Internet Protocol version 6 (IPv6) Internet Connection Firewall overview
IPv6 is a new networking protocol designed to eventually replace Internet Protocol version 4 (IPv4). IPv4 has been in existence since 1981 and is the standard for computer networking. IPv4 has proven to be robust, easily implemented, and interoperable, and has stood the test of scaling an internetwork to a global utility the size of today's Internet. This is a tribute to its initial design. However, due to the rapid expansion of the Internet, IPv4 addresses have become relatively scarce, forcing some organizations to use a network address translator (NAT) to map multiple private addresses to a single public IP address. IPv6 provides more IP addresses for global connectivity.
A firewall is provides a protective boundary between a computer or network and the outside world. The IPv6 Internet Connection Firewall (ICF) is software that is used to set restrictions on what type of incoming IPv6 traffic is allowed.
The IPv6 Internet Connection Firewall is separate from the existing Internet Connection Firewall in Windows XP with Service Pack 1. For more information about Internet Connection Firewall in Windows XP, see the Windows XP Help and Support Center.
Note
IPv6 Internet Connection Firewall is only provided with the Advanced Networking Pack for Windows XP, a free download for computers running Windows XP with Service Pack 1. For computers running Windows XP with Service Pack 2, IPv6 Internet Connection Firewall has been replaced with the new Windows Firewall. For more information about Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2.
The following things apply to the IPv6 ICF:
IPv6 ICF automatically runs and filters on all network connections.
IPv6 ICF drops unsolicited inbound traffic and statefully monitors all outbound traffic. This is also called stateful filtering.
Windows XP only shows the IPv4 ICF configuration in the Network Connections folder. This includes the network connection icons and the Connections Properties dialog box. IPv6 ICF may appear disabled, but it is actually enabled, and is filtering IPv6 traffic.
If you have configured IPv6 ICMP options so that a connection can have different ICMP options between IPv4 and IPv6, only the IPv4 configured options appear in the Connections Properties dialog box.
IPv6 traffic is logged to a unique file
Communications that originate from a source outside the IPv6 ICF computer, such as the Internet, are dropped by the firewall. Rather than send you notifications about activity, ICF silently discards unsolicited communications, stopping common attempts to illegally gain access to your computer or network, such as port scanning. Such notifications could be frequent enough to become a distraction. Instead, IPv6 ICF creates a security log in which you can view the activity that is tracked by the firewall.
Ports can be configured to allow the ICF computer to accept unsolicited traffic from the Internet. For example, if you are hosting an IPv6-enabled Web server, you can configure IPv6 ICF to allow unsolicited IPv6 traffic to port 80 to be accepted for communications to the Web server.
The ICF logging feature provides a way to create a security log of firewall activity. ICF is capable of logging traffic that is permitted and traffic that is rejected. For example, incoming echo requests from the Internet, by default, are not allowed by the firewall. If ICMP Allow incoming echo request is not enabled, then the inbound request fails, and a log entry that notes the failed inbound attempt is generated.
Event logging is generated into the Extended Log File Format as established by the World Wide Web Consortium (W3C).
For more information about IPv4 Internet Connection Firewall and IPv6, see the Windows XP Help and Support Center.