IP Firewall Registry Settings (Windows Embedded CE 6.0)
1/6/2010
The parameters for the TCP/IP firewall are located under the HKEY_LOCAL_MACHINE\Comm\Firewall registry key. The following table shows the registry values for the Firewall registry key.
Note: The default registry values vary depending on which Catalog items are included in your OS design. For more information, see Default Registry Settings.

Security Note: Changing firewall registry settings may have security implications.
Value : type | Description
---|---
TCPConnectionTimeout : REG_DWORD | Default setting is 86400 s, which is 24 hours. This value is the number of seconds before a temporary rule for a TCP connection times out. It is used for an established TCP connection that was initiated from the private side of the firewall.
TCPRuleTimeout : REG_DWORD | Default setting is 60 s. This value is the number of seconds before a temporary TCP rule times out if the connection has not been established.
UDPRuleTimeout : REG_DWORD | Default setting is 60 s. This value is the number of seconds before a temporary UDP rule times out if there is no matching UDP traffic.
ICMPRuleTimeout : REG_DWORD | Default setting is 30 s. This value is the number of seconds before a temporary ICMP rule times out if there is no matching ICMP traffic.
HousekeepingPeriod : REG_DWORD | Default setting is 30 s. This value is the interval, in seconds, at which the firewall housekeeping routine is invoked. The housekeeping routine removes temporary rules that have expired.
HousekeepingThreadPriority256 : REG_DWORD | Default setting is 118. The valid range for this value is 0 through 255. This value is the priority of the thread that runs the housekeeping routine. Note: To ensure that the firewall always closes temporary rules, this thread should have a priority such that it cannot be preempted by events caused by the network.
DeleteHostsPeriod : REG_DWORD | Default setting is 1800 s, which is 30 minutes. This value is the interval, in seconds, at which the housekeeping routine cleans up structures associated with private hosts that no longer exist.
InterfacesNotFirewalled : REG_MULTI_SZ | There is no default setting. This value specifies the names of network adapters that should not be protected by the firewall. If this value is not present, the firewall reads the list of interfaces that should not be protected from the PrivateInterface value under the HKEY_LOCAL_MACHINE\COMM\ConnectionSharing registry key. For more information, see Connection Sharing Registry Settings. If this value is not present, and the PrivateInterface value is not present under HKEY_LOCAL_MACHINE\COMM\ConnectionSharing, then the firewall helps protect all network interfaces.
EnableIPV4 : REG_DWORD | Default setting is 1. When this value is not zero (0), the firewall is enabled for IPv4.
EnableIPv6 : REG_DWORD | Default setting is 1. When this value is not zero (0), the firewall is enabled for IPv6.
EnableNATIntegration : REG_DWORD | Default setting is 1. When this value is 1 (enabled), the firewall by default allows inbound packets that are translated by a NAT port mapping. If this value is zero (0), the firewall blocks inbound packets translated by NAT unless a firewall rule allows such a packet. Note: Regardless of this setting, firewall blocking rules can block any packet, including packets translated by NAT.
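The InterfacesNotFirewalled row above describes a three-step lookup that decides which adapters end up outside the firewall, and the two Enable values decide whether it runs at all. The following added example (not code from the Windows Embedded CE documentation) models that lookup over a registry represented as nested dicts; the adapter names and the key contents are constructed sample values.

```python
# Added example: resolve which adapters the IP firewall leaves unprotected,
# following the documented order: Firewall\InterfacesNotFirewalled first,
# then ConnectionSharing\PrivateInterface, otherwise protect everything.
# The registry is modelled as nested dicts; REG_MULTI_SZ values are lists.

FIREWALL_KEY = r"HKEY_LOCAL_MACHINE\Comm\Firewall"
SHARING_KEY = r"HKEY_LOCAL_MACHINE\COMM\ConnectionSharing"


def unprotected_interfaces(registry):
    """Return the set of adapter names the firewall does not protect."""
    firewall = registry.get(FIREWALL_KEY, {})
    # Step 1: an explicit InterfacesNotFirewalled list wins when present.
    if "InterfacesNotFirewalled" in firewall:
        return set(firewall["InterfacesNotFirewalled"])
    # Step 2: fall back to the Connection Sharing private interface.
    sharing = registry.get(SHARING_KEY, {})
    if "PrivateInterface" in sharing:
        value = sharing["PrivateInterface"]
        # Accept a single string or a multi-string list.
        return {value} if isinstance(value, str) else set(value)
    # Step 3: neither value present, so every interface is protected.
    return set()


def protected_interfaces(registry, adapters):
    """Return the adapters the firewall protects; empty when both
    EnableIPV4 and EnableIPv6 are zero, i.e. the firewall is off."""
    firewall = registry.get(FIREWALL_KEY, {})
    # Both values default to 1 and any non-zero value means enabled.
    ipv4_on = firewall.get("EnableIPV4", 1) != 0
    ipv6_on = firewall.get("EnableIPv6", 1) != 0
    if not (ipv4_on or ipv6_on):
        return set()
    return set(adapters) - unprotected_interfaces(registry)


# Constructed sample registry: the explicit list overrides the sharing fallback.
SAMPLE_REGISTRY = {
    FIREWALL_KEY: {"InterfacesNotFirewalled": ["LAN1"], "EnableIPV4": 1},
    SHARING_KEY: {"PrivateInterface": "LAN2"},
}
SAMPLE_ADAPTERS = ["LAN1", "LAN2", "PPP1"]

if __name__ == "__main__":
    print(sorted(protected_interfaces(SAMPLE_REGISTRY, SAMPLE_ADAPTERS)))
```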
The parameters for the IP firewall rules are located under the HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\<Rule name> registry key. The following table shows the registry values for this key.
Value : type | Description
---|---
Flags : REG_DWORD | There is no default. This value is required. For more information about firewall flags, see FW_RULE_FLAGS.
Mask : REG_DWORD | There is no default. This value is required. For more information about firewall masks, see FW_RULE_MASKS.
PrivateHost : Hex | There is no default. This value is required. It is the address that identifies a host on the private network. The following list shows examples:
Description : REG_SZ | There is no default. This value is optional. It is a Unicode string that specifies the description of the rule.
PublicHost : Hex | There is no default. This value is optional. It specifies the IP address of the host on the public side of the firewall. The rule applies only to packets to or from this address.
PublicHostPrefix : REG_DWORD | There is no default. This value is optional. For IPv6, it is used together with PublicHost and specifies the length of the address prefix given in PublicHost. This value can be any whole number from 1 to 128. The following list shows examples:
PublicHostMask : REG_DWORD | There is no default. This value is optional. It specifies the subnet mask and is used together with PublicHost for IPv4 addresses to specify rules for all addresses in a specific subnet.
Protocol : REG_DWORD | There is no default. This value is optional. It specifies that the rule is for a specific protocol. The following list shows examples of the values:
Action : REG_DWORD | There is no default. This value is optional. It is used for logging rules to specify whether to log packets that are blocked or packets that are allowed.
HourStart : REG_DWORD | There is no default. This value is optional. It specifies the time of day at which the rule becomes active, in 24-hour time. This value is used with HourEnd. The following list shows some examples:
HourEnd : REG_DWORD | There is no default. This value is optional. It specifies the time of day at which the rule becomes inactive, in 24-hour time. This value is used with HourStart.
DayOfWeek : REG_MULTI_SZ | There is no default. This value is optional. It indicates the days of the week on which the rule is active. FW_DAYS shows the possible values. These values can be used in combination.
Day : REG_DWORD | There is no default. This value is optional. It specifies the day of the month on which the rule is active. Values are whole numbers ranging from 1 through 31. Use this value with Month to specify a particular date on which to use the rule.
Month : REG_DWORD | There is no default. This value is optional. It specifies the month in which the rule is active. Values are whole numbers ranging from 1 through 12, where January = 1 and December = 12.
Port : REG_DWORD | There is no default. This value is optional. It is used when PortMin and PortMax would be the same, so the rule is for one specific port. Otherwise use the PortMin and PortMax registry entries.
PortMin : REG_DWORD | There is no default. This value is optional. It specifies the lower end of the port range to which the rule applies. PortMin must be less than or equal to PortMax. It is used only for TCP and UDP packets.
PortMax : REG_DWORD | There is no default. This value is optional. It specifies the upper end of the port range to which the rule applies. PortMax must be greater than or equal to PortMin. It is used only for TCP and UDP packets.
Type : REG_DWORD | There is no default. This value is optional. It indicates that the rule applies only to ICMP packets of the specified type.
Code : REG_DWORD | There is no default. This value is optional. It indicates that the rule applies only to ICMP packets with the specified code.
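The rule table states several constraints that are easy to get wrong when a rule key is hand-authored for an OS design (required values, the 1..128 prefix length, PortMin <= PortMax, Port versus PortMin/PortMax). The following added example (not code from the Windows Embedded CE documentation) checks a rule, represented as a dict keyed by registry value name, against those constraints; the 0..23 hour range is an assumption drawn from "24-hour time", the Flags and Mask placeholders are constructed, and Protocol 6 for TCP is an assumed encoding.

```python
# Added example: lint a Firewall\Rules\<Rule name> key against the constraints
# stated in the settings table before the values go into a device image.
# Flags and Mask are only checked for presence because their meanings are
# defined by FW_RULE_FLAGS and FW_RULE_MASKS, not by this table.

REQUIRED = ("Flags", "Mask", "PrivateHost")
RANGES = {  # value name -> inclusive (low, high) from the table
    "PublicHostPrefix": (1, 128),
    "Day": (1, 31),
    "Month": (1, 12),
    "HourStart": (0, 23),  # assumption: 24-hour clock
    "HourEnd": (0, 23),
}


def validate_rule(rule):
    """Return the list of problems found; empty means the rule is consistent."""
    problems = []
    for name in REQUIRED:
        if name not in rule:
            problems.append(f"{name} is required")
    for name, (low, high) in RANGES.items():
        if name in rule and not low <= rule[name] <= high:
            problems.append(f"{name}={rule[name]} outside {low}..{high}")
    # PublicHostPrefix and PublicHostMask only qualify the address in PublicHost.
    for name in ("PublicHostPrefix", "PublicHostMask"):
        if name in rule and "PublicHost" not in rule:
            problems.append(f"{name} set without PublicHost")
    if ("HourStart" in rule) != ("HourEnd" in rule):
        problems.append("HourStart and HourEnd must be set together")
    if "Day" in rule and "Month" not in rule:
        problems.append("Day requires Month")
    # Port is shorthand for PortMin == PortMax; otherwise PortMin <= PortMax.
    has_min, has_max = "PortMin" in rule, "PortMax" in rule
    if "Port" in rule and (has_min or has_max):
        problems.append("Port cannot be combined with PortMin/PortMax")
    if has_min != has_max:
        problems.append("PortMin and PortMax must be set together")
    elif has_min and rule["PortMin"] > rule["PortMax"]:
        problems.append("PortMin must be less than or equal to PortMax")
    return problems


# Constructed sample rules; Flags and Mask values are placeholders.
GOOD_RULE = {"Flags": 0x0, "Mask": 0x0, "PrivateHost": "192.168.0.10",
             "Protocol": 6, "PortMin": 80, "PortMax": 443}  # 6 = TCP (assumed)
BAD_RULE = {"Flags": 0x0, "PrivateHost": "192.168.0.10", "PublicHostPrefix": 200,
            "Port": 22, "PortMin": 22, "PortMax": 21, "Day": 31}
```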
See Also
Concepts
IP Firewall OS Design Development
IP Firewall Security
TCP/IP Registry Settings
IP Firewall Logging Registry Settings