2.2.7.1 Main Mode Rule and the Main Mode Rule Grammar Rule
Main mode rules are stored under the Software\Policies\Microsoft\WindowsFirewall\MainModeRules key.
Each value under the key is a main mode rule. The type of the value MUST be REG_SZ. The data of each value is a string that can be parsed by the following grammar. This grammar represents a main mode rule as defined in [MS-FASP] section 2.2.85, except for the wszRuleId field of the FW_MM_RULE structure, which is instead represented by the name of the registry value.
MMRULE = "v" VERSION "|" 1*FIELD
FIELD = TYPE-VALUE "|"
TYPE-VALUE =/ "Profile=" PROFILE-VAL
TYPE-VALUE =/ "Auth1Set=" STR-VAL
TYPE-VALUE =/ "Crypto1Set=" STR-VAL
TYPE-VALUE =/ "EP1_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP1_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "Name=" STR-VAL
TYPE-VALUE =/ "Desc=" STR-VAL
TYPE-VALUE =/ "EmbedCtxt=" STR-VAL
TYPE-VALUE =/ "Active=" BOOL-VAL
TYPE-VALUE =/ "Platform=" PLATFORM-VAL
TYPE-VALUE =/ "SkipVer=" VERSION
TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL
STR-VAL = 1*ALPHANUM
BOOL-VAL = "TRUE" / "FALSE"
Profile=: This token value represents the dwProfiles field of the FW_MM_RULE structure as defined in [MS-FASP] section 2.2.85. The PROFILE-VAL grammar rule represents the contents of that field. If this token appears several times in an MMRULE grammar rule, the PROFILE-VAL contents of all appearances are included. If the "Profile=" token never appears in the rule string, the field takes the value FW_PROFILE_TYPE_ALL as defined in [MS-FASP] section 2.2.2.
EP1_4=: This token value represents the IPv4 portion of the Endpoint1 field of the FW_MM_RULE structure as defined in [MS-FASP] section 2.2.85. Endpoint1 is of type FW_ADDRESSES, which carries three IPv4 fields: a dwV4AddressKeywords field, a V4Ranges field of type FW_IPV4_RANGE_LIST (whose pRanges array holds FW_IPV4_ADDRESS_RANGE entries), and a V4SubNets field of type FW_IPV4_SUBNET_LIST (whose pSubNets array holds FW_IPV4_SUBNET entries). The ADDRESSV4-RANGE-VAL grammar rule represents one entry in pRanges, the ADDRESSV4-SUBNET-VAL rule represents one entry in pSubNets, and the ADDRESS-KEYWORD-VAL rule represents the dwV4AddressKeywords field. If the "EP1_4=" token appears multiple times in the rule string, the ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and ADDRESS-KEYWORD-VAL values of all appearances are included.
EP2_4=: This token value represents the IPv4 portion of the Endpoint2 field of the FW_MM_RULE structure as defined in [MS-FASP] section 2.2.85. Endpoint2 is of type FW_ADDRESSES, which carries three IPv4 fields: a dwV4AddressKeywords field, a V4Ranges field of type FW_IPV4_RANGE_LIST (whose pRanges array holds FW_IPV4_ADDRESS_RANGE entries), and a V4SubNets field of type FW_IPV4_SUBNET_LIST (whose pSubNets array holds FW_IPV4_SUBNET entries). The ADDRESSV4-RANGE-VAL grammar rule represents one entry in pRanges, the ADDRESSV4-SUBNET-VAL rule represents one entry in pSubNets, and the ADDRESS-KEYWORD-VAL rule represents the dwV4AddressKeywords field. If the "EP2_4=" token appears multiple times in the rule string, the ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and ADDRESS-KEYWORD-VAL values of all appearances are included.
EP1_6=: This token value represents the IPv6 portion of the Endpoint1 field of the FW_MM_RULE structure as defined in [MS-FASP] section 2.2.85. Endpoint1 is of type FW_ADDRESSES, which carries three IPv6 fields: a dwV6AddressKeywords field, a V6Ranges field of type FW_IPV6_RANGE_LIST (whose pRanges array holds FW_IPV6_ADDRESS_RANGE entries), and a V6SubNets field of type FW_IPV6_SUBNET_LIST (whose pSubNets array holds FW_IPV6_SUBNET entries). The ADDRESSV6-RANGE-VAL grammar rule represents one entry in pRanges, the ADDRESSV6-SUBNET-VAL rule represents one entry in pSubNets, and the ADDRESS-KEYWORD-VAL rule represents the dwV6AddressKeywords field. If the "EP1_6=" token appears multiple times in the rule string, the ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and ADDRESS-KEYWORD-VAL values of all appearances are included.
EP2_6=: This token value represents the IPv6 portion of the Endpoint2 field of the FW_MM_RULE structure as defined in [MS-FASP] section 2.2.85. Endpoint2 is of type FW_ADDRESSES, which carries three IPv6 fields: a dwV6AddressKeywords field, a V6Ranges field of type FW_IPV6_RANGE_LIST (whose pRanges array holds FW_IPV6_ADDRESS_RANGE entries), and a V6SubNets field of type FW_IPV6_SUBNET_LIST (whose pSubNets array holds FW_IPV6_SUBNET entries). The ADDRESSV6-RANGE-VAL grammar rule represents one entry in pRanges, the ADDRESSV6-SUBNET-VAL rule represents one entry in pSubNets, and the ADDRESS-KEYWORD-VAL rule represents the dwV6AddressKeywords field. If the "EP2_6=" token appears multiple times in the rule string, the ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and ADDRESS-KEYWORD-VAL values of all appearances are included.
Name=: This token represents the wszName field of the FW_MM_RULE structure as defined in [MS-FASP] section 2.2.85. The remaining token values in this list can be found in the same Protocol specification section. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Desc=: This token represents the wszDescription field of the FW_MM_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
EmbedCtxt=: This token represents the wszEmbeddedContext field of the FW_MM_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Active=: This token represents the FW_CS_RULE_FLAGS_ACTIVE flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_MM_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Active=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Platform=: This token value represents the PlatformValidityList field of the FW_MM_RULE structure. PlatformValidityList is of type FW_OS_PLATFORM_LIST, which contains a pPlatforms array of type FW_OS_PLATFORM. The PLATFORM-VAL grammar rule represents one entry in the pPlatforms array. If the "Platform=" token appears multiple times in the rule string, the PLATFORM-VAL entries of all appearances are included, in order.
SkipVer=: The VERSION grammar rule following this token represents the highest inherent version of the Firewall and Advanced Security components that can ignore this rule string completely; a component whose inherent version is at or below this value may skip the rule. The inherent version of a Firewall and Advanced Security component is the highest version that component supports.
Platform2=: This token represents the operator to use on the last entry of the PlatformValidityList field of the FW_MM_RULE structure. Hence the PLATFORM-OP-VAL grammar rule represents the five most significant bits of the bPlatform field of the last FW_OS_PLATFORM structure entry (as defined in [MS-FASP] section 2.2.30) of the pPlatforms field of the FW_OS_PLATFORM_LIST structure as defined in [MS-FASP] section 2.2.31.
Auth1Set=: This token represents the wszPhase1AuthSet field of the FW_MM_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Crypto1Set=: This token represents the wszPhase1CryptoSet field of the FW_MM_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
The semantic checks described in [MS-FASP] section 2.2.85 are also applicable to the main mode rules described in this section after following the mapping in each of the preceding tokens.
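The grammar and the token semantics above can be exercised with a small parser that also enforces the at-most-once constraints, the repeated-token accumulation for Profile= and EPx_y=, the defaults for a missing Profile= or Active=, and the SkipVer= check. The following is an added example, not code from this specification or from Microsoft. It assumes VERSION has the form "major.minor" (as in "2.20"); it keeps PROFILE-VAL, PLATFORM-VAL and PLATFORM-OP-VAL, which are defined elsewhere in the specification, as opaque strings; and the sample rule string, its registry value name, set names and platform values are constructed for illustration only.

```python
"""Parser for a main mode rule string in the MMRULE grammar of section 2.2.7.1.

Added example, not Microsoft's code. The registry value name (wszRuleId) is
passed separately because it is not part of the string. VERSION is assumed
to be "major.minor"; PROFILE-VAL, PLATFORM-VAL and PLATFORM-OP-VAL are kept as
strings since they are defined elsewhere in the specification.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Tokens the text says MUST appear at most once. SkipVer and Platform2 are
# treated the same way here; that is this example's assumption, not the page's.
AT_MOST_ONCE = {"Name", "Desc", "EmbedCtxt", "Active", "Auth1Set",
                "Crypto1Set", "SkipVer", "Platform2"}
STRING_FIELDS = {"Name": "name", "Desc": "description",
                 "EmbedCtxt": "embedded_context",
                 "Auth1Set": "phase1_auth_set", "Crypto1Set": "phase1_crypto_set"}
ENDPOINT_FAMILY = {"EP1_4": 4, "EP2_4": 4, "EP1_6": 6, "EP2_6": 6}


@dataclass
class Endpoint:
    """The v4 or v6 part of FW_ADDRESSES: address keywords, pRanges, pSubNets."""
    keywords: set = field(default_factory=set)
    ranges: list = field(default_factory=list)    # (low, high) address pairs
    subnets: list = field(default_factory=list)   # ipaddress network objects


@dataclass
class MainModeRule:
    """The FW_MM_RULE fields the grammar can carry."""
    rule_id: str
    version: tuple
    profiles: set = field(default_factory=set)
    active: bool = False                          # FW_CS_RULE_FLAGS_ACTIVE; absent => false
    name: Optional[str] = None
    description: Optional[str] = None
    embedded_context: Optional[str] = None
    phase1_auth_set: Optional[str] = None
    phase1_crypto_set: Optional[str] = None
    endpoints: dict = field(default_factory=lambda: {k: Endpoint() for k in ENDPOINT_FAMILY})
    platforms: list = field(default_factory=list) # pPlatforms entries, in order
    platform_op: Optional[str] = None             # Platform2= operator for the last entry
    skip_ver: Optional[tuple] = None


def parse_version(text):
    major, dot, minor = text.partition(".")
    if not (dot and major.isdigit() and minor.isdigit()):
        raise ValueError(f"bad VERSION {text!r}")
    return int(major), int(minor)


def add_endpoint_value(ep, value, family):
    """Classify one EPx_y value as a range, a subnet or an address keyword."""
    addr_cls = ipaddress.IPv4Address if family == 4 else ipaddress.IPv6Address
    if "-" in value:                              # ADDRESSVn-RANGE-VAL
        low, high = (addr_cls(p) for p in value.split("-", 1))
        if low > high:
            raise ValueError(f"inverted range {value!r}")
        ep.ranges.append((low, high))
    elif "/" in value:                            # ADDRESSVn-SUBNET-VAL (prefix or dotted mask)
        net = ipaddress.ip_network(value, strict=False)
        if net.version != family:
            raise ValueError(f"{value!r} is not an IPv{family} subnet")
        ep.subnets.append(net)
    elif value.isalnum():                         # ADDRESS-KEYWORD-VAL
        ep.keywords.add(value)
    else:
        raise ValueError(f"unparseable endpoint value {value!r}")


def parse_mm_rule(rule_id, text):
    if not text.startswith("v") or not text.endswith("|"):
        raise ValueError("MMRULE must start with 'v' and every FIELD ends in '|'")
    parts = text[1:].split("|")
    fields = parts[1:-1]                          # the trailing '|' leaves an empty tail
    if not fields:
        raise ValueError("MMRULE needs at least one FIELD")
    rule = MainModeRule(rule_id=rule_id, version=parse_version(parts[0]))
    seen = set()
    for item in fields:
        key, sep, value = item.partition("=")
        if not sep or not value:                  # every value rule is non-empty
            raise ValueError(f"malformed FIELD {item!r}")
        if key in AT_MOST_ONCE:
            if key in seen:
                raise ValueError(f"{key}= may appear at most once")
            seen.add(key)
        if key == "Profile":
            rule.profiles.add(value)              # repeated tokens accumulate
        elif key in ENDPOINT_FAMILY:
            add_endpoint_value(rule.endpoints[key], value, ENDPOINT_FAMILY[key])
        elif key == "Active":
            if value not in ("TRUE", "FALSE"):
                raise ValueError(f"bad BOOL-VAL {value!r}")
            rule.active = value == "TRUE"
        elif key == "Platform":
            rule.platforms.append(value)
        elif key == "Platform2":
            rule.platform_op = value
        elif key == "SkipVer":
            rule.skip_ver = parse_version(value)
        elif key in STRING_FIELDS:
            setattr(rule, STRING_FIELDS[key], value)
        else:
            raise ValueError(f"unknown token {key!r}")
    if not rule.profiles:
        rule.profiles = {"All"}                   # stands for FW_PROFILE_TYPE_ALL
    if rule.platform_op is not None and not rule.platforms:
        raise ValueError("Platform2= has no Platform= entry to apply to")
    return rule


def should_skip(rule, component_version):
    """SkipVer= semantics: a component at or below SkipVer ignores the rule."""
    return rule.skip_ver is not None and component_version <= rule.skip_ver


def is_rejected(text):
    """True when parse_mm_rule raises ValueError for text (used by the checks)."""
    try:
        parse_mm_rule("test", text)
    except ValueError:
        return True
    return False


# Constructed sample: the value name, set names and platform values are illustrative.
SAMPLE_RULE_ID = "{00000000-0000-0000-0000-000000000001}"
SAMPLE_RULE = ("v2.20|Profile=Domain|Profile=Private|Active=TRUE|Name=ExampleMMRule|"
               "Auth1Set=ExampleAuth1|Crypto1Set=ExampleCrypto1|"
               "EP1_4=10.0.0.1-10.0.0.50|EP1_4=LocalSubnet|EP2_4=192.168.1.0/255.255.255.0|"
               "EP1_6=fd00::/64|Platform=2:6:0|Platform2=GTEQ|SkipVer=2.10|")

if __name__ == "__main__":
    print(parse_mm_rule(SAMPLE_RULE_ID, SAMPLE_RULE))
```

An unknown token is rejected rather than ignored: the grammar admits no other tokens, and SkipVer= is the mechanism by which a rule carrying newer tokens tells an older component to skip it, so a production consumer should evaluate SkipVer= against its own inherent version before failing on the rest of the string.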