Host Firewall

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Windows Firewall with Advanced Security includes a host-based firewall component that is a protective boundary for the local computer, which monitors and restricts information that travels between your computer and its attached networks or the Internet. It provides an important line of defense against someone who might try to access your computer without your permission.

In Windows Vista and later versions of Windows, both client and server, the host firewall in Windows Firewall with Advanced Security is turned on by default, with unsolicited inbound network traffic blocked, and all outbound traffic allowed. You can create rules to permit specific inbound connections if your computer hosts a service or program that must be able to receive inbound unsolicited network traffic. To control outbound network traffic you can create outbound block rules that prevent unwanted network traffic from being sent to the network. Alternatively, you can configure the default outbound behavior to block all traffic, and then create outbound allow rules that permit only that traffic that you configure in the rules.

How the host firewall works

Network traffic flowing in and out of your computer can be categorized as shown in the following diagram.

Network traffic consists of a packet or a stream of packets that are sent from a source port on one computer to a destination port on another computer. A port is just an integer value in the network packet that identifies the program on the sending or receiving end of the connection. Generally, only one program listens on a port at a time. To listen on a port, the program registers itself and the port numbers to which it must listen with the operating system. When a packet arrives at the local computer, the operating system examines the destination port number, and then provides the contents of the packet to the program registered to use that port. When using the TCP/IP protocol, a computer can receive network traffic addressed by using a specific transport protocol such as TCP or UDP, and on any one of the ports numbered from 1 to 65,535. Many of the lower numbered ports are reserved for well-known services, such as a Web server that uses Hyper Text Transport Protocol (HTTP) on TCP port 80, Telnet remote terminal services on TCP port 23, or Simple Mail Transfer Protocol (SMTP) on port 25.

Windows Firewall with Advanced Security works by examining the source and destination addresses, source and destination ports, and protocol numbers of a packet, and then comparing them to the rules that are defined by the administrator. When a rule matches a network packet then the action specified in the rule (to allow or block the packet) is taken. Windows Firewall with Advanced Security also lets you allow or block network packets based on whether they are protected by IPsec authentication or encryption.

For more information about host firewall functionality and the features of Windows Firewall with Advanced Security, see the Windows Firewall with Advanced Security Getting Started Guide in the Windows Server Technical Library at, and Windows Firewall on TechNet at

Next topic: Connection Security and IPsec