This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers.
Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.
TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service.
You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.
Click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections.
Right-click the interface on which you want to configure inbound access control, and then click Properties.
In the Components checked are used by this connectionbox, click Internet Protocol (TCP/IP), and then click Properties.
In the Internet Protocol (TCP/IP) Propertiesdialog box, click Advanced.
Click the Optionstab.
Click TCP/IP filtering, and then click Properties.
Select the Enable TCP/IP Filtering (All adapters)check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.
There are three columns with the following labels:
TCP Ports UDP Ports IP Protocols
In each column, you must select either of the following options:
Permit All. If you want to permit all packets for TCP or UDP traffic, leave Permit Allactivated.
Permit Only. If you want to allow only selected TCP or UDP traffic, click Permit Only, click Add, and then type the appropriate port in the Add Filterdialog box.
If you want to block all UDP or TCP traffic, click Permit Only, but do not add any port numbers in the UDP Portsor TCP Portcolumn. You cannot block UDP or TCP traffic by selecting Permit Onlyfor IP Protocolsand excluding IP protocols 6 and 17.
Note that you cannot block ICMP messages, even if you select Permit Onlyin the IP Protocolscolumn and you do not include IP protocol 1.
TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.
Microsoft provides thirdparty contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this thirdparty contact information.