Default IP Firewall Rules (Windows Embedded CE 6.0)
1/6/2010
The file common.reg contains the default set of firewall rules that are required to provide security and interoperability. These rules are contained in the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules registry key. The following table shows the rules.
Security Note: Changing firewall rule settings may have security implications.
Name | Description |
---|---|
SourcePrivate | The default setting is the private subnet 192.168.0.1, mask 255.255.255.0 (that is, 192.168.0.0/24). This rule helps protect against a class of address-spoofing attacks: it blocks all inbound packets whose source address falls within the private subnet range. If the private subnet uses a different IP range, you must change this address to match. |
SourceBroadcast | This rule helps protect against a class of address-spoofing attacks. It blocks all inbound packets whose source address is the limited broadcast address 255.255.255.255. |
SourceLoopback | This rule helps protect against a class of address-spoofing attacks. It blocks all inbound packets whose source address is the loopback address 127.0.0.1. |
DHCPUnicastResponse | This rule allows inbound DHCP server responses (UDP destination port 68). It is required for dynamic address configuration through DHCP. |
BlockOutboundICMP | This rule blocks outbound ICMP messages. It helps stop potential attackers from fingerprinting a protected network or host by sending packets crafted to elicit specific ICMP error responses. |
AllowICMP_ECHO_REQUEST | This rule allows outbound ICMP_ECHO_REQUEST messages, overriding the BlockOutboundICMP rule for this ICMP type, so that ping works from the protected network or host. |
6to4 | This rule allows inbound IPv6 packets tunneled in IPv4 packets (IP protocol 41). It lets tunneled IPv6 protocols such as 6to4 pass the IPv4 firewall so that they can be filtered by the IPv6 firewall instead. |
RouterAdvertisementLink | This rule allows inbound ICMPv6_ROUTER_ADVERT messages from a link-local address. It is necessary for the IPv6 stack to work properly. |
NeighborSolicitLink | This rule allows inbound ICMPv6_NEIGHBOR_SOLICIT messages from a link-local address. It is necessary for the IPv6 stack to work properly. |
NeighborSolicitSite | This rule is no longer used. It allowed inbound ICMPv6_NEIGHBOR_SOLICIT messages from a site-local address. |
NeighborAdvertLink | This rule allows inbound ICMPv6_NEIGHBOR_ADVERT messages from a link-local address. It is necessary for the IPv6 stack to work properly. |
NeighborAdvertSite | This rule is no longer used. It allowed inbound ICMPv6_NEIGHBOR_ADVERT messages from a site-local address. |
BlockOutboundICMPv6 | This rule blocks outbound ICMPv6 messages. It helps stop potential attackers from fingerprinting a protected network or host by sending packets crafted to elicit specific ICMPv6 error responses. |
AllowICMPv6_ECHO_REQUEST | This rule allows outbound ICMPv6_ECHO_REQUEST messages, overriding the BlockOutboundICMPv6 rule for this ICMPv6 type, so that IPv6 ping works from the protected network or host. |
AllowICMPv6_NEIGHBOR_SOLICIT | This rule allows outbound ICMPv6_NEIGHBOR_SOLICIT messages, overriding the BlockOutboundICMPv6 rule for this ICMPv6 type. It is necessary for the IPv6 stack to work properly. |
AllowICMPv6_ROUTER_SOLICIT | This rule allows outbound ICMPv6_ROUTER_SOLICIT messages, overriding the BlockOutboundICMPv6 rule for this ICMPv6 type. It is necessary for the IPv6 stack to work properly. |
When Allow and Block rules are applied together, traffic flow is controlled as follows:
- By default, the firewall blocks all inbound packets and allows all outbound packets.
- For inbound traffic, Block rules override Allow rules. For outbound traffic, Allow rules override Block rules.
The default behavior applies to any traffic that no rule covers. When a packet matches conflicting rules, the rule that wins depends on the direction of the traffic: an inbound packet that matches both a Block rule and an Allow rule is blocked, and an outbound packet that matches both is allowed (this is how AllowICMP_ECHO_REQUEST overrides BlockOutboundICMP for echo requests only). A packet that matches only one rule is handled by that rule. A packet that matches no rule at all is processed according to the default behavior for its direction.
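The precedence rules above are easy to state and easy to get wrong when reasoning about a new rule, so the following is a small executable model of them. This is an added example, not code from the original page or from Windows Embedded CE: the Packet and Rule types, the match predicates, the protocol label "proto41" for IPv6-in-IPv4 and the sample packets are all constructed here; the model does not read common.reg or the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules key, it only encodes the default rule table and the direction-dependent override order described in the text.

```python
"""Model of how the Windows Embedded CE 6.0 IP Firewall combines Allow and
Block rules (added example; not code from the page or from Windows CE).
The rule set below restates the default table as predicates; the packets
used for illustration are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# ICMP / ICMPv6 type numbers from RFC 792 and RFC 4443.
ICMP_ECHO_REQUEST = 8
ICMPV6_ECHO_REQUEST = 128
ICMPV6_ROUTER_SOLICIT = 133
ICMPV6_ROUTER_ADVERT = 134
ICMPV6_NEIGHBOR_SOLICIT = 135
ICMPV6_NEIGHBOR_ADVERT = 136


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    src: str              # source IP address (IPv4 or IPv6 text form)
    proto: str            # "tcp", "udp", "icmp", "icmpv6" or "proto41" (IPv6-in-IPv4)
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = -1   # ICMP/ICMPv6 type, -1 when not ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # direction the rule applies to
    action: str           # "allow" or "block"
    match: Callable[[Packet], bool]


def src_in(cidr: str) -> Callable[[Packet], bool]:
    """Predicate: source address lies inside cidr (a mismatched IP version never matches)."""
    net = ip_network(cidr)
    return lambda p: ip_address(p.src) in net


def icmp(proto: str, icmp_type: int) -> Callable[[Packet], bool]:
    """Predicate: packet is the given ICMP family and type."""
    return lambda p: p.proto == proto and p.icmp_type == icmp_type


def both(a: Callable[[Packet], bool], b: Callable[[Packet], bool]) -> Callable[[Packet], bool]:
    return lambda p: a(p) and b(p)


LINK_LOCAL = src_in("fe80::/10")

# The default rule table. 192.168.0.0/24 is the documented default private
# subnet (address 192.168.0.1, mask 255.255.255.0). Site-local rules are omitted
# because the page marks them as no longer used.
DEFAULT_RULES: List[Rule] = [
    Rule("SourcePrivate", "in", "block", src_in("192.168.0.0/24")),
    Rule("SourceBroadcast", "in", "block", lambda p: p.src == "255.255.255.255"),
    Rule("SourceLoopback", "in", "block", lambda p: p.src == "127.0.0.1"),
    Rule("DHCPUnicastResponse", "in", "allow", lambda p: p.proto == "udp" and p.dport == 68),
    Rule("BlockOutboundICMP", "out", "block", lambda p: p.proto == "icmp"),
    Rule("AllowICMP_ECHO_REQUEST", "out", "allow", icmp("icmp", ICMP_ECHO_REQUEST)),
    Rule("6to4", "in", "allow", lambda p: p.proto == "proto41"),
    Rule("RouterAdvertisementLink", "in", "allow", both(icmp("icmpv6", ICMPV6_ROUTER_ADVERT), LINK_LOCAL)),
    Rule("NeighborSolicitLink", "in", "allow", both(icmp("icmpv6", ICMPV6_NEIGHBOR_SOLICIT), LINK_LOCAL)),
    Rule("NeighborAdvertLink", "in", "allow", both(icmp("icmpv6", ICMPV6_NEIGHBOR_ADVERT), LINK_LOCAL)),
    Rule("BlockOutboundICMPv6", "out", "block", lambda p: p.proto == "icmpv6"),
    Rule("AllowICMPv6_ECHO_REQUEST", "out", "allow", icmp("icmpv6", ICMPV6_ECHO_REQUEST)),
    Rule("AllowICMPv6_NEIGHBOR_SOLICIT", "out", "allow", icmp("icmpv6", ICMPV6_NEIGHBOR_SOLICIT)),
    Rule("AllowICMPv6_ROUTER_SOLICIT", "out", "allow", icmp("icmpv6", ICMPV6_ROUTER_SOLICIT)),
]


def evaluate(packet: Packet, rules: List[Rule] = DEFAULT_RULES) -> Tuple[str, str]:
    """Return (verdict, deciding rule name) using the documented precedence:
    inbound: Block overrides Allow, default block;
    outbound: Allow overrides Block, default allow."""
    matched = [r for r in rules if r.direction == packet.direction and r.match(packet)]
    overriding = "block" if packet.direction == "in" else "allow"
    for r in matched:
        if r.action == overriding:
            return r.action, r.name           # the overriding action wins any conflict
    if matched:
        return matched[0].action, matched[0].name   # only overridden-type rules matched
    return overriding, "default"              # no rule matched: default for this direction


def sample_verdicts() -> Dict[str, Tuple[str, str]]:
    """Constructed packets exercising each precedence case."""
    return {
        "loopback spoof in":        evaluate(Packet("in", "127.0.0.1", "tcp", dport=80)),
        "dhcp reply in":            evaluate(Packet("in", "10.1.2.3", "udp", dport=68)),
        "dhcp reply from private":  evaluate(Packet("in", "192.168.0.9", "udp", dport=68)),
        "ssh in, no rule":          evaluate(Packet("in", "10.1.2.3", "tcp", dport=22)),
        "ping out":                 evaluate(Packet("out", "192.168.0.2", "icmp", icmp_type=ICMP_ECHO_REQUEST)),
        "icmp unreachable out":     evaluate(Packet("out", "192.168.0.2", "icmp", icmp_type=3)),
        "ra from link-local in":    evaluate(Packet("in", "fe80::1", "icmpv6", icmp_type=ICMPV6_ROUTER_ADVERT)),
        "ra from global in":        evaluate(Packet("in", "2001:db8::1", "icmpv6", icmp_type=ICMPV6_ROUTER_ADVERT)),
        "rs out":                   evaluate(Packet("out", "fe80::2", "icmpv6", icmp_type=ICMPV6_ROUTER_SOLICIT)),
    }


if __name__ == "__main__":
    for label, (verdict, rule) in sample_verdicts().items():
        print(f"{label:26s} -> {verdict:5s} ({rule})")
```

The "dhcp reply from private" case is the one worth noticing: an inbound UDP/68 packet with a 192.168.0.0/24 source matches both DHCPUnicastResponse (allow) and SourcePrivate (block), and because inbound Block rules override Allow rules it is dropped. That is the intended anti-spoofing behavior on a public interface, but it is also why the SourcePrivate address must be changed if the device's own private range differs from the default.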
See Also
Concepts
IP Firewall Application Development
IP Firewall OS Design Development
IP Firewall Security
IP Firewall Registry Settings
IP Firewall Logging Registry Settings