Share via


IP Firewall Registry Settings (Windows Embedded CE 6.0)

1/6/2010

The parameters for the TCP/IP firewall are located under the HKEY_LOCAL_MACHINE\Comm\Firewall registry key. The following table shows the registry values for the Firewall registry key.

Note

The default registry values vary depending on which Catalog items are included in your OS design. For more information, see Default Registry Settings.

Ee494503.security(en-US,WinEmbedded.60).gifSecurity Note:
Changing firewall registry settings may have security implications.
Value : type Description

TCPConnectionTimeout : REG_DWORD

Default setting is 86400 s, which is 24 hours. This value is the number of seconds before a temporary rule for a TCP connection times out. This is used for an established TCP connection that was initiated from the private side of a firewall.

TCPRuleTimeout : REG_DWORD

Default setting is 60 s. This value is the number of seconds before a temporary TCP rule times out if the connection has not been established.

UDPRuleTimeout : REG_DWORD

Default setting is 60 s. This value is the number of seconds before a temporary UDP rule times out if there is no matching UDP traffic.

ICMPRuleTimeout : REG_DWORD

Default setting is 30 s. This value is the number of seconds before a temporary ICMP rule times out if there is no matching ICMP traffic.

HousekeepingPeriod : REG_DWORD

Default setting is 30 s. This value is the number of seconds of the interval in which the firewall housekeeping routine is invoked. The housekeeping routine removes temporary rules that have expired.

HousekeepingThreadPriority256 : REG_DWORD

Default setting is 118. The valid range for this value is 0 through 255. This value is the priority of the thread that runs the housekeeping routine.

Ee494503.note(en-US,WinEmbedded.60).gifNote:
To ensure that the firewall always closes temporary rules, this thread should have a priority such that it cannot be preempted by events caused by the network.

DeleteHostsPeriod : REG_DWORD

Default setting is 1800 s, which is 30 minutes. This value is the number of seconds of the interval in which the housekeeping routine cleans structures associated with private hosts that no longer exist.

InterfacesNotFirewalled : REG_MULTI_SZ

There is no default setting. This value specifies the names of network adapters that should not be protected by the firewall.

If this value is not present, the firewall reads the list of interfaces that should not be protected by the firewall from the PrivateInterface value in the HKEY_LOCAL_MACHINE\COMM\ConnectionSharing\ registry entry. For more information, see Connection Sharing Registry Settings.

If this value is not present, and the PrivateInterface value is not present in the HKEY_LOCAL_MACHINE\COMM\ConnectionSharing registry key, then the firewall helps protect all network interfaces.

EnableIPV4 : REG_DWORD

Default setting is 1. This value, when not zero (0), indicates that the firewall is enabled for IPv4.

EnableIPv6 : REG_DWORD

Default setting is 1. This value, when not zero (0), indicates that the firewall is enabled for IPv6.

EnableNATIntegration : REG_DWORD

Default setting is 1. This value, when 1 (enabled), indicates that the firewall, by default, allows inbound packets that are translated by a NAT port mapping.

If this value is zero (0), the firewall blocks inbound packets translated by NAT unless a firewall rule allows such a packet.

Ee494503.note(en-US,WinEmbedded.60).gifNote:
Regardless of this setting, firewall blocking rules can block any packet, including packets translated by NAT.

The parameters for the IP firewall rules are located under the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\<Rule name> registry key. The following table shows the registry values for this key.

Value Description

Flags : REG_DWORD

There is no default. This value is required. For more information about firewall flags, see FW_RULE_FLAGS.

Mask : REG_DWORD

There is no default. This value is required. For more information about firewall masks, see FW_RULE_MASKS.

PrivateHost : Hex

There is no default. This value is the address that identifies a host on the private network. This value is required.

The following list shows examples:

  • "PrivateHost"=hex:02,00 indicates that the rules applies to all IPv4 hosts.
  • "PrivateHost"=hex:17,00 indicates that the rule applies to all IPv6 hosts.
  • "PrivateHost"=hex:02,00,00,00,C0,A8,00,02 indicates that the rule applies to address 192.168.0.2.

Description : REG_SZ

There is no default. This value is optional. It is a Unicode string that specifies the description of the rule.

PublicHost : Hex

There is no default. This value is optional. It specifies the IP address of the host on the public side of the firewall. The rule applies only to packets to or from this address.

PublicHostPrefix : REG_DWORD

There is no default. This value is optional. It is used together with PublicHost for IPv6 prefixes. It specifies the length of the address prefix that is specified in PublicHost. This value can be any whole number from 1 to 128.

For IPv6, it is used together with PublicHost.

The following list shows examples:

  • "PublicHost"=hex:17,00,00,00,fe,80
  • "PublicHostPrefix"=dword:10
    indicates that this rule is valid for public hosts with following prefix fe80::/16, which is any link local address.

PublicHostMask : REG_DWORD

There is no default. This value is optional. It specifies the subnet mask, and is used together with PublicHost for IPv4 addresses to specify rules for all addresses from a specific subnet.

Protocol : REG_DWORD

There is no default. This value is optional. It specifies that the rule is for a specific protocol. The following list shows examples of the values:

  • For TCP, "Protocol"=dword:6.
  • For UDP, "Protocol"=dword:11.
  • For ICMPv4, "Protocol"=dword:1.
  • For ICMPv6, "Protocol"=dword:3A.
  • For AH (IPSec), "Protocol"=dword:33.
  • For ESP (IPSec), "Protocol"=dword:32.

Action : REG_DWORD

There is no default. This value is optional. It is used for logging rules to specify whether to log packets that are blocked or packets that are allowed.

HourStart : REG_DWORD

There is no default. This value is optional. It specifies the time of day for the rule to become active, in 24-hour time. This value is used with HourEnd. The following list shows some examples:

  • If "HourStart"=dword:D, and "HourEnd"=dword:F, then the rule would be valid from 1 PM to 3 PM.
  • If "HourStart"=dword:11 and "HourEnd"=dword:9, then the rule would be valid from 5 PM to 9 AM.

HourEnd : REG_DWORD

There is no default. This value is optional. It specifies the time of day for the rule to become inactive, in 24-hour time. This value, used with HourStart.

DayOfWeek : REG_MULTI_SZ

There is no default. This value is optional. It indicates the days of the week on which the rule is active. FW_DAYS shows the possible values. These values can be used in combination.

Day : REG_DWORD

There is no default. This value is optional. It specifies the day of the month on which the rule is active. Values are whole numbers ranging from 1 through 31. Use this value with wMonth to specify a particular date on which to use the rule.

Month : REG_DWORD

There is no default. This value is optional. It specifies the month on which the rule is active. Values are whole numbers ranging from 1 through 12, where January = 1 and December = 12.

Port : REG_DWORD

There is no default This value is optional. It is used if both PortMin and PortMax are the same, and therefore the rule is for one specific port. Otherwise use PortMin and PortMax registry entries.

PortMin : REG_DWORD

There is no default. This value is optional. It specifies the lower end of the port range for which the rule applies for TCP or UDP packets. PortMin must be equal or lesser than PortMax. It is used only for TCP and UDP packets.

PortMax : REG_DWORD

There is no default. This value is optional. It specifies the upper end of the port range for which the rule applies for TCP or UDP packets. PortMax must be greater or equal to PortMin. It is used only for TCP and UDP packets.

Type : REG_DWORD

There is no default. This value is optional. It indicates that the rule applies only to ICMP packets of specified type.

Code : REG_DWORD

There is no default. This value is optional. It indicates that the rule applies only to ICMP packets with the specified code.

See Also

Concepts

IP Firewall OS Design Development
IP Firewall Security
TCP/IP Registry Settings
IP Firewall Logging Registry Settings

Other Resources

Firewall