Firewall Rule Properties - Protocols and Ports

Applies To: Windows Server 2008

Specifying Protocols and Ports

You can further refine the exception by specifying the protocol and ports to which the rule applies.

Protocol type and number

If you specified the Custom protocol type, you can specify a protocol by its protocol number. You can use any protocol number listed by the Internet Assigned Numbers Authority (IANA).

The following table provides a partial list of the protocols, their protocol numbers, and, where available, a brief description.

Protocol (Protocol Number) Description

Any

Used so that rule settings will apply to any protocol, even if it is not in the following list.

Custom

Used to specify a protocol by its protocol number. You can use any protocol number listed by IANA.

HOPOPT - IPv6 Hop-by-Hop Option (0)

Used to alert routers that an IP datagram contains control data that the router will need to handle. The router performs additional parsing on the packets with this option set in the header. (RFC 2711)

ICMPv4 - Internet Control Message Protocol (1)

Used to send errors and other messages used to analyze networks.

IGMP - Internet Group Management Protocol (2)

Used by IP hosts and multicast routers to establish and to manage the membership of IP multicast groups.

TCP - Transmission Control Protocol (6)

Provides a reliable, connection-oriented packet delivery service and is based on point-to-point communication between two network hosts. TCP guarantees delivery and verifies sequencing for any datagrams.

UDP - User Datagram Protocol (17)

Provides fast, lightweight, unreliable transportation of data between TCP/IP hosts. Unlike TCP, UDP does not guarantee delivery or verify sequencing for any datagrams.

IPv6 - Internet Protocol version 6 (Related protocol numbers: 0, 43, 44, 50, 51, 59, 60)

Improves on Internet Protocol version 4 (IPv4) by vastly increasing the number of available addresses and by enabling more efficient routing, simpler configuration, built-in IP security, better support for real-time data delivery, and other essential enhancements.

IPv6-Route (43)

IPv6 routing header

IPv6-Frag (44)

IPv6 fragment header

GRE - Generic Routing Encapsulation (47)

Used to encapsulate a variety of generic network layer packets. The protocol is designed to be stateless.

ICMPv6 - Internet Control Message Protocol for IPv6 (58)

Used to send errors and other messages used to analyze networks.

IPv6NoNxt - No-Next-Header for IPv6 (59)

Used to communicate that there are no additional headers to process.

IPv6Opts - Destination Options for IPv6 (60)

Used to indicate that the next header is the Destination Options header, which is used to specify processing or delivery parameters to either intermediate or final destinations.

VRRP - Virtual Router Redundancy Protocol (112)

Used to increase the availability of the default gateway for hosts on a subnet.

PGM - Pragmatic General Multicast protocol (113)

Used to improve the reliability of a data stream to multiple network recipients.

L2TP - Layer 2 Tunneling Protocol (115)

Used to facilitate virtual private network (VPN) connections.

Local port

If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied.

The following options are available for inbound rules:

  • RPC Endpoint Mapper. Selecting this option allows the local computer to receive incoming RPC requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send further network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.

  • Dynamic RPC. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by the firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.

Important

Creating rules to allow RPC network traffic by using these two options allows all RPC network traffic. The firewall cannot filter RPC traffic by the UUID of the destination program.

Note

These options are available only when creating an inbound rule; they do not apply to outbound rules.
When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for Dynamic RPC.

Remote port

If you are using the TCP or UDP protocol type, you can specify the remote port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied.
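The protocol-number, local-port, remote-port and RPC settings described above, expressed as netsh advfirewall commands (the command-line equivalent of the dialog on Windows Server 2008). This is an added example, not part of the original page; the rule names, the program path and the address range are placeholders.

```powershell
# Added example: netsh advfirewall equivalents of the Protocols and Ports settings.
# Rule names, the program path and the remote address range are placeholders.

# Custom protocol type: select the protocol by its IANA protocol number.
# 47 is GRE, taken from the protocol table above.
netsh advfirewall firewall add rule name=Allow-GRE-In dir=in action=allow protocol=47

# TCP with an explicit local port (the port on this computer) and a remote port
# range (the port on the peer). remoteip narrows the rule to one subnet.
netsh advfirewall firewall add rule name=Allow-App-In dir=in action=allow protocol=TCP localport=8443 remoteport=1024-65535 remoteip=10.0.0.0/24

# RPC needs two inbound TCP rules: the Endpoint Mapper (TCP 135) and the dynamic
# ports the RPC runtime assigns. Scoping the dynamic rule to a program limits
# which process may receive on those ports; the firewall cannot filter RPC by
# the destination interface UUID, so both rules admit all RPC traffic.
netsh advfirewall firewall add rule name=Allow-RPC-EPMap-In dir=in action=allow protocol=TCP localport=RPC-EPMap
netsh advfirewall firewall add rule name=Allow-RPC-Dynamic-In dir=in action=allow protocol=TCP localport=RPC program=C:\Example\svc.exe

# Verify the result: verbose output lists protocol, ports, program and scope.
netsh advfirewall firewall show rule name=Allow-RPC-Dynamic-In verbose
```

The RPC and RPC-EPMap local-port keywords are accepted only with protocol=TCP and dir=in, matching the note above that these options exist for inbound rules only.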

ICMP Settings

Click the Settings button to configure settings for Internet Control Message Protocol (ICMP). The Settings button is enabled when you choose the ICMPv4 or ICMPv6 protocol types.

Additional references

Firewall Rule Properties - Customize ICMP Settings