Help: Understanding Windows Firewall scope options

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Understanding Windows Firewall scope options

When you configure a program or port exception, you can also configure the scope options for the exception. Scope options define which computers are allowed to send traffic through an exception, based on the source address of the incoming packet. You can access the scope options by clicking the Change Scope button in the Add a Port, Add a Program, Edit a Port, or Edit a Program dialog boxes. There are three scope options:

Any computer (including those on the Internet)

This setting allows traffic from any Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address through the exception. This setting might make your computer more accessible to malicious users or programs on the Internet.

My network (subnet) only

This setting allows traffic only from IPv4 or IPv6 addresses that can be reached directly by your computer (on-link addresses). Windows Firewall determines whether the source IPv4 or IPv6 address of the incoming packet can be reached directly by querying the IPv4 and IPv6 routing tables. You can see all destinations that are considered directly reachable by typing the route print command at a command prompt.

For the IPv4 routing table, all IPv4 addresses that match routes in which the IPv4 address in the Gateway column equals the IPv4 address in the Interface column are considered directly reachable. For the IPv6 routing table, all IPv6 addresses that match routes in which the Gateway column is set to On-link are considered directly reachable.

Therefore, the set of directly reachable addresses depends on your networking configuration, as specified by the IPv4 and IPv6 configuration of LAN-based connections (such as Ethernet and 802.11 wireless), dial-up connections, and broadband Internet connections. In some Internet configurations, such as a point-to-point dial-up connection whose default route lists the connection's own address as the gateway, all destinations are considered directly reachable, and this scope then allows traffic from any address.

For example, for a computer that is only directly connected to a private home network, the set of directly reachable unicast addresses is confined to those that match the IPv4 network ID of the private subnet. If the network connection is configured with an IPv4 address of 192.168.0.99 with a subnet mask of 255.255.0.0, only traffic from IPv4 addresses in the range 192.168.0.0 to 192.168.255.255 is allowed.

In another example, for a computer that is directly connected to both a private home network and the Internet through a cable modem, the set of directly reachable unicast addresses is those that match either the network ID of the private subnet or the cable modem provider subnet. For example, if the private network connection is configured with an IPv4 address of 192.168.0.1 and a subnet mask of 255.255.0.0 and the cable modem connection is configured with an IPv4 address of 131.107.17.211 and a subnet mask of 255.255.255.0, traffic received by either network connection is allowed from IPv4 addresses in the ranges from 192.168.0.0 to 192.168.255.255 and from 131.107.17.0 to 131.107.17.255. The check is made on the source address alone, not on the connection the packet arrives on: a packet that arrives on the cable modem connection with a source address in 192.168.0.0/16 also matches the scope, which is one way spoofed traffic can reach an exception.
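The following is an added example, not part of the original help page, that applies the rule above to the IPv4 section of route print output. The two route tables are constructed to match the cable modem example and the dial-up case described on this page; run route print on your own computer to see the real table. It reports which networks Windows Firewall would treat as directly reachable (Gateway equals Interface) and whether a given source address would pass a "My network (subnet) only" exception.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of "route print" on Windows Server 2003
# for the two-connection example on this page: a private LAN (192.168.0.1/16)
# and a cable modem (131.107.17.211/24) with a default route through 131.107.17.1.
ROUTE_PRINT_TWO_CONNECTIONS = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     131.107.17.1  131.107.17.211     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      131.107.17.0    255.255.255.0   131.107.17.211  131.107.17.211     20
    131.107.17.211  255.255.255.255        127.0.0.1       127.0.0.1     20
      192.168.0.0      255.255.0.0      192.168.0.1     192.168.0.1     20
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1     20
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1      1
Default Gateway:      131.107.17.1
===========================================================================
"""

# Constructed table for a dial-up (PPP) connection. The default route lists the
# connection's own address as the gateway, so by the page's rule every
# destination counts as directly reachable.
ROUTE_PRINT_DIALUP = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     131.107.20.5    131.107.20.5      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
     131.107.20.5  255.255.255.255        127.0.0.1       127.0.0.1     50
"""

# A route row is five whitespace-separated fields ending in a numeric metric.
_ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_ipv4_routes(text):
    """Return (destination network, gateway, interface) triples from route print output."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, _metric = m.groups()
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            gateway = ipaddress.ip_address(gateway)
            iface = ipaddress.ip_address(iface)
        except ValueError:
            continue  # header or other non-route text
        routes.append((network, gateway, iface))
    return routes


def directly_reachable_networks(routes):
    """The page's rule: a route is on-link when its Gateway equals its Interface address."""
    return [net for net, gateway, iface in routes if gateway == iface]


def in_subnet_scope(source, route_print_text):
    """Would a packet with this source address pass a 'My network (subnet) only' exception?"""
    src = ipaddress.ip_address(source)
    networks = directly_reachable_networks(parse_ipv4_routes(route_print_text))
    return any(src in net for net in networks)


if __name__ == "__main__":
    for name, table in (("two connections", ROUTE_PRINT_TWO_CONNECTIONS),
                        ("dial-up", ROUTE_PRINT_DIALUP)):
        print(name, "on-link:", [str(n) for n in directly_reachable_networks(parse_ipv4_routes(table))])
        for src in ("192.168.37.4", "131.107.17.9", "10.0.0.1"):
            print("  ", src, "allowed" if in_subnet_scope(src, table) else "blocked")
```

On the two-connection table, 10.0.0.1 only matches the default route, whose gateway (131.107.17.1) differs from the interface address, so it is outside the scope; on the dial-up table the same address is allowed, because the default route is on-link. That is the situation the page warns about when it says that in some Internet configurations all destinations are considered directly reachable.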

Custom list

This setting allows you to specify one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). Either way, the entry means the whole range that contains the address.

The following is an example custom list:

10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

You cannot specify a custom list for IPv6 traffic.
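The following is an added example, not part of the original help page, that parses a custom list in the notation described above into the ranges it actually denotes and checks a source address against them. The example list is the one from this page; the parser accepts a bare address, address/dotted-mask, or address/prefix-length, treats an address inside a range as the whole range, and rejects IPv6 entries, which the Custom list box does not accept.

```python
import ipaddress

# The example custom list from this page, as typed into the Custom list box
# (entries separated by commas, no spaces).
PAGE_EXAMPLE_LIST = (
    "10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,"
    "172.16.31.11/24,172.16.111.0/24"
)


def parse_custom_list(text):
    """Turn a custom-list string into IPv4Network objects.

    A bare address is a single host (/32). For address/mask and
    address/prefix-length entries, an address that is not the network ID
    (host bits set) denotes the whole range that contains it, so the
    network is built with strict=False. Anything else, including IPv6,
    raises ValueError.
    """
    networks = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in custom list")
        address_part = entry.split("/", 1)[0]
        if ipaddress.ip_address(address_part).version != 4:
            raise ValueError(f"only IPv4 is allowed in a custom list: {entry}")
        if "/" in entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
        else:
            networks.append(ipaddress.ip_network(entry + "/32"))
    return networks


def normalized(text):
    """Render each entry as network ID/prefix length, which is what the entry means."""
    return [str(net) for net in parse_custom_list(text)]


def in_custom_scope(source, text):
    """Would a packet with this source address pass an exception using this custom list?"""
    src = ipaddress.ip_address(source)
    return any(src in net for net in parse_custom_list(text))


if __name__ == "__main__":
    print(normalized(PAGE_EXAMPLE_LIST))
    for src in ("10.7.14.200", "10.91.12.57", "172.16.31.254"):
        print(src, "allowed" if in_custom_scope(src, PAGE_EXAMPLE_LIST) else "blocked")
    try:
        parse_custom_list("2001:db8::/32")
    except ValueError as err:
        print("rejected:", err)
```

Normalizing the list shows that 10.7.14.9/255.255.255.0 and 172.16.31.11/24 admit the whole 10.7.14.0/24 and 172.16.31.0/24 ranges, not just the two hosts named; check the normalized form before saving a list if the intent was to allow single computers.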

Note

When you configure and enable an exception, you are instructing Windows Firewall to allow specific unsolicited incoming traffic sent from the specified scope (from any address, from an address that can be reached directly, or from a custom list). For any scope, enabling an exception makes the computer accessible to attacks based on unsolicited incoming traffic from computers that are assigned the allowed addresses and from malicious computers that spoof the source address of their traffic. There is no way to prevent spoofed attacks from the Internet on connections assigned public IPv4 addresses except by disabling the exception. Therefore, configure scope options so that the number of computers that are allowed to send unsolicited traffic through an exception is kept to a minimum. This reduces, but does not eliminate, the likelihood of a spoofing attack.

See Also

Concepts

Help: Windows Firewall overview
Help: Administering Windows Firewall
Help: Configure Exceptions and Notifications