Windows Firewall doesn't filter routed IP traffic

by Mitch Tulloch [Published on 2 Feb. 2011 / Last Updated on 8 Dec. 2009]

Here's a tip to save you some frustration if you ever decide to configure a dual-NIC Windows Server computer as an IP router.

Here's a tip to save you some frustration if you ever decide to configure a dual-NIC Windows Server computer as an IP router. You would think that you could use Windows Firewall with Advanced Security to filter what types of traffic the router is allowed to forward and what types should be blocked. You might even think that if you assign a different network location type to each network interface card (NIC) on the router, for example Domain for one NIC and Public for the other, that you could even configure different filtering for traffic being forwarded in different directions between the two NICs.

Well, you're wrong. Windows Firewall with Advanced Security is a host-based firewall, and this means that it is only able to filter host-based traffic, that is, traffic to and from the host (computer). Windows Firewall with Advanced Security will not function as a router firewall. In other words, packets received at one NIC and forwarded to the other NIC will not be filtered by any firewall rules you have configured on the server.

Bottom line is, if you need a firewall product capable of filtering traffic as it is being routed between different NICs on the server, you need to install Microsoft Forefront Threat Management Gateway 2010.

If you have feedback concerning this tip, please email me. And be sure to check out my website!

Featured Links