Use this wizard page to specify which protocols and ports a network packet must use to match this firewall rule.

To get to this wizard page
  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.

  2. On the Rule Type page, select either Port or Custom.

  3. Click Next through the wizard until you reach the Protocol and Ports page.

Protocol type

Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, select Custom, and then type the protocol number in Protocol number.

If you specify TCP or UDP, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

For a list of the protocols, their protocol numbers, and a brief description, see Firewall Rule Properties Page: Protocol and Ports Tab (https://go.microsoft.com/fwlink/?linkid=137823) in the TechNet Library.

Protocol number

When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for Protocol type, then type the protocol identification number in Protocol number.

Local port

If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied.

The following options are available for inbound rules:

  • All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

  • Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.

  • RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming remote procedure call (RPC) requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send future network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.

  • RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.

    Important
    • Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC Dynamic Ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program.
    • When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for Dynamic RPC.

  • IPHTTPS. Available for TCP only. Available under Local port for inbound rules only. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports embedding Internet Protocol version 6 (IPv6) packets in Internet Protocol version 4 (IPv4) HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

  • Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets.
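The two-rule RPC pair from the Important note, written with the NetSecurity PowerShell cmdlets (Windows 8 / Windows Server 2012 and later). This is an added example, not part of the original page. Because the rules cannot filter by UUID, each is narrowed by program and remote address instead. The program path, subnet, rule names and group are hypothetical.

```powershell
# Added example. Assumed values: $serverExe, $clientSubnet, rule names, $group.
$serverExe    = 'C:\Program Files\Contoso\rpcsvc.exe'  # hypothetical RPC server binary
$clientSubnet = '10.0.10.0/24'                         # constructed client subnet
$group        = 'Contoso RPC (example)'                # hypothetical rule group

# Rule 1: RPC Endpoint Mapper (TCP 135). Scoped to the RpcSs service so that
# only the endpoint mapper itself can receive on this rule.
New-NetFirewallRule -DisplayName 'Contoso RPC-EPMap (TCP-In)' -Group $group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPCEPMap `
    -Program '%SystemRoot%\System32\svchost.exe' -Service RpcSs `
    -RemoteAddress $clientSubnet | Out-Null

# Rule 2: RPC Dynamic Ports. Matches only ports that the RPC runtime assigned;
# -Program limits the rule to the one server binary that should receive them.
New-NetFirewallRule -DisplayName 'Contoso RPC dynamic (TCP-In)' -Group $group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPC `
    -Program $serverExe -RemoteAddress $clientSubnet | Out-Null

# Read the rules back and confirm the port keyword, program and address scope.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
        Program       = $app.Program
    }
} | Format-Table -AutoSize
```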

Remote port

If you are using the TCP or UDP protocol type, you can specify the local port and remote port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied.

The following options are available for inbound rules:

  • All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

  • Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.

  • IPHTTPS. Available for TCP only. Available under Remote port for outbound rules only. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.
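All Ports and the two RPC options match far more traffic than a Specific Ports list, so rules that use them are worth reviewing. The following read-only audit is an added example, not part of the original page. It assumes the NetSecurity PowerShell cmdlets (Windows 8 / Windows Server 2012 and later) and lists enabled inbound allow rules whose local port is one of those broad options.

```powershell
# Added example: read-only audit of the effective policy (local and GPO rules).
# 'Any' is how the cmdlets report the All Ports option; 'RPC' and 'RPCEPMap'
# are the RPC Dynamic Ports and RPC Endpoint Mapper options.
$broadPorts = 'Any', 'RPC', 'RPCEPMap'

Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound `
        -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        # Port options apply only to TCP and UDP rules.
        if ($port.Protocol -notin 'TCP', 'UDP') { return }

        $hits = @($port.LocalPort | Where-Object { $_ -in $broadPorts })
        if ($hits.Count -eq 0) { return }

        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = $hits -join ','
            RemotePort    = $port.RemotePort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
            Program       = $app.Program
        }
    } |
    Sort-Object LocalPort, Rule |
    Format-Table -AutoSize -Wrap
```

Rows that show Any for both RemoteAddress and Program have no scoping beyond the port option and are the first candidates for tightening.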

Internet Control Message Protocol (ICMP) Settings

If you want to create a rule that allows or blocks ICMP packets, in the Protocol type list, select ICMPv4 or ICMPv6, and then click Customize. Use the Customize ICMP Settings dialog box to configure the settings.

How to change these settings

After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules or Outbound Rules. To change these settings, use the Protocols and Ports tab.
