Advanced Network Pack for Windows explained Part 2


Takuya Oikawa
Strategic Platform Group
Windows Division
Microsoft Product Development Limited




In addition to Teredo, which I explained in Part 1 of this article, Advanced Networking Pack for Windows XP has another feature that is attracting a lot of attention: a personal firewall that supports IPv6. Part 2 focuses on this IPv6-enabled personal firewall.


IPv6-enabled Internet Connection Firewall (ICF)

Windows ICF is a personal firewall feature that provides basic access control for Internet connections. Previous versions of ICF supported only IPv4, but the version of ICF shipped in Advanced Networking Pack supports IPv6. The IPv6 ICF in Advanced Networking Pack is not an upgrade of the IPv4 ICF but an independent component, with its own configuration interface and its own log file.

ICF has a basic stateful packet inspection feature that keeps track of packet flows and dynamically decides whether to accept or drop a packet received from outside. It can also perform static packet filtering based on explicitly defined rules for what to do when a packet arrives. In addition to TCP and UDP packets, ICF can also control ICMP messages. Note that ICF filters inbound traffic only: connections initiated by the host are not restricted, and their replies are accepted by the stateful inspection.

Installing Advanced Networking Pack automatically enables IPv6 ICF, and all listening ports on all network connections (network interfaces) are blocked. However, if the peer-to-peer function that is also included in Advanced Networking Pack is enabled, 3540/udp and 3587/tcp are opened to incoming traffic. If you do not use the peer-to-peer function, check with “show globalport” (described below) that these two ports are not open.

The IPv4 version of ICF is configured through the GUI in [Network Connections], but the IPv6 version is configured with the “netsh” command. The IPv6 ICF as a whole can, however, be enabled or disabled from the GUI in [Add or Remove Programs]. Open [Add or Remove Programs] and click [Add/Remove Windows Components] to start the [Windows Components Wizard], then click [Details] for [Networking Services]. IPv6 ICF is enabled or disabled by checking or unchecking the [IPv6 Internet Connection Firewall] checkbox (Figure 1).

Figure 1: Setting up IPv6 ICF as a network service.


To configure IPv6 ICF with “netsh”, type “netsh” at a command prompt to get the “netsh>” prompt, then type “firewall” to enter the firewall context. (The same commands can also be issued in one line from an ordinary command prompt, for example “netsh firewall show globalport”.) Note that this syntax belongs to the Advanced Networking Pack for Windows XP SP1; Windows XP SP2 replaced the pack with Windows Firewall, whose “netsh firewall” context uses different commands. The following three commands are available in the firewall context:
  • [show|set] globalport: display or change the port configuration (globalport) common to all adapters (network interfaces).

  • [show|set] adapter: display or change the parameters of each adapter (network interface).

  • [show|set] logging: display or change the logging parameters.

Port configurations in ICF

The basic operation of ICF is filtering TCP and UDP packets and ICMP messages and deciding whether to accept or drop them. TCP and UDP packets are filtered by listening port. This filtering can be configured as a “global port” common to all adapters, or per adapter. ICMP messages can only be controlled per adapter; there is no global ICMP setting.

The “show globalport” command displays the globalport configuration. It produces output similar to the following:
netsh firewall>show globalport

Description OpenPort Protocol
----------------------------------------------
P2P (Grouping) 3587 TCP
P2P (PNRP) 3540 UDP
“OpenPort” lists the ports that are opened, and “Protocol” the protocol (TCP or UDP) each entry applies to.

globalport is configured with the “set globalport” command:
set globalport portnumber=enable|disable [name=name] [protocol=tcp|udp]
  • portnumber: the TCP or UDP port number; “enable” opens the port and “disable” closes it (and deletes the entry).
    • name: an arbitrary name for this globalport entry, shown in the “Description” column of “show globalport”.
    • protocol: tcp or udp.
The “show adapter” command displays the configuration of each adapter. Used without parameters, it lists the adapters and whether IPv6 ICF is enabled on each, as shown below. “AdapterFriendlyName” is the name of the adapter, and “IPV6FilteringEnabled” indicates whether ICF is enabled on that adapter.
netsh firewall>show adapter

-------------------------------------------------------------------
AdapterFriendlyName IPV6FilteringEnabled
-------------------------------------------------------------------
Wireless Network Connection Yes
Teredo Tunneling Pseudo-Interface Yes
Local Area Connection Yes
6to4 Pseudo-Interface Yes
Automatic Tunneling Pseudo-Interface Yes
-------------------------------------------------------------------
The “show adapter” command can also take an adapter name as a parameter. The names are those shown under “AdapterFriendlyName” in the output of “show adapter” without parameters. Below is an example of using “show adapter” to confirm the configuration of “Wireless Network Connection”:
netsh firewall>show adapter "Wireless Network Connection"

Description EffectivePort Protocol
-------------------------------------------------------------------
P2P (Grouping) 3587 TCP
P2P (PNRP) 3540 UDP

Description OpenPort Protocol
-------------------------------------------------------------------

Description IgnoredGlobalPort Protocol
-------------------------------------------------------------------

Description ICMPTypeNo Enabled
-------------------------------------------------------------------
Allow outgoing destination unreachable 1 No
Allow outgoing packet too big 2 No
Allow outgoing time exceeded 3 No
Allow outgoing parameter problem 4 No
Allow incoming echo request 128 Yes
Allow redirect 137 No
“show adapter adaptername” displays all opened ports and the ICMP options of that adapter. Ports listed under “EffectivePort” are those actually open on the adapter: the union of the global ports common to all adapters (minus any the adapter ignores) and the adapter-specific ports. Ports listed under “OpenPort” are those opened for this adapter only, and those under “IgnoredGlobalPort” are global ports this adapter ignores. The “Protocol” column shows TCP or UDP.

For ICMP, the ICMPv6 type number is shown under “ICMPTypeNo”, and “Enabled” indicates whether reception of that message type is allowed. In the default output above only echo request (type 128) is allowed, so the host answers IPv6 ping from outside; if that is not wanted, disable it with “set adapter adaptername icmp 128=disable” (described next).

The “set adapter” command, which defines the port configuration of a particular adapter, takes the following parameters:
set adapter adaptername [icmp typenumber|all=enable|disable]
[port portnumber=enable|disable [name=name] [protocol=tcp|udp]]
[ignoreglobalport portnumber=enable|disable [name=name] [protocol=tcp|udp]]
[filtering=enable|disable]
  • icmp: controls the ICMP message given in one of the following two forms, and specifies whether reception of that message is enabled or disabled.
    • typenumber: an ICMPv6 type number. The following six types can be specified: 1 (destination unreachable), 2 (packet too big), 3 (time exceeded), 4 (parameter problem), 128 (echo request), 137 (redirect).
    • all: all of the ICMP types listed above.
  • port: controls TCP and UDP ports. portnumber is the TCP or UDP port number; “enable” opens the port on this adapter and “disable” closes it (and deletes the entry).
    • name: an arbitrary name for this port entry.
    • protocol: tcp or udp.
  • ignoreglobalport: makes the adapter named in adaptername ignore a globalport entry. portnumber is the TCP or UDP port of the global entry. “enable” makes the adapter ignore the global entry, so packets received from outside on that port are dropped on this adapter even though the port is open globally. “disable” removes the ignore entry, and the adapter follows the global configuration again.
    • name: an arbitrary name for this ignore entry.
    • protocol: tcp or udp.
  • filtering: “enable” or “disable”. Enables or disables IPv6 ICF entirely for the adapter named in adaptername. With filtering disabled, no port or ICMP setting is applied on that adapter.


Examples of port configuration in ICF

I have explained the two commands “set globalport” and “set adapter”. The following section shows some examples of configuring ports in ICF with them.

The following command opens 80/tcp as a global port, that is, for all adapters. If an HTTP service that supports IPv6 is running on the Windows host, this setting allows access to it from outside. The entry is named “http”, and that name is shown when the global ports are listed with “show globalport”.
netsh firewall>set globalport 80=enable name=http protocol=tcp
The next command configures the Teredo adapter to ignore that global entry, so the exception applies everywhere except over Teredo. With this configuration 80/tcp is not open for Teredo clients, and packets received from outside over Teredo are dropped. The entry is named “WebDisabled”, and that name is shown when the adapter configuration is displayed with “show adapter”.
netsh firewall>set adapter "Teredo Tunneling Pseudo-Interface" ignoreglobalport 80=enable name=WebDisabled protocol=tcp
Port configurations are removed with the “disable” parameter; disabling an entry deletes the entry itself rather than recording a deny. The next command removes the entry created above that ignores the 80/tcp global setting on the Teredo adapter, which again allows access from outside over Teredo on 80/tcp. However, as I explained before, when Teredo is used the application itself must set the proper socket options and be configured to receive packets from outside.
netsh firewall>set adapter "Teredo Tunneling Pseudo-Interface" ignoreglobalport 80=disable protocol=tcp
The following command deletes the globalport entry.
netsh firewall>set globalport 80=disable name=http protocol=tcp
The following two “set adapter” commands first open 80/tcp only on the “Wireless Network Connection” adapter and then delete that entry.
netsh firewall>set adapter "Wireless Network Connection" port 80=enable name=http protocol=tcp
netsh firewall>set adapter "Wireless Network Connection" port 80=disable protocol=tcp
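The interaction between globalport, port, ignoreglobalport and filtering described above, replayed as an added example in Python (not code from the article or from the Advanced Networking Pack), so that the effective port set of each adapter can be predicted before the netsh commands are typed. The adapter names are those from the “show adapter” output above. The rule that an adapter-level port entry is unaffected by an ignoreglobalport entry for the same port is an assumption, since the article does not cover that combination.

```python
"""Model of how IPv6 ICF combines globalport, per-adapter port and
ignoreglobalport settings into the EffectivePort set of an adapter.

Added example (not code from the article or from the Advanced Networking
Pack). It reproduces the precedence rules the article describes:
  - globalport entries apply to every adapter;
  - an adapter can ignore a globalport entry with ignoreglobalport;
  - an adapter can open extra ports of its own;
  - filtering=disable switches ICF off for that adapter entirely;
  - 'disable' on any entry deletes the entry rather than recording a deny.
Assumption: an adapter-level port entry is not affected by an
ignoreglobalport entry for the same port (the article does not cover that).
"""

# Adapter names as listed by 'netsh firewall show adapter' in the article.
ADAPTERS = [
    "Wireless Network Connection",
    "Teredo Tunneling Pseudo-Interface",
    "Local Area Connection",
    "6to4 Pseudo-Interface",
    "Automatic Tunneling Pseudo-Interface",
]


class Ipv6Icf:
    def __init__(self, adapters):
        self.global_ports = {}  # (protocol, port) -> description
        self.adapters = {
            name: {"filtering": True, "ports": {}, "ignored": {}} for name in adapters
        }

    @staticmethod
    def _key(protocol, port):
        if protocol.lower() not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        return (protocol.upper(), int(port))

    @staticmethod
    def _apply(table, key, enable, name):
        if enable:
            table[key] = name
        else:
            table.pop(key, None)  # disable deletes the entry

    # set globalport portnumber=enable|disable [name=name] [protocol=tcp|udp]
    def set_globalport(self, port, enable, name="", protocol="tcp"):
        self._apply(self.global_ports, self._key(protocol, port), enable, name)

    # set adapter adaptername port portnumber=enable|disable [name=name] [protocol=tcp|udp]
    def set_adapter_port(self, adapter, port, enable, name="", protocol="tcp"):
        self._apply(self.adapters[adapter]["ports"], self._key(protocol, port), enable, name)

    # set adapter adaptername ignoreglobalport portnumber=enable|disable [name=name] [protocol=tcp|udp]
    def set_ignoreglobalport(self, adapter, port, enable, name="", protocol="tcp"):
        self._apply(self.adapters[adapter]["ignored"], self._key(protocol, port), enable, name)

    # set adapter adaptername filtering=enable|disable
    def set_filtering(self, adapter, enable):
        self.adapters[adapter]["filtering"] = bool(enable)

    def effective_ports(self, adapter):
        """The EffectivePort column of 'show adapter adaptername'."""
        a = self.adapters[adapter]
        global_part = {k for k in self.global_ports if k not in a["ignored"]}
        return global_part | set(a["ports"])

    def accepts(self, adapter, protocol, port):
        """Would an inbound packet to this adapter, protocol and port be accepted?"""
        a = self.adapters[adapter]
        if not a["filtering"]:
            return True  # ICF switched off on this adapter: nothing is blocked
        return self._key(protocol, port) in self.effective_ports(adapter)


def fresh_install():
    """State after installing the pack with the peer-to-peer component enabled."""
    icf = Ipv6Icf(ADAPTERS)
    icf.set_globalport(3587, True, name="P2P (Grouping)", protocol="tcp")
    icf.set_globalport(3540, True, name="P2P (PNRP)", protocol="udp")
    return icf


def article_walkthrough():
    """Replay the article's netsh examples; after each step record whether
    80/tcp is accepted on (Wireless Network Connection, Teredo)."""
    icf = fresh_install()
    wifi = "Wireless Network Connection"
    teredo = "Teredo Tunneling Pseudo-Interface"
    steps = {}

    def snapshot(label):
        steps[label] = (icf.accepts(wifi, "tcp", 80), icf.accepts(teredo, "tcp", 80))

    icf.set_globalport(80, True, name="http", protocol="tcp")
    snapshot("set globalport 80=enable")
    icf.set_ignoreglobalport(teredo, 80, True, name="WebDisabled", protocol="tcp")
    snapshot("teredo ignoreglobalport 80=enable")
    icf.set_ignoreglobalport(teredo, 80, False, protocol="tcp")
    snapshot("teredo ignoreglobalport 80=disable")
    icf.set_globalport(80, False, protocol="tcp")
    snapshot("set globalport 80=disable")
    icf.set_adapter_port(wifi, 80, True, name="http", protocol="tcp")
    snapshot("wireless port 80=enable")
    return steps


if __name__ == "__main__":
    for label, (wifi_ok, teredo_ok) in article_walkthrough().items():
        print(f"{label:40s} wireless={wifi_ok!s:5s} teredo={teredo_ok}")
```

The walkthrough ends in the state the article's last two commands start from (80/tcp open on the wireless adapter only); the filtering=disable case is worth checking separately, because it silently makes every port entry irrelevant on that adapter.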

Logging features of ICF

ICF can be configured to log successful connections and dropped packets. The log file uses the W3C extended log file format, so it can be analyzed with generally available log analysis tools.

The “set logging” command configures the ICF log:
set logging [filelocation=filelocation]
[filesize=size]
[droppedpackets=enable|disable]
[successfulconnections=enable|disable]
  • filelocation: the path of the log file.
  • filesize: the maximum size of the log file in KB.
  • droppedpackets: whether to log dropped packets; “enable” logs them, “disable” turns the logging off.
  • successfulconnections: whether to log successful connections; “enable” logs them, “disable” turns the logging off.
After Advanced Networking Pack is installed, logging is disabled by default. It is recommended to enable logging of dropped packets with the following command, since without it a scan or a blocked connection attempt leaves no trace:
netsh firewall>set logging droppedpackets=enable
The “show logging” command displays the log configuration of ICF. In the following example, ICF is configured to log dropped packets only.
netsh firewall>show logging
Log configuration of IPv6 Internet Connection Firewall


Successful connection: Disabled
Dropped packet: Enabled
File location: C:\WINDOWS\pfirewall-v6.log
File size: 4096 KB
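The log format mentioned above, and the analysis a practitioner actually wants from it, as an added example in Python (not code from the article or from Microsoft): a parser driven by the W3C “#Fields:” directive, run over a constructed pfirewall-v6.log sample, to count drops by destination port and flag sources that probe several closed ports. The field layout of the sample is an assumption modelled on the IPv4 pfirewall.log header; the parser follows whatever “#Fields:” line the real file carries.

```python
"""Parse an ICF log in W3C extended log file format and summarise drops.

Added example (not code from the article or from Microsoft). The '#Fields:'
layout in the constructed sample is an assumption modelled on the IPv4
pfirewall.log header; the parser takes the field names from whatever
'#Fields:' directive the real file carries, so it is not tied to that layout.
"""
from collections import Counter

# Constructed sample of a pfirewall-v6.log; not captured from a real host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Connection Firewall
#Version: 1.0
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-02-10 09:15:01 DROP TCP 2001:db8:1::10 2001:db8:1::2 40211 445 48 S 1234567 0 16384 - - -
2004-02-10 09:15:02 DROP TCP 2001:db8:1::10 2001:db8:1::2 40212 135 48 S 1234568 0 16384 - - -
2004-02-10 09:15:03 DROP TCP 2001:db8:1::10 2001:db8:1::2 40213 139 48 S 1234569 0 16384 - - -
2004-02-10 09:15:04 DROP UDP 2001:db8:2::77 2001:db8:1::2 5353 1900 120 - - - - - - -
2004-02-10 09:15:05 OPEN TCP 2001:db8:1::2 2001:db8:3::5 1033 80 - - - - - - - -
2004-02-10 09:15:06 DROP ICMP 2001:db8:2::77 2001:db8:1::2 - - 64 - - - - 137 0 -
2004-02-10 09:15:07 DROP TCP 2001:db8:1::10 2001:db8:1::2 40214 22 48 S 1234570 0 16384 - - -
"""


def parse_w3c_log(text):
    """Return one dict per data line, keyed by the names in the #Fields: directive.
    '-' means 'no value' in W3C logs and is mapped to None."""
    fields = None
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, ...) carry no data
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def dropped_by_port(records):
    """Count DROP entries per (protocol, destination port)."""
    counts = Counter()
    for r in records:
        if r["action"] == "DROP" and r["dst-port"] is not None:
            counts[(r["protocol"], int(r["dst-port"]))] += 1
    return counts


def top_sources(records, action="DROP", n=5):
    """Most frequent source addresses for the given action."""
    return Counter(r["src-ip"] for r in records if r["action"] == action).most_common(n)


def scan_candidates(records, min_ports=3):
    """Sources whose dropped TCP packets hit at least min_ports distinct ports:
    a crude indicator of a port scan against this host."""
    ports_by_src = {}
    for r in records:
        if r["action"] == "DROP" and r["protocol"] == "TCP" and r["dst-port"] is not None:
            ports_by_src.setdefault(r["src-ip"], set()).add(int(r["dst-port"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    print("dropped per port:", dict(dropped_by_port(recs)))
    print("top sources:", top_sources(recs))
    print("scan candidates:", scan_candidates(recs))
```

Enable droppedpackets logging first, as recommended above; with only successfulconnections enabled the log contains nothing for scan_candidates to find. For a real file, read C:\WINDOWS\pfirewall-v6.log (the path shown by “show logging”) and pass its contents to parse_w3c_log.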


Summary

In this two-part article I introduced the basic features of Advanced Networking Pack that strengthen IPv6 support in Windows. Teredo, a new tunneling feature that achieves NAT traversal, and ICF, an IPv6-enabled personal firewall that protects against external intruders over IPv6, are both key components for promoting the use of IPv6. I hope this article has helped you understand the background of these technologies and what they can do. Unfortunately, a complete description was not possible here due to space constraints; for detailed information, please refer to the following references.

References
