DstAddr: Parameter whose value specifies the destination of the packets.
DstMask: Parameter whose value specifies the subnet mask of the packets.
Proto: Parameter whose value specifies the protocol type. Possible values are Any, TCP,
TCP-EST (Established TCP), or UDP.
SrcPort: Parameter whose value specifies the source port of the packet. This parameter is
required only if TCP, TCP-EST, or UDP was specified as the protocol type. Specify the
value as 0 to indicate any port.
DstPort: Parameter whose value specifies the destination port of the packet. This parameter
is required only if TCP, TCP-EST, or UDP was selected as the protocol type. Specify
the value as 0 to indicate any port.
Type: Parameter whose value specifies the ICMP type of the data packet. Specify the value
as 255 to indicate any type.
Code: Parameter whose value specifies the ICMP code of the data packet. Specify the value
as 255 to indicate any code.
For example, the following command creates an inbound filter on Local Area Connection #2
that inspects packets of any protocol type. The filter inspects packets from any source
destined for the 169.254.0.0 network with a subnet mask of 255.255.0.0.
> netsh routing ip add filter name="Local Area Connection #2" filtertype=input
srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=169.254.0.0
dstmask=255.255.0.0 proto=any
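The following is an added example, not code from the original text or from Microsoft: a small Python model of how the address, mask, protocol, and port parameters above select packets, assuming the usual address-AND-mask comparison. The packet dictionaries, the established flag, and DNS_FILTER are constructed for illustration.

```python
import ipaddress

PORT_PROTOS = {"TCP", "TCP-EST", "UDP"}  # protocols that need SrcPort/DstPort

def _masked(addr, mask):
    """Bitwise AND of a dotted-quad address with a dotted-quad mask."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))

def validate(f):
    """Return a list of problems found in a filter dict (empty list = OK)."""
    problems = []
    proto = f.get("proto", "").upper()
    if proto not in PORT_PROTOS | {"ANY"}:
        problems.append("proto must be Any, TCP, TCP-EST or UDP")
    for side in ("src", "dst"):
        addr, mask = f[side + "addr"], f[side + "mask"]
        # Lint (this model's own check): address bits outside the mask never
        # take part in the comparison, so they usually indicate a typo.
        if _masked(addr, mask) != int(ipaddress.IPv4Address(addr)):
            problems.append(f"{side}addr {addr} has bits outside {side}mask {mask}")
        port = f.get(side + "port")
        if proto in PORT_PROTOS and (port is None or not 0 <= port <= 65535):
            problems.append(f"{side}port is required for {proto} (0 = any port)")
    return problems

def matches(f, pkt):
    """True if a packet dict falls inside the filter."""
    for side in ("src", "dst"):
        mask = f[side + "mask"]
        if _masked(pkt[side], mask) != _masked(f[side + "addr"], mask):
            return False
    proto = f["proto"].upper()
    if proto == "ANY":
        return True
    if pkt["proto"] != ("TCP" if proto == "TCP-EST" else proto):
        return False
    if proto == "TCP-EST" and not pkt.get("established", False):
        return False  # assumption: caller marks packets of established sessions
    return all(f[s + "port"] in (0, pkt[s + "port"]) for s in ("src", "dst"))

# The filter from the command above, and a constructed UDP/53 filter.
PAGE_FILTER = dict(srcaddr="0.0.0.0", srcmask="0.0.0.0",
                   dstaddr="169.254.0.0", dstmask="255.255.0.0", proto="any")
DNS_FILTER = dict(srcaddr="0.0.0.0", srcmask="0.0.0.0", dstaddr="192.0.2.10",
                  dstmask="255.255.255.255", proto="udp", srcport=0, dstport=53)
```

Running validate() on a planned filter before typing the netsh command catches a missing port or an address that does not agree with its mask.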
How It Works
Network firewalls are critical to protecting any organization's infrastructure. Although routers,
including the Windows Server 2003 router that we are discussing in this chapter, support packet
filters (one of the basic features of a firewall), you should decide whether you want the
router to provide this functionality, or whether you want to offload this work to a full-featured
firewall such as Microsoft ISA Server or any number of products from other vendors.
The latest generation of firewalls supports stateful packet inspection, network address and
port translation, application filtering, virus and spyware protection, content filtering, VPN
management, and much, much more. Is this too much functionality for a single device to
handle? Only you can make that decision based on the power of the device and the anticipated
traffic. If appropriate, use a single device. If not, configure your protection in layers with
multiple devices.
See Also
• Microsoft TechNet: “Packet Filtering”
  (http://technet2.microsoft.com/WindowsServer/en/Library/04025562-6f81-4272-a345-d694711c83b91033.mspx).
  This article describes packet filtering and also includes a list of ports and protocols
  used by common services.
• Internet Assigned Numbers Authority (IANA): “Port Numbers”
  (http://www.iana.org/assignments/port-numbers). This is an easy-to-use list that indicates
  what ports are used by which services. This site is very convenient if you know that you
  want to enable a packet filter for DNS (for example) but cannot remember what ports it uses.