Basic Firewall

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Securing your network with Basic Firewall

You can use Basic Firewall to help secure your network from unsolicited public network traffic, such as traffic sent from the Internet. People who send such traffic might be trying to access your network without your permission. You can enable Basic Firewall for any public interface, including one that also provides network address translation (NAT) for your network.

How Basic Firewall works

Basic Firewall is a stateful firewall, which combines dynamic packet filtering of network traffic with a set of static packet filters. Basic Firewall monitors traffic that travels through the interface for which Basic Firewall is enabled.

If the interface is configured for private network traffic only, Basic Firewall will route traffic among the computers on the private network only. Basic Firewall will route traffic between a private network and virtual private network (VPN) client computers. However, computers that are part of a private network will not be able to detect computers outside of the private network, and computers that are not part of the private network will not be able to detect computers that belong to the private network.

If the interface is configured for private network traffic and to provide NAT, each packet's source and destination addresses are recorded in a table. All traffic from the public network is compared to the entries in the table. Traffic from the public network can reach the private network only if the table contains an entry that shows that the communication exchange originated from within the private network. In this way, Basic Firewall prevents unsolicited traffic from a public network (such as the Internet) from reaching a private network.

For more information about packet filters and how they work, see Packet filtering. For information on configuring Basic Firewall, see Configure Basic Firewall for a public interface.

Considerations when using Basic Firewall

You do not need to use Basic Firewall if your network has other firewall software installed. Basic Firewall can provide protection only for public interfaces. You cannot enable Basic Firewall on a private interface. You must configure each instance of Basic Firewall individually to work correctly with all services and ports on that interface. For more information, see Network interfaces.

You can configure exceptions for certain types of traffic if Basic Firewall blocks traffic that your network should receive. For example, some programs, such as e-mail programs, might behave differently if Basic Firewall is enabled. For information on configuring exceptions, see Configure services and ports, Packet filtering, and Allow or deny ICMP messages.

You can further protect your private network by configuring static packet filters on private interfaces. Unlike Basic Firewall, static packet filters can be configured on private interfaces.

You can configure Basic Firewall when you configure and enable Routing and Remote Access or after Routing and Remote Access has been enabled. You cannot enable Internet Connection Firewall or Windows Firewall if Routing and Remote Access is configured and enabled. You cannot configure and enable Routing and Remote Access if Internet Connection Firewall or Windows Firewall is enabled. For more information about Windows Firewall, see Help: Windows Firewall.

Basic Firewall logging and settings

By default, Basic Firewall does not log an event when it discards unsolicited network traffic. Notifications of discarded traffic can be sent frequently enough to be a distraction to the network administrator. You can enable logging if you want to be notified when Basic Firewall discards traffic. For example, the default configuration of Basic Firewall does not allow echo requests sent from the Internet to reach a private network. If you enable logging and you do not allow echo requests to reach your network, the echo request fails, and a log entry that notes the failed attempt is generated. For more information, see Configure logging and Log details for a routing protocol.
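To tie together the state table described under "How Basic Firewall works", the service exceptions from "Considerations when using Basic Firewall", and the drop logging described above, here is an added Python model; it is not Microsoft's code or anything shipped with Routing and Remote Access. The addresses and ports are constructed samples, an echo request is encoded as proto "icmp" with zero ports, and NAT address rewriting is left out so the table holds the private host's own address.

```python
from collections import namedtuple

# Constructed 5-tuple used as the table key; addresses are sample values.
Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")


class BasicFirewallModel:
    """Toy stateful firewall: dynamic reply table plus static service exceptions."""

    def __init__(self, allowed_services=(), log_drops=False):
        self.table = set()                      # replies expected from the public side
        self.allowed = set(allowed_services)    # static exceptions: (proto, port)
        self.log_drops = log_drops              # off by default, as on the page
        self.log = []

    def outbound(self, flow):
        """A private host starts an exchange; record the reply we will accept."""
        self.table.add(Flow(flow.proto, flow.dst_ip, flow.dst_port,
                            flow.src_ip, flow.src_port))
        return True

    def inbound(self, flow):
        """Public traffic passes only if it matches a recorded reply or an exception."""
        if flow in self.table:
            return True
        if (flow.proto, flow.dst_port) in self.allowed:
            return True
        if self.log_drops:   # only with logging enabled is the discard recorded
            self.log.append(f"DROP {flow.proto} {flow.src_ip}:{flow.src_port} "
                            f"-> {flow.dst_ip}:{flow.dst_port}")
        return False


def demo():
    """Walk through the cases the page describes; returns the decisions and the log."""
    fw = BasicFirewallModel(allowed_services={("tcp", 25)}, log_drops=True)
    # Private host 192.168.0.10 opens a web connection to public host 203.0.113.5.
    fw.outbound(Flow("tcp", "192.168.0.10", 49152, "203.0.113.5", 80))
    reply_ok = fw.inbound(Flow("tcp", "203.0.113.5", 80, "192.168.0.10", 49152))
    # Unsolicited connection from the public side: no table entry, no exception.
    unsolicited = fw.inbound(Flow("tcp", "198.51.100.7", 40000, "192.168.0.10", 8080))
    # Inbound SMTP is let through by the configured service exception.
    smtp_ok = fw.inbound(Flow("tcp", "198.51.100.7", 40001, "192.168.0.10", 25))
    # Echo request from the Internet: dropped and logged, as in the page's example.
    ping = fw.inbound(Flow("icmp", "198.51.100.7", 0, "192.168.0.10", 0))
    return reply_ok, unsolicited, smtp_ok, ping, fw.log


if __name__ == "__main__":
    print(demo())
```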