Configuring Scope Settings

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you configure a program, port, or system service exception, you should also configure scope settings for the exception. Scope settings define from which addresses incoming traffic is allowed to originate, which defines the set of computers that are allowed to send traffic for an exception. There are three scope options:

Any computer (including those on the Internet)

This setting allows traffic from any Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address through the exception. This setting might make your computer more accessible to malicious users or programs on the Internet.

My network (subnet) only

This setting allows traffic only from IPv4 or IPv6 addresses that can be reached directly by your computer. Windows Firewall determines whether the source IPv4 or IPv6 address of the incoming packet can be reached directly by querying the IPv4 and IPv6 routing tables. You can see all destinations that are considered directly reachable by typing the route print command at a command prompt. For the IPv4 routing table, all IPv4 addresses that match the routes in which the IPv4 address of the Gateway column equals the IPv4 address of the Interface column are considered directly reachable. For the IPv6 routing table, all IPv6 addresses that match routes in which the Gateway column is set to On-link are considered directly reachable. Therefore, the set of directly reachable addresses depends on your networking configuration, as specified by the IPv4 and IPv6 configuration of LAN-based connections (such as Ethernet and 802.11 wireless), dial-up connections, and broadband Internet connections. In some Internet configurations, all destinations are considered directly reachable.

For example, for a computer that is directly connected to a private home network only, the set of directly reachable unicast addresses is confined to those that match the IPv4 network ID of the private subnet. If the network connection is configured with an IPv4 address of 192.168.0.99 with a subnet mask of 255.255.0.0, only traffic from IPv4 addresses in the range 192.168.0.0 to 192.168.255.255 is allowed.

In another example, for a computer that is directly connected to both a private home network and the Internet through a cable modem, the set of directly reachable unicast addresses are those that match either the network ID of the private subnet or the cable modem provider subnet. For example, if the private network connection is configured with an IPv4 address of 192.168.0.1 and a subnet mask of 255.255.0.0 and the cable modem connection is configured with an IPv4 address of 131.107.17.211 and a subnet mask of 255.255.255.0, traffic received by either network connection is allowed from IPv4 addresses in ranges from 192.168.0.0 to 192.168.255.255 and from 131.107.17.0 to 131.107.17.255.

Important

The use of the My network (subnet) only option can make your computer more accessible than you expect. Make sure that you clearly understand how this option restricts scope before you use it.

Custom list

This setting allows you to specify one or more IPv4 addresses or IPv4 address ranges separated by commas (with no spaces). IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example custom list: 10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

You cannot specify a custom list for IPv6 traffic.

Important

When you configure and enable an exception, you are instructing Windows Firewall to allow specific unsolicited incoming traffic sent from the specified scope (from any address, from an address that can be reached directly, or from a custom list). For any scope, enabling an exception makes the computer accessible to attacks based on incoming unsolicited traffic from computers that are assigned the allowed addresses and from malicious computers that spoof traffic. There is no way to prevent spoofed attacks from the Internet on connections assigned public IPv4 addresses except to disable the exception. Therefore, you should try to configure scope options so that the number of computers that are allowed to send unsolicited traffic through an exception is kept to a minimum. This will reduce, but not eliminate, the likelihood of a spoof attack.

When to perform this task

You should perform this task whenever you add, enable, or edit an exception. You typically perform this procedure on an ongoing basis as your server configurations and server roles change and your network architecture changes.

Task requirements

No special tools are required to complete this task.

Task procedures

To complete this task, perform the following procedures:

Change the Scope of a Firewall Rule

See Also

Concepts

Known Issues for Managing Firewall Rules
Configuring Program Firewall Rules
Configuring Port Firewall Rules
Configuring System Service Firewall Rules
Configuring Firewall Rules for Specific Connections