQUEST message and overrides BlockOutboundICMPv6 rule for this ICMPv6 type, and thus enables IPv6 ping to work from protected network/host.

AllowICMPv6_NEIGHBOR_SOLICIT

This rule allows outbound ICMPv6_NEIGHBOR_SOLICIT messages and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for proper working of IPv6 stack.

AllowICMPv6_ROUTER_SOLICIT

This rule allows outbound ICMPv6_ROUTER_SOLICIT messages and overrides the BlockOutboundICMPv6 rule for this ICMPv6 type. This rule is necessary for proper working of IPv6 stack.

When the Allow and Block rules are applied in conjunction, traffic flow is controlled as follows:

  • By default, Firewall blocks all inbound packets and allows all outbound packets.
  • For incoming traffic, all Block rules override the Allow rules. For outgoing traffic, all Allow rules override the Block rules.

Default behavior is applied to traffic that is not covered by the rules. When conflicting rules are applied, one of the rules overrides the other depending on whether it is incoming or outgoing traffic. Only the packets that match the overriding rule are filtered according to the rule. If the traffic does not match the overridden rule, it is processed according to the default behavior.

See Also

Concepts

IP Firewall Application Development
IP Firewall OS Design Development
IP Firewall Security
IP Firewall Registry Settings
IP Firewall Logging Registry Settings