TCP/IP Filtering

Windows 2000 includes support for TCP/IP filtering, a feature known as TCP/IP Security in Windows NT 4.0. TCP/IP filtering allows you to specify exactly which types of incoming IP traffic are processed for each IP interface. This feature is designed to isolate the traffic being processed by Internet and intranet servers in the absence of other TCP/IP filtering provided by Routing and Remote Access or other TCP/IP applications or services. TCP/IP filtering is disabled by default.

TCP/IP filtering can be enabled and disabled for all adapters through a single check box. This can help troubleshoot connectivity problems that might be related to filtering. Filters that are too restrictive might not allow expected kinds of connectivity. For example, if you specify a list of UDP ports and do not include UDP port 520, your computer will not receive Routing Information Protocol (RIP) announcements. This can impair the computer's ability to be a RIP router or a silent RIP host when using the RIP Listener service.

A packet is accepted for processing if it meets one of the following criteria:

  • The destination TCP port matches the list of TCP ports. By default, all TCP ports are permitted.

  • The destination UDP port matches the list of UDP ports. By default, all UDP ports are permitted.

  • The IP protocol matches the list of IP protocols. By default, all IP protocols are permitted.

  • It is an ICMP packet.
    You cannot filter ICMP traffic with TCP/IP filtering. If you need ICMP filtering, configure IP packet filters through Routing and Remote Access. For more information, see "Unicast IP Routing" in the Internetworking Guide.
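The following is an added example, not code from the Windows 2000 documentation or from Microsoft: a small Python model of the acceptance rules listed above, used to check a planned filter configuration before applying it. The sample configuration (a web server permitting only TCP 80/443 and UDP 53) is constructed for illustration. One assumption is made about evaluation order that the list above leaves implicit: a TCP packet is judged against the TCP port list, a UDP packet against the UDP port list, ICMP is always accepted, and every other protocol is judged against the IP protocol list. The `lint_config` check reproduces the RIP caveat from the text (UDP port 520 missing from a restrictive UDP list).

```python
"""Model of the Windows 2000 TCP/IP filtering acceptance rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
RIP_UDP_PORT = 520  # RIP announcements arrive on UDP port 520


@dataclass(frozen=True)
class FilterConfig:
    """None for a list means 'Permit All' (the default); a set means 'Permit Only'."""
    enabled: bool = False            # the single check box: filtering off by default
    tcp_ports: Optional[Set[int]] = None
    udp_ports: Optional[Set[int]] = None
    ip_protocols: Optional[Set[int]] = None


@dataclass(frozen=True)
class Packet:
    """Only the fields the filter looks at: IP protocol and destination port."""
    protocol: int
    dst_port: Optional[int] = None   # meaningful for TCP and UDP only


def _permitted(allowed: Optional[Set[int]], value: Optional[int]) -> bool:
    return allowed is None or value in allowed


def accepts(cfg: FilterConfig, pkt: Packet) -> bool:
    """Return True if the interface would process this incoming packet."""
    if not cfg.enabled:
        return True                  # filtering disabled: everything is processed
    if pkt.protocol == PROTO_ICMP:
        return True                  # ICMP cannot be filtered by this feature
    if pkt.protocol == PROTO_TCP:    # assumption: TCP is judged by the TCP port list
        return _permitted(cfg.tcp_ports, pkt.dst_port)
    if pkt.protocol == PROTO_UDP:    # assumption: UDP is judged by the UDP port list
        return _permitted(cfg.udp_ports, pkt.dst_port)
    return _permitted(cfg.ip_protocols, pkt.protocol)  # everything else: protocol list


def dropped_for_rip(cfg: FilterConfig) -> bool:
    """True when the configuration would silently drop RIP announcements."""
    return not accepts(cfg, Packet(PROTO_UDP, RIP_UDP_PORT))


def lint_config(cfg: FilterConfig) -> List[str]:
    """Warn about common ways an over-restrictive filter breaks expected connectivity."""
    warnings: List[str] = []
    if dropped_for_rip(cfg):
        warnings.append("UDP port 520 is not permitted: RIP announcements will be dropped")
    if cfg.tcp_ports is not None and not cfg.tcp_ports:
        warnings.append("TCP list is empty: no inbound TCP connections will be accepted")
    if cfg.udp_ports is not None and not cfg.udp_ports:
        warnings.append("UDP list is empty: no inbound UDP datagrams will be accepted")
    return warnings


# Constructed sample: a web server that should only answer HTTP/HTTPS and DNS.
WEB_SERVER = FilterConfig(enabled=True, tcp_ports={80, 443}, udp_ports={53})

if __name__ == "__main__":
    for pkt in (Packet(PROTO_TCP, 80), Packet(PROTO_TCP, 3389),
                Packet(PROTO_UDP, 53), Packet(PROTO_UDP, RIP_UDP_PORT),
                Packet(PROTO_ICMP), Packet(PROTO_GRE)):
        print(pkt, "accepted" if accepts(WEB_SERVER, pkt) else "dropped")
    for w in lint_config(WEB_SERVER):
        print("WARNING:", w)
```

Running the module shows the trade-off the text describes: the web server's restrictive UDP list keeps DNS but drops RIP on UDP 520, so the host can no longer act as a RIP router or silent RIP host, while ICMP and non-TCP/UDP protocols such as GRE still pass because the protocol list is left at Permit All.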