Unicast IP Routing


Windows 2000 IP Packet Filtering

Windows 2000 IP packet filtering is based on exceptions. You can configure Windows 2000 either to pass all traffic except that disallowed by filters, or to discard all traffic except that allowed by filters. For example, you might configure a filter to allow all traffic except Telnet traffic (TCP port 23). Or you might set up filters on a dedicated Web server so that it processes only Web-based TCP traffic (TCP port 80). Because filters are configured separately for incoming and outgoing packets, the Web server example needs an input filter for TCP destination port 80 and a matching output filter for TCP source port 80.


Note

The Windows 2000 Router does not allow user-definable filters, in which a network administrator creates a filter on an arbitrary field of the IP, TCP, UDP, or ICMP header; only the fields listed in this section can be filtered. The Windows 2000 Router does not support filtering on any protocols other than IP, TCP, UDP, and ICMP.

Windows 2000 allows filtering on various fields in IP, TCP, UDP, and ICMP headers of incoming and outgoing packets.

IP Header

In the IP header, filters can be defined for the following fields:

IP Protocol   An identifier used to demultiplex the payload of an IP packet to an upper layer protocol. For example, TCP uses a Protocol value of 6, UDP uses 17, and ICMP uses 1. When you select TCP, UDP, or ICMP in the IP Filters dialog box, the corresponding Protocol value is used. Windows 2000 also allows you to type any protocol number in the IP Protocol text box, so packets of another protocol can be matched by protocol number alone, although no fields within such packets can be examined.

Source IP Address   The IP address of the source host, which can be configured with a subnet mask so that an entire range of IP addresses (corresponding to an IP network) is matched by a single filter entry.

Destination IP Address   The IP address of the destination host, which can be configured with a subnet mask so that an entire range of IP addresses (corresponding to an IP network) is matched by a single filter entry.

TCP Header

In the TCP header, filters can be defined for two fields: the TCP Source Port field, which identifies the source process that is sending the TCP segment; and the TCP Destination Port field, which identifies the destination process for the TCP segment.


Note

The Windows 2000 Router does not support the configuration of a range of TCP ports. For a range of TCP ports, a separate filter for each port in the range must be configured.

UDP Header

In the UDP header, filters can be defined for two fields: the UDP Source Port field, which identifies the source process that is sending the UDP message; and the UDP Destination Port field, which identifies the destination process for the UDP message.


Note

The Windows 2000 Router does not support the configuration of a range of UDP ports. For a range of UDP ports, a separate filter for each port in the range must be configured.

ICMP Header

In the ICMP header, filters can be defined for two fields: the ICMP Type field, which indicates the type of ICMP packet (such as Echo Request or Echo Reply); and the ICMP Code field, which indicates one of possibly several functions within the specified type. If there is only one function within a type, the Code field is set to 0.

Table 3.6 lists commonly used ICMP types and codes.

Table 3.6 Common ICMP Types and Codes

ICMP Type   ICMP Code   Use
0           0           Echo Reply
8           0           Echo Request
3           0           Destination Unreachable - Network Unreachable
3           1           Destination Unreachable - Host Unreachable
3           2           Destination Unreachable - Protocol Unreachable
3           3           Destination Unreachable - Port Unreachable
3           4           Destination Unreachable - Fragmentation Needed and Don't Fragment flag set
4           0           Source Quench
5           1           Redirect - Redirect datagrams for the host
9           0           Router Advertisement
10          0           Router Solicitation
11          0           Time Exceeded - TTL expired in transit
11          1           Time Exceeded - Fragment reassembly time exceeded
12          0           Parameter Problem


Note

For a complete list of ICMP types and codes, see the link at http://windows.microsoft.com/windows2000/reskit/webresources.
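The filter semantics described in this section, worked through as an added example. This is not code from the Windows 2000 Resource Kit or the Windows 2000 Router; the class and function names, the addresses, and the packets are this example's own constructions. It models one filter list per direction that either passes or drops by default, entries that match on IP Protocol, address plus subnet mask, TCP/UDP source and destination port, and ICMP Type/Code, and a helper that expands a port range into the separate per-port filters the router requires. The last scenario shows a caveat worth remembering with these filters: each packet is judged only on its own header fields, so an input filter that admits TCP source port 80 (to let answers to the server's own Web requests back in) also admits any packet an attacker chooses to send from source port 80.

```python
"""Model of Windows 2000 exception-based IP packet filtering (added example;
not code from the Windows 2000 Resource Kit or the Windows 2000 Router).
Names, addresses and packets are this example's own constructions."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1   # IP Protocol values given in the text
ANY = None                  # a field left blank in the filter dialog

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0          # TCP/UDP source port
    dport: int = 0          # TCP/UDP destination port
    itype: int = 0          # ICMP Type
    icode: int = 0          # ICMP Code

def in_subnet(addr: str, net: str, mask: str) -> bool:
    """Address-plus-mask test of the Source/Destination IP Address fields."""
    m = int(IPv4Address(mask))
    return int(IPv4Address(addr)) & m == int(IPv4Address(net)) & m

def _want(wanted: Optional[int], actual: int) -> bool:
    return wanted is ANY or wanted == actual

@dataclass(frozen=True)
class Filter:
    """One filter entry; a mask of 0.0.0.0 matches every address."""
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: Optional[int] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY
    itype: Optional[int] = ANY
    icode: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        if not (in_subnet(p.src, self.src, self.src_mask)
                and in_subnet(p.dst, self.dst, self.dst_mask)
                and _want(self.proto, p.proto)):
            return False
        # Port fields apply only to TCP/UDP, Type/Code fields only to ICMP.
        if p.proto in (TCP, UDP):
            return _want(self.sport, p.sport) and _want(self.dport, p.dport)
        if p.proto == ICMP:
            return _want(self.itype, p.itype) and _want(self.icode, p.icode)
        return True

@dataclass
class FilterList:
    """Filters for one direction (input or output) on one interface.
    drop_by_default=True is 'drop all packets except those listed',
    False is 'receive all packets except those listed'."""
    filters: List[Filter]
    drop_by_default: bool

    def decide(self, p: Packet) -> str:
        hit = any(f.matches(p) for f in self.filters)
        if self.drop_by_default:
            return "forward" if hit else "drop"
        return "drop" if hit else "forward"

def port_range_filters(base: Filter, first: int, last: int,
                       field: str = "dport") -> List[Filter]:
    """There is no port-range field, so a range becomes one filter per port."""
    return [replace(base, **{field: port}) for port in range(first, last + 1)]

# Scenarios from the text, evaluated on constructed packets.

def no_telnet_input() -> FilterList:
    """Pass all traffic except Telnet (TCP port 23)."""
    return FilterList([Filter(proto=TCP, dport=23)], drop_by_default=False)

def web_server_input() -> FilterList:
    """Dedicated Web server: drop everything inbound except TCP to port 80."""
    return FilterList([Filter(proto=TCP, dport=80)], drop_by_default=True)

def web_server_input_with_replies() -> FilterList:
    """The caveat: adding 'TCP source port 80' so the server's own outbound Web
    requests get answers also admits any packet an attacker sends from port 80."""
    return FilterList([Filter(proto=TCP, dport=80), Filter(proto=TCP, sport=80)],
                      drop_by_default=True)

def icmp_input_from_table() -> FilterList:
    """Admit from 192.168.1.0/24 only Echo Reply, Destination Unreachable (any
    code) and Time Exceeded from Table 3.6; Redirect (type 5) is not listed."""
    lan = dict(src="192.168.1.0", src_mask="255.255.255.0", proto=ICMP)
    return FilterList([Filter(itype=0, icode=0, **lan), Filter(itype=3, **lan),
                       Filter(itype=11, **lan)], drop_by_default=True)

if __name__ == "__main__":
    probe = Packet("198.51.100.9", "192.0.2.10", TCP, sport=80, dport=445)
    print("web server input:", web_server_input().decide(probe))
    print("with reply filter:", web_server_input_with_replies().decide(probe))
```

Running the script shows the probe to TCP port 445 dropped by the plain Web server input list and forwarded once the source-port-80 entry is added. When a reverse-direction filter is unavoidable, narrow it with the address and mask fields to the hosts that legitimately answer, since the port fields alone cannot tell a reply from a probe.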

© 1985-2000 Microsoft Corporation. All rights reserved.