Firewall Rule Properties Page: Protocols and Ports Tab

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

Use this tab to specify which protocols and ports in a network packet match this firewall rule.

To get to this tab

  • In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Protocols and Ports tab.

Protocol type

Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, then select Custom, and type the protocol number in Protocol number. You can use any protocol number listed by the Internet Assigned Numbers Authority (IANA).

If you specify TCP or UDP in the list, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

The following table provides a partial list of the protocols, their protocol numbers, and, where available, a brief description.

Protocol | Number | Description
-------- | ------ | -----------
Any | (none) | Used so that rule settings will apply to any protocol, even if it is not in this list.
Custom | (none) | Used to specify a protocol by its protocol number.
HOPOPT - IPv6 Hop-by-Hop Option | 0 | Used to alert routers that an IP datagram contains control data that the router will need to handle. When this option is set in the header, the router performs additional parsing on the packets. (RFC 2711)
ICMPv4 - Internet Control Message Protocol | 1 | Used to send errors and other messages used to analyze networks.
IGMP - Internet Group Management Protocol | 2 | Used by IP hosts and multicast routers to establish and manage the membership of IP multicast groups.
TCP - Transmission Control Protocol | 6 | Provides a reliable, connection-oriented packet delivery service and is based on point-to-point communication between two network hosts. TCP guarantees delivery and verifies sequencing for any datagrams.
UDP - User Datagram Protocol | 17 | Provides fast, lightweight, unreliable transportation of data between TCP/IP hosts. Unlike TCP, UDP does not guarantee delivery or verify sequencing for any datagrams.
IPv6 - Internet Protocol version 6 | 41 | Improves on Internet Protocol version 4 (IPv4) by vastly increasing the number of available addresses and by enabling more efficient routing, simpler configuration, built-in IP security, better support for real-time data delivery, and more.
IPv6-Route | 43 | IPv6 routing header.
IPv6-Frag | 44 | IPv6 fragment header.
GRE - Generic Routing Encapsulation | 47 | Used to encapsulate a variety of generic network layer packets. The protocol is designed to be stateless.
ICMPv6 - Internet Control Message Protocol for IPv6 | 58 | Used to send errors and other messages used to analyze networks.
IPv6NoNxt - No-Next-Header for IPv6 | 59 | Used to communicate that there are no additional headers to process.
IPv6Opts - Destination Options for IPv6 | 60 | Used to indicate that the next header is the Destination Options header, which is used to specify processing or delivery parameters to either intermediate or final destinations.
VRRP - Virtual Router Redundancy Protocol | 112 | Used to increase the availability of the default gateway for hosts on a subnet.
PGM - Pragmatic General Multicast protocol | 113 | Used to improve the reliability of a data stream to multiple network recipients.
L2TP - Layer 2 Tunneling Protocol | 115 | Used to facilitate virtual private network (VPN) connections.

Local port

If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied.

The following options are available for inbound rules:

  • All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

  • Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.

  • RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming RPC requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send further network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.

  • RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.

Important

Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC dynamic ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program.
When an application uses RPC to communicate from a client to a server, you must typically create two rules: one that uses RPC Endpoint Mapper and one that uses RPC Dynamic Ports.

  • IPHTTPS. Available for TCP only. Available under Local port for inbound rules. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports the embedding of Internet Protocol version 6 (IPv6) packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

  • Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets. Teredo is an IPv4-to-IPv6 transition protocol.

Remote port

If you are using the TCP or UDP protocol type, you can specify the remote port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied.

The following options are available for inbound rules:

  • All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

  • Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.

  • IPHTTPS. Available for TCP only. Available under Remote port for outbound rules. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.
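The following added example (not part of this page or of Windows Firewall) models the matching semantics described in the Protocol type, Local port and Remote port sections: a protocol number (None standing for Any), the comma-and-hyphen "Specific Ports" syntax, and the fact that port fields only apply to TCP and UDP. The rule and packet values are constructed for illustration; the range check 0-65535 is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Protocol numbers as listed in the tab's table (IANA assigned numbers).
# None stands for the "Any" choice, which matches every protocol.
PROTOCOLS = {"Any": None, "ICMPv4": 1, "IGMP": 2, "TCP": 6, "UDP": 17,
             "GRE": 47, "ICMPv6": 58, "L2TP": 115}
TCP, UDP = 6, 17


def parse_port_list(text: str) -> Set[int]:
    """Expand a 'Specific Ports' entry ("80,443,8000-8010") into a set of ports.
    Assumed validation: each entry is a number or a low-high range within 0-65535."""
    ports: Set[int] = set()
    for item in text.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"invalid port entry: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of order or out of range: {item!r}")
        ports.update(range(low, high + 1))
    return ports


@dataclass
class PortRule:
    """Protocols-and-Ports part of a rule. None means 'Any' / 'All Ports'."""
    protocol: Optional[int]
    local_ports: Optional[Set[int]] = None
    remote_ports: Optional[Set[int]] = None

    def matches(self, protocol: int, local_port: int = 0, remote_port: int = 0) -> bool:
        if self.protocol is not None and protocol != self.protocol:
            return False
        # Port fields only apply to TCP and UDP; other protocols carry no ports.
        if protocol not in (TCP, UDP):
            return True
        if self.local_ports is not None and local_port not in self.local_ports:
            return False
        if self.remote_ports is not None and remote_port not in self.remote_ports:
            return False
        return True


# Constructed sample: an inbound TCP rule for local ports 80, 443 and 8000-8010.
WEB_RULE = PortRule(protocol=TCP, local_ports=parse_port_list("80, 443, 8000-8010"))
```

Running the same packet through WEB_RULE with protocol UDP, or with a local port outside the list, yields no match, which is the audit check you want before trusting a "Specific Ports" rule.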

ICMP Settings

Click Customize to configure settings for Internet Control Message Protocol (ICMP). The Customize button is enabled only when you choose the ICMPv4 or ICMPv6 protocol types. For more information, see Dialog Box: Customize ICMP Settings.