2.2.2.19 Firewall Rule and the Firewall Rule Grammar Rule

Firewall rules are stored under the Software\Policies\Microsoft\WindowsFirewall\FirewallRules key.

Each value under the key is a firewall rule. The type of the value MUST be REG_SZ. The data of each value is a string that can be parsed by the following grammar. This grammar represents a firewall rule as defined in [MS-FASP] section 2.2.37, except for the wszRuleId field of the FW_RULE structure which is instead represented by the name of the registry value.

 RULE = "v" VERSION "|" 1*FIELD
  
 FIELD = TYPE-VALUE "|"
  
 TYPE-VALUE =  "Action=" ACTION-VAL
 TYPE-VALUE =/ "Dir=" DIR-VAL
 TYPE-VALUE =/ "Profile=" PROFILE-VAL
 TYPE-VALUE =/ "Protocol=" 1*3DIGIT                ; protocol is maximum 3 digits (255)
 TYPE-VALUE =/ "LPort=" ( PORT-VAL / LPORT-KEYWORD-VAL )
 TYPE-VALUE =/ "RPort=" PORT-VAL
 TYPE-VALUE =/ "LPort2_10=" ( PORT-RANGE-VAL / LPORT-KEYWORD-VAL-2-10 )
 TYPE-VALUE =/ "RPort2_10=" ( PORT-RANGE-VAL / RPORT-KEYWORD-VAL-2-10 )
 TYPE-VALUE =/ "Security=" IFSECURE-VAL
 TYPE-VALUE =/ "Security2_9=" IFSECURE2-9-VAL
 TYPE-VALUE =/ "Security2=" IFSECURE2-10-VAL 
 TYPE-VALUE =/ "IF=" IF-VAL
 TYPE-VALUE =/ "IFType=" IFTYPE-VAL
 TYPE-VALUE =/ "App=" APP-VAL
 TYPE-VALUE =/ "Svc=" SVC-VAL
 TYPE-VALUE =/ "LA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL )
 TYPE-VALUE =/ "RA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
 TYPE-VALUE =/ "LA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL )
 TYPE-VALUE =/ "RA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
 TYPE-VALUE =/ "Name=" STR-VAL
 TYPE-VALUE =/ "Desc=" STR-VAL
 TYPE-VALUE =/ "EmbedCtxt=" STR-VAL
 TYPE-VALUE =/ "Edge=" BOOL-VAL
 TYPE-VALUE =/ "Defer=" DEFER-VAL
 TYPE-VALUE =/ "LSM=" BOOL-VAL
 TYPE-VALUE =/ "Active=" BOOL-VAL
 TYPE-VALUE =/ "ICMP4=" ICMP-TYPE-CODE-VAL
 TYPE-VALUE =/ "ICMP6=" ICMP-TYPE-CODE-VAL
 TYPE-VALUE =/ "Platform=" PLATFORM-VAL
 TYPE-VALUE =/ "RMauth=" STR-VAL
 TYPE-VALUE =/ "RUAuth=" STR-VAL
 TYPE-VALUE =/ "AuthByPassOut=" BOOL-VAL
 TYPE-VALUE =/ "SkipVer=" VERSION
 TYPE-VALUE =/ "LOM=" BOOL-VAL
 TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL
 TYPE-VALUE =/ "PCross=" BOOL-VAL
 TYPE-VALUE =/ "LUAuth=" STR-VAL
 TYPE-VALUE =/ "RA42=" ADDRESS-KEYWORD-VAL-2-20
 TYPE-VALUE =/ "RA62=" ADDRESS-KEYWORD-VAL-2-20
 TYPE-VALUE =/ "LUOwn=" STR-VAL
 TYPE-VALUE =/ "AppPkgId=" STR-VAL
 TYPE-VALUE =/ "LPort2_20=" LPORT-KEYWORD-VAL-2-20
 TYPE-VALUE =/ "TTK=" TRUST-TUPLE-KEYWORD-VAL
 TYPE-VALUE =/ "TTK2_22=" TRUST-TUPLE-KEYWORD-VAL2-22
 TYPE-VALUE =/ "TTK2_27=" TRUST-TUPLE-KEYWORD-VAL2-27
 TYPE-VALUE =/ "TTK2_28=" TRUST-TUPLE-KEYWORD-VAL2-28
 TYPE-VALUE =/ "LUAuth2_24=" STR-VAL
 TYPE-VALUE =/ "NNm=" STR-ENC-VAL
 TYPE-VALUE =/ "SecurityRealmId=" STR-VAL
  
 VERSION = MAJOR-VER "." MINOR-VER
  
 MAJOR-VER = 1*3DIGIT
 MINOR-VER = 1*3DIGIT
  
 APP-VAL = 1*ALPHANUM
 SVC-VAL = "*" / 1*ALPHANUM
  
 STR-VAL = 1*ALPHANUM

MAJOR-VER: This grammar rule describes a decimal number that represents the high order 8 bits of the wSchemaVersion field of the FW_RULE structure as defined in [MS-FASP] section 2.2.37. Because of this, the decimal value of this number MUST NOT be greater than 255. The following grammar rules can also be found in the previously mentioned [MS-FASP] section 2.2.37.

MINOR-VER: This grammar rule describes a decimal number that represents the low order 8 bits of the wSchemaVersion field of the FW_RULE structure. Because of this, the decimal value of this number MUST NOT be greater than 255.

VERSION: This grammar rule describes a decimal value whose low-order 8 bits are those described in the MINOR-VER grammar rule, and whose high-order 8 bits are those described in the MAJOR-VER grammar rule.

Action=: This token value represents the Action field of the FW_RULE structure as defined in [MS-FASP] section 2.2.37. The ACTION-VAL grammar rule represents the value contents of this field. This token MUST appear at most once in a rule string. The remaining token values in this list can be found in the same Protocol specification section except where noted.

Dir=: This token value represents the Direction field of the FW_RULE structure. The DIR-VAL grammar rule represents the value contents of this field. This token MUST appear at most once in a rule string.

Profile=: This token value represents the dwProfiles field of the FW_RULE structure. The PROFILE-VAL grammar rule represents a value content of such field. If this token appears more than once in a RULE grammar rule, then all the contents represented by the PROFILE-VAL rule appearing next to them are included. If the Profile= token never appears in the rule string then it represents a value of FW_PROFILE_TYPE_ALL as defined in [MS-FASP] section 2.2.2.

Protocol=: This token value represents the wIpProtocol field of the FW_RULE structure. The 1*3DIGIT grammar rule represents the value content of this field. Such value MUST NOT be greater than 255. The Protocol token MUST appear at most once in a RULE grammar rule. If a Protocol token does not appear in the rule string, then the meaning is the same as a value of 256 in the wIpProtocol field in [MS-FASP] section 2.2.37.

LPort=: This token value represents the LocalPorts field of the FW_RULE structure. As such defined, LocalPorts is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which also contains a pPorts array of type FW_PORT_RANGE. The PORT-VAL grammar rule represents an entry in the pPorts field. The LPORT-KEYWORD-VAL grammar rule, however, represents the wPortKeywords field of the LocalPorts field (which is of type FW_PORTS) of the FW_RULE structure. If the "LPort=" token appears multiple times in the rule string, then all the respective PORT-VAL rules and LPORT-KEYWORD-VAL rules of such appearances are allowed.

LPort2_10=: This token value represents the LocalPorts field of the FW_RULE structure. Similarly to the case of the "LPort=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field. The LPORT-KEYWORD-VAL-2-10 grammar rule, however, represents the wPortKeywords field of the LocalPorts field (which is of type FW_PORTS) of the FW_RULE structure. If the LPort token appears multiple times in the rule string, then all the respective PORT-RANGE-VAL rules and LPORT-KEYWORD-VAL-2-10 rules of such appearances are allowed.

RPort=: This token value represents the RemotePorts field of the FW_RULE structure. As such defined, RemotePorts is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which also contains a pPorts array of type FW_PORT_RANGE. The PORT-VAL grammar rule represents an entry in the pPorts field. If the RPort token appears multiple times in the rule string, then all the respective PORT-VAL rules of such appearances are allowed.

RPort2_10=: This token value represents the RemotePorts field of the FW_RULE structure. Similarly to the case of the "RPort=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field. The RPORT-KEYWORD-VAL-2-10 grammar rule however represents the wPortKeywords field of the RemotePorts field (which is of type FW_PORTS) of the FW_RULE structure. If the RPort token appears multiple times in the rule string, then all the respective PORT-RANGE-VAL rules and RPORT-KEYWORD-VAL-2-10 rules of such appearances are allowed.

Security=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string.

Security2_9=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string. Also this token MUST appear only if the VERSION is a number greater than or equal to 0x0209.

Security2=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string. Also this token MUST appear only if the VERSION is a number greater than or equal to 0x020A.

IF=: This token represents an entry in the LocalInterfaceIds field of the FW_RULE structure.

IFType=: This token represents the dwLocalInterfaceType field of the FW_RULE structure.

App=: This token represents the wszLocalApplication field of the FW_RULE structure. The grammar rule APP-VAL represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.

Svc=: This token represents the wszLocalService field of the FW_RULE structure. The grammar rule SVC-VAL represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.

LA4=: This token value represents the LocalAddress field of the FW_RULE structure, specifically the v4 fields. As such defined LocalAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV4AddressKeyword field, a V4Ranges field of type FW_IPV4_RANGE_LIST, which also contains a pRanges array of type FW_IPV4_ADDRESS_RANGE, and lastly a V4SubNets field of type FW_IPV4_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV4_SUBNET. The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field. If the "LA4" token appears multiple times in the rule string, then all the respective ADDRESSV4-RANGE-VAL and ADDRESSV4-SUBNET-VAL rules of such appearances are allowed.

RA4=: This token value represents the RemoteAddress field of the FW_RULE structure, specifically the v4 fields. As such defined RemoteAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV4AddressKeyword field, a V4Ranges field of type FW_IPV4_RANGE_LIST, which also contains a pRanges array of type FW_IPV4_ADDRESS_RANGE, and lastly a V4SubNets field of type FW_IPV4_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV4_SUBNET. The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field. The ADDRESS-KEYWORD-VAL grammar rule, however, represents the dwV4AddressKeywords field. If the "RA4" token appears multiple times in the rule string, then all the respective ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and the ADDRESS-KEYWORD-VAL rules of such appearances are allowed.

LA6=: This token value represents the LocalAddress field of the FW_RULE structure, specifically the v6 fields. As such defined LocalAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV6AddressKeyword field, a V6Ranges field of type FW_IPV6_RANGE_LIST, which also contains a pRanges array of type FW_IPV6_ADDRESS_RANGE, and lastly a V6SubNets field of type FW_IPV6_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV6_SUBNET. The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field. If the "LA6" token appears multiple times in the rule string, then all the respective ADDRESSV6-RANGE-VAL and ADDRESSV6-SUBNET-VAL rules of such appearances are allowed.

RA6=: This token value represents the RemoteAddress field of the FW_RULE structure, specifically the v6 fields. As such defined RemoteAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV6AddressKeyword field, a V6Ranges field of type FW_IPV6_RANGE_LIST, which also contains a pRanges array of type FW_IPV6_ADDRESS_RANGE, and lastly a V6SubNets field of type FW_IPV6_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV6_SUBNET. The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field. The ADDRESS-KEYWORD-VAL grammar rule, however, represents the dwV6AddressKeywords field. If the "RA6" token appears multiple times in the rule string, then all the respective ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and the ADDRESS-KEYWORD-VAL rules of such appearances are allowed.

Name=: This token represents the wszName field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.

Desc=: This token represents the wszDescription field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.

EmbedCtxt=: This token represents the wszEmbeddedContext field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.

Edge=: This token represents the FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Edge=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.

Defer=: This token represents the contents of the wFlags field of the FW_RULE structure on the position defined by the FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_APP and FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_USER flags (as defined in [MS-FASP] section 2.2.35). The DEFER-VAL grammar rule represents the Boolean contents of such flags as defined in section 2.2.2.14. If the "Defer=" token does not appear in the rule, then a Boolean value of false is assumed for both flags. Also this token MUST appear only if the VERSION is a number greater than or equal to 0x020A. This token MUST appear at most once in a rule string.

LSM=: This token represents the FW_RULE_FLAGS_LOOSE_SOURCE_MAPPED flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "LSM=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.

Active=: This token represents the FW_RULE_FLAGS_ACTIVE flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Active=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.

ICMP4=: This token value represents the V4TypeCodeList field of the FW_RULE structure. As such defined V4TypeCodeList is of type FW_ICMP_TYPE_CODE_LIST, it contains a pEntries array of type FW_ICMP_TYPE_CODE. The ICMP-TYPE-CODE-VAL grammar rule represents an entry in the pEntries field. If the "ICMP4=" token appears multiple times in the rule string, then all the respective ICMP-TYPE-CODE-VAL grammar rules of such appearances are allowed.

ICMP6=: This token value represents the V6TypeCodeList field of the FW_RULE structure. As such defined V6TypeCodeList is of type FW_ICMP_TYPE_CODE_LIST, it contains a pEntries array of type FW_ICMP_TYPE_CODE. The ICMP-TYPE-CODE-VAL grammar rule represents an entry in the pEntries field. If the "ICMP6=" token appears more than once in the rule string, then all the respective ICMP-TYPE-CODE-VAL grammar rules of such appearances are allowed.

Platform=: This token value represents the PlatformValidityList field of the FW_RULE structure. As such defined PlatformValidityList is of type FW_OS_PLATFORM_LIST, it contains a pPlatforms array of type FW_OS_PLATFORM. The PLATFORM-VAL grammar rule represents an entry in the pPlatforms field. If the "Platform=" token appears multiple times in the rule string, then all the respective PLATFORM-VAL grammar rules of such appearances are allowed.

RMAuth=: This token represents the wszRemoteMachineAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.

RUAuth=: This token represents the wszRemoteUserAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.

AuthByPassOut=: This token represents the FW_RULE_FLAGS_AUTHENTICATE_BYPASS_OUTBOUND flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "AuthByPassOut=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.

SkipVer=: The VERSION grammar rule following this token represents the highest inherent version of the Firewall and Advanced Security components that can ignore this rule string completely. The inherent version of a Firewall and Advanced Security component is the highest version that component supports.

LOM=: This token represents the FW_RULE_FLAGS_LOCAL_ONLY_MAPPED flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "LOM=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear only once in a rule string.

Platform2=: This token represents the operator to use on the last entry of the PlatformValidityList field of the FW_RULE structure. Hence the PLATFORM-OP-VAL grammar rule represents the five most significant bits of the bPlatform field of the last FW_OS_PLATFORM structure entry (as defined in [MS-FASP] section 2.2.30) of the pPlatforms field of the FW_OS_PLATFORM_LIST structure as defined in [MS-FASP] section 2.2.31.

PCROSS=: This token represents the FW_RULE_FLAGS_ALLOW_PROFILE_CROSSING flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "PCROSS=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear only once in a rule string.

LUAuth=: This token represents the wszLocalUserAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear only once in a rule string.

RA42=: This token value represents the RemoteAddresses field of the FW_RULE structure, specifically the dwV4AddressKeywords field. The ADDRESS-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwV4AddressKeywords field. If the "RA42=" token appears multiple times in the rule string, then all the respective ADDRESS-KEYWORD-VAL-2-20 rules of such appearances are allowed.

RA62=: This token value represents the RemoteAddresses field of the FW_RULE structure, specifically the dwTrustTupleKeywords field. The ADDRESS-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwV6AddressKeywords field. If the "RA62=" token appears multiple times in the rule string, then all the respective ADDRESS-KEYWORD-VAL-2-20 rules of such appearances are allowed.

LUOwn=: This token represents the wszLocalUserOwner field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear only once in a rule string.

AppPkgId=: This token represents the wszPackageId field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear only once in a rule string.

LPort2_20=: This token value represents the LocalPorts field of the FW_RULE structure, specifically the wPortKeywords field. The LPORT-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "LPort2_20=" token appears multiple times in the rule string, then all the respective LPORT-KEYWORD-VAL-2-20 rules of such appearances are allowed.

TTK=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL rules of such appearances are allowed.

LUAuth2_24=: This token value<3> represents the base64 encoded content of wszLocalUserAuthorizationList and it also adds the FW_RULE_FLAGS_LUA_CONDITIONAL_ACE flag on the wFlags field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). This token MUST appear only once in a rule string.

NNm=: This token value<4> represents the OnNetworkNames field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). The STR-ENC-VAL grammar rule represents an encoded string that represents the contents of such field. This token MUST appear only once in a rule string.

SecurityRealmId=: This token<5> represents the wszSecurityRealmId field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). The STR-VAL grammar rule represents a Unicode string that represents the contents of the field. This token MUST appear only once in a rule string.

TTK2_22=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-22 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_22=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-22 rules of such appearances are allowed.

TTK2_27=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-27 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_27=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-27 rules of such appearances are allowed.

TTK2_28=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-28 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_28=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-28 rules of such appearances are allowed.

The "LPort=" token MUST appear only if a "Protocol=" token has appeared before it on the rule string AND the value of the "Protocol=" token is either 6 (for TCP) or 17 (for UDP). The same applies to the "RPort=", "LPort2_10=" and "RPort2_10=" tokens. The "ICMP4=" and "ICMP6=" tokens MUST appear only if the "Protocol=" token has appeared before it on the rule string and expressed a value of 1 for "ICMP4=" or of 58 for "ICMP6=". The "LPort=", "RPort=", "LPort2_10=", and "RPort2_10=" tokens cannot appear in a rule string where a "ICMP4=" or a "ICMP6=" token appears and vice versa.

The semantic checks described in [MS-FASP] section 2.2.37 are also applicable to the firewall rules described in this section after following the mapping in each of the preceding tokens.
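
The structural constraints of this section, as an added example that is not part of the specification: a Python checker for the REG_SZ data of one rule value. It enforces the RULE/FIELD framing, the 255 limits, the at-most-once tokens, the version gates and the Protocol ordering rules. The names check_rule, SINGLE, OTHER, PORT, ICMP and MIN_VER are hypothetical, the two rule strings are constructed, and case-insensitive token matching is an assumption.

```python
import re

# Tokens the page says MUST appear at most once ("only once") in a rule string.
SINGLE = set("""action dir protocol security security2_9 security2 app svc name
desc embedctxt edge defer lsm active rmauth ruauth authbypassout lom pcross
luauth luown apppkgid luauth2_24 nnm securityrealmid""".split())
# Remaining grammar tokens: repeatable, or no count constraint stated on the page.
OTHER = set("""profile lport rport lport2_10 rport2_10 if iftype la4 ra4 la6 ra6
icmp4 icmp6 platform skipver platform2 ra42 ra62 lport2_20 ttk ttk2_22 ttk2_27
ttk2_28""".split())
PORT = {"lport", "rport", "lport2_10", "rport2_10"}   # need Protocol 6 or 17
ICMP = {"icmp4": 1, "icmp6": 58}                      # need Protocol 1 / 58
MIN_VER = {"security2_9": 0x0209, "security2": 0x020A, "defer": 0x020A}

def check_rule(data):
    """Return (fields, problems) for the REG_SZ data of one rule value."""
    fields, problems, seen, proto = [], [], set(), None
    m = re.fullmatch(r"v([0-9]{1,3})\.([0-9]{1,3})\|(.+\|)", data, re.S)
    if not m:
        return fields, ['not of the form "v" VERSION "|" 1*FIELD']
    major, minor = int(m.group(1)), int(m.group(2))
    if major > 255 or minor > 255:
        problems.append("MAJOR-VER or MINOR-VER is greater than 255")
    version = (major << 8) | minor          # same layout as wSchemaVersion
    for raw in m.group(3)[:-1].split("|"):
        name, sep, value = raw.partition("=")
        key = name.lower()   # assumption: token names match case-insensitively
        if not sep or key not in SINGLE | OTHER:
            problems.append(f"unknown field {raw!r}")
            continue
        fields.append((name, value))
        if key in SINGLE and key in seen:
            problems.append(f"{name}= appears more than once")
        seen.add(key)
        if key == "protocol":
            if re.fullmatch(r"[0-9]{1,3}", value) and int(value) <= 255:
                proto = int(value)
            else:
                problems.append("Protocol= is not a number in 0..255")
        if key in PORT and proto not in (6, 17):
            problems.append(f"{name}= needs an earlier Protocol=6 or Protocol=17")
        if key in ICMP and proto != ICMP[key]:
            problems.append(f"{name}= needs an earlier Protocol={ICMP[key]}")
        if version < MIN_VER.get(key, 0):
            problems.append(f"{name}= requires VERSION >= {MIN_VER[key]:#06x}")
    if seen & PORT and seen & set(ICMP):
        problems.append("port tokens and ICMP tokens cannot be combined")
    return fields, problems

# Constructed sample data; field values are illustrative and are not validated.
GOOD = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=RDPIn|"
BAD = "v2.0|Action=Allow|LPort=445|Protocol=6|Defer=App|Action=Block|"

if __name__ == "__main__":
    for rule in (GOOD, BAD):
        print(rule, check_rule(rule)[1], sep="\n  ")
```

The checker covers only the constraints stated in this section; the value grammars defined elsewhere (ACTION-VAL, PORT-VAL and so on) and the semantic checks of [MS-FASP] section 2.2.37 are out of its scope.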