Windows allow edge traversal
Rule groups can be used to organize rules by influence and allow batch rule modifications. Using the Set-NetFirewallRule cmdlet, if the group name is specified for a set of rules or sets, then all of the rules or sets in that group receive the same set of modifications. It is good practice to specify the Group parameter value with a universal and world-ready indirect FirewallAPI name. The DisplayGroup parameter cannot be specified upon object creation using the New-NetFirewallRule cmdlet, but can be modified using dot-notation and the Set-NetFirewallRule cmdlet.
The DisplayName parameter specifies that only matching firewall rules of the indicated display name are enabled. It is the localized, user-facing name of the firewall rule being created, and is required when creating a rule. This value is locale-dependent; even if the object is not modified, it may change in certain circumstances.
When writing scripts in multi-lingual environments, the Name parameter should be used instead, where the default value is a randomly assigned value. The DisplayName parameter cannot be set to All.
The EdgeTraversalPolicy parameter specifies that matching firewall rules of the indicated edge traversal policy are enabled. It controls how this firewall rule handles edge traversal cases. Edge traversal allows the computer to accept unsolicited inbound packets that have passed through an edge device, such as a network address translation (NAT) router or firewall. This option applies to inbound rules only. The default value is Block.
The Enabled parameter specifies that matching firewall rules of the indicated state are enabled. It specifies whether the rule object is administratively enabled or administratively disabled. The acceptable values for this parameter are True (the rule is currently enabled) and False (the rule is currently disabled).
The Group parameter specifies the source string for the DisplayGroup parameter. If the DisplayGroup parameter value is a localizable string, then this parameter contains an indirect string. Because Set-NetFirewallRule applies the same modifications to every rule or set in a named group, it is good practice to specify this parameter value with a universal and world-ready indirect FirewallAPI name.
The LocalOnlyMapping parameter indicates that matching firewall rules of the indicated value are enabled. It specifies the firewall rules for local only mapping, which describes whether a packet must pass through a local address on the way to the destination.
Non-TCP traffic is session-less. Windows Firewall authorizes traffic per session, not per packet, for performance reasons. Generally, non-TCP sessions are inferred by checking the following fields: local address, remote address, protocol, local port, and remote port.
If this parameter is set to True, then the remote address and port will be ignored when inferring remote sessions. Sessions will be grouped based on local address, protocol, and local port. This is similar to the LooseSourceMapping parameter, but performs better in cases where the traffic does not need to be filtered by remote address. This could improve performance on heavy server workloads where UDP requests come from dynamic client ports, for instance on Teredo relay servers.
The LooseSourceMapping parameter specifies the firewall rules for loose source mapping, which describes whether a packet can have a non-local source address when being forwarded to a destination. If this parameter is set to True, then the rule accepts packets incoming from a host other than the one the packets were sent to. This parameter applies only to UDP protocol traffic. The default value is False.
The Name parameter specifies that only matching firewall rules of the indicated name are enabled. This parameter acts just like a file name, in that only one rule with a given name may exist in a policy store at a time. During group policy processing and policy merge, rules that have the same name but come from multiple stores being merged will overwrite one another so that only one exists.
This overwriting behavior is desirable if the rules serve the same purpose. For instance, all of the built-in firewall rules have specific names, so an administrator can copy these rules to a GPO, and the rules will override the local versions on a local computer.
GPOs can have precedence. So if an administrator has a different or more specific rule with the same name in a higher-precedence GPO, then it overrides the other rules that exist.
The default value is a randomly assigned value. When the defaults for main mode encryption need to be overridden, specify the customized parameters and set this parameter, making it the new default setting for encryption.
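The following is an added example, not part of the original documentation, that exercises the Group, Name, LooseSourceMapping and policy-store behaviour described above. It assumes an elevated PowerShell session on Windows 8 / Windows Server 2012 or later; the group name, rule names, port 5514 and the program path are made up for illustration.

```powershell
# Added example (not from the original page). Assumptions: elevated session,
# NetSecurity module present; all names, ports and paths below are illustrative.

$group = 'Contoso Collector'   # plain source string; built-in rules use indirect
                               # names such as "@FirewallAPI.dll,-28502"

# Name is the unique key within a policy store; DisplayName is only the localized label.
New-NetFirewallRule -Name 'Contoso-Collector-UDP-In' `
    -DisplayName 'Contoso Collector (UDP-In)' `
    -Group $group -Direction Inbound -Protocol UDP -LocalPort 5514 `
    -Program 'C:\Program Files\Contoso\collector.exe' -Action Allow `
    -LooseSourceMapping $true   # accept replies from a host other than the one we sent to

New-NetFirewallRule -Name 'Contoso-Collector-TCP-In' `
    -DisplayName 'Contoso Collector (TCP-In)' `
    -Group $group -Direction Inbound -Protocol TCP -LocalPort 5514 `
    -Program 'C:\Program Files\Contoso\collector.exe' -Action Allow

# Batch modification: every rule in the group receives the same change.
Disable-NetFirewallRule -Group $group
Get-NetFirewallRule -Group $group | Select-Object Name, Enabled
Set-NetFirewallRule -Group $group -RemoteAddress 10.0.0.0/8 -Enabled True

# Name must be unique per store: a second rule with the same Name is rejected
# (the error text is the file-system "already exists" message, hence the docs'
# comparison with a file name).
try {
    New-NetFirewallRule -Name 'Contoso-Collector-TCP-In' -DisplayName 'Duplicate' `
        -Direction Inbound -Action Block -ErrorAction Stop
} catch {
    Write-Warning "Duplicate Name rejected: $($_.Exception.Message)"
}

# ActiveStore shows the merged result. If a GPO carried a rule with the same
# Name, PolicyStoreSource would name that GPO instead of PersistentStore and
# the GPO copy, not the local one, is what the engine enforces.
Get-NetFirewallRule -Name 'Contoso-Collector-*' -PolicyStore ActiveStore |
    Select-Object Name, DisplayName, Enabled, PolicyStoreSource, PolicyStoreSourceType

# Clean up everything created above in one call, again by group.
Remove-NetFirewallRule -Group $group
```

The PolicyStoreSource / PolicyStoreSourceType columns are the quickest way to confirm which copy of a same-named rule actually won the merge on a domain-joined host.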
The Owner parameter specifies that matching firewall rules of the indicated owner are enabled. It specifies the owner of the firewall rule, represented as an SDDL string. All Windows Store applications that require network traffic create network isolation rules (normally when installed via the Store), where the user that installed the application is the owner. The LocalUser and RemoteUser parameters, by contrast, specify that only network packets that are authenticated as coming from or going to an owner identified in the list of accounts (SIDs) match this rule.
The PassThru parameter returns an object representing the item with which you are working; by default, this cmdlet does not generate any output. The PolicyStore parameter targets the policy store from which to retrieve the rules to be enabled. A policy store is a container for firewall and IPsec policy.
Those applications and services must have been designed in such a way that different users can be assigned different levels of authority, but that is a completely different story, and it plays out only after client requests make it through Windows Firewall. Now create an inbound rule for yourself and call it Rule4U. You need unrestricted access; therefore, configure the rule to target all ports and protocols and all applications and services, and set its action to Allow the connection if it is secure. Otherwise, you would not be able to select the option that allows you to specify authorized users or computers.
If the rule is just for you, add your user account to the list of authorized users on the Users tab in Windows Server R2 or on the Remote Users tab in Windows Server. If the rule is just for your workstation, add its computer account to the corresponding list of authorized computers. If appropriate, do both so that unrestricted access is allowed only to you and only from your workstation.
Next to this rule action setting on the General tab, there is a button named Customize. Click it, and take a look at the available options. Here you can specify the level of security required by this rule. In our example scenario, authentication alone will suffice. In other situations, you might decide to configure the rule to also require data integrity and, possibly, encryption. There is also an option that, if enabled, would cause this rule to override other rules that block connections allowed by this rule.
Normally, block rules (that is, rules with the Block the connection action) win any conflicts with allow rules (rules with the Allow the connection action). The Override block rules option can cause your rule to win conflicts with block rules. You do not need this option in our example scenario, because you are not going to create any block rules. For Rule4U to work, you should create a suitable connection security rule. The connection security rule should target all IP addresses, ports, and protocols and should specify appropriate authentication settings: whether to request or require authentication on inbound connections, whether to request or require authentication on outbound connections, or whether to allow unauthenticated connections.
Depending on the specific requirements, you can configure the rule to use only computer-level authentication, only user-level authentication, or both. The authentication can be performed by using Kerberos V5, NTLMv2, a certificate, or a preshared key (the last only for computers). On your workstation, create a connection security rule that requests or requires computer and user authentication for inbound and outbound connections.
The two connection security rules, the one on Srv1 and the one on your workstation, should have at least one common method for computer authentication and at least one common method for user authentication. When you attempt to connect to Srv1 from your workstation, authentication will succeed and your connection request will then be analyzed against the existing inbound rules. When you attempt to communicate with other computers, those communications will occur normally because the connection security rule that you have created on your workstation targets only communications to or from Srv1.
If anyone attempts to access Srv1 from another computer and there is no matching connection security rule on that computer, authentication will fail and Rule4U will not allow unauthenticated access. If there is a suitable connection security rule on the client computer, authentication will succeed, but Rule4U will still not allow access from an unauthorized computer or by an unauthorized user.
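The Rule4U procedure above, expressed as PowerShell rather than the GUI, as an added example that is not part of the original text. It assumes a CONTOSO domain with Srv1 at 10.1.2.3, the administrator CONTOSO\alice working from the workstation CONTOSO\WS1, and Kerberos available for both computer and user authentication; every name and address is illustrative. The two halves are shown in one listing but run on different hosts.

```powershell
# Added example (not from the original text). Assumptions: CONTOSO domain,
# Srv1 = 10.1.2.3, user CONTOSO\alice, workstation CONTOSO\WS1, Kerberos works.

# Resolve the authorised principals to SIDs and wrap them in the SDDL that the
# RemoteUser / RemoteMachine parameters expect (the GUI's Users / Computers tabs).
function ConvertTo-AllowSddl {
    param([string[]]$Accounts)
    $aces = foreach ($a in $Accounts) {
        $sid = (New-Object System.Security.Principal.NTAccount($a)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    "O:LSD:$($aces -join '')"
}
$userSddl    = ConvertTo-AllowSddl -Accounts 'CONTOSO\alice'
$machineSddl = ConvertTo-AllowSddl -Accounts 'CONTOSO\WS1$'

# ----- On Srv1: the inbound rule -------------------------------------------
# "Allow the connection if it is secure" is -Action Allow plus -Authentication.
# Required means authentication only (our scenario); the Customize dialog's
# "require encryption" is -Encryption Required, and "Override block rules" is
# -OverrideBlockRules $true. Neither is needed here, so both stay at defaults.
New-NetFirewallRule -Name 'Rule4U' -DisplayName 'Rule4U' `
    -Direction Inbound -Protocol Any -Program Any -Service Any `
    -Action Allow -Authentication Required `
    -RemoteUser $userSddl -RemoteMachine $machineSddl

# Connection security rule on Srv1: require computer AND user authentication
# inbound, request it outbound, Kerberos for both phases.
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Srv1 Computer Auth' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$p2 = New-NetIPsecPhase2AuthSet -DisplayName 'Srv1 User Auth' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)
New-NetIPsecRule -DisplayName 'Srv1 Secure Inbound' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name

# ----- On WS1: a matching rule scoped to Srv1 only ---------------------------
# Create the same two auth sets on the workstation first, then scope the rule
# to Srv1's address so traffic to every other host is untouched.
New-NetIPsecRule -DisplayName 'To Srv1 Secure' `
    -RemoteAddress 10.1.2.3 `
    -InboundSecurity Request -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name
```

Because Rule4U carries both a user SDDL and a machine SDDL, a client that authenticates successfully but is not CONTOSO\alice on CONTOSO\WS1 is still refused, which is the behaviour the last paragraph describes.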
When the packet travels through the firewall the second time (after decapsulation), it has a "this packet traversed the network edge" bit set, such that only rules with the "edge traversal" bit also set will apply to the packet. Figure 4 of that patent application appears to describe the process graphically, and the "Detailed Descriptions" section beginning on page 7 describes the process in painfully specific detail.
This basically permits a host-based firewall to have different rules for traffic that came in via a tunnel through the local network's firewall, as opposed to traffic that was just sent unencapsulated by a tunnel directly through the local network's firewall. I wonder if the iptables "mark" functionality would be prior art to this patent?
It certainly seems like it does a very similar thing, albeit in an even more generic fashion, since you can write user-land code to "mark" packets for virtually any reason if you want to.
An older post, but still worth adding to. It seems that in Windows Server, this item simply means "allow packets from other subnets". At least that is the behavior I have observed. The VPN connects the two routers, so as far as the Windows computers are concerned, it's simply traffic between two different private subnets. With the setting "Block Edge Traversal", Windows will not allow connections from the other subnet.
Edge traversal occurs whenever you have a tunnel interface that goes to a less secure network, which is tunneled over another interface that is attached to a more secure network.
This means that the host is bypassing, by tunneling, one of the security boundaries set up by the local network administrator. In principle, third-party NAT-traversing tunneling technologies could do so as well. The Edge Traversal option controls whether unsolicited traffic from Teredo (and maybe other tunneling software) is allowed.
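As an added example, not part of any of the answers above, the check a practitioner would run after reading them: which enabled inbound allow rules on this host carry an edge-traversal setting other than Block, and therefore would match unsolicited traffic arriving through Teredo or another NAT-traversing tunnel. It assumes an elevated session on Windows 8 / Server 2012 or later; the rule name in the final comment is illustrative.

```powershell
# Added example (not from the original answers). Assumes an elevated session
# with the NetSecurity module; output columns come from the rule and its filters.
function Get-EdgeTraversalExposure {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -PolicyStore ActiveStore |
        Where-Object { $_.EdgeTraversalPolicy -ne 'Block' } |   # Allow, DeferToUser, DeferToApp
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                EdgeTraversal = $_.EdgeTraversalPolicy
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
                Program       = $app.Program
            }
        }
}

Get-EdgeTraversalExposure | Sort-Object EdgeTraversal, DisplayName | Format-Table -AutoSize

# Close the hole on one rule (name illustrative) once you have decided it does
# not need to accept tunneled, unsolicited inbound traffic:
# Set-NetFirewallRule -Name 'Contoso-Collector-UDP-In' -EdgeTraversalPolicy Block
```

DeferToApp and DeferToUser rows deserve the same scrutiny as Allow rows: they leave the decision to the application or to a user prompt rather than to policy.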
Asked 12 years, 1 month ago by Django Reinhardt. Viewed 67k times.