The Windows Firewall restricts inbound communications by default, which is a great thing. Our machines are almost always connected to the internet these days, so we need to do all we can to keep the bad guys out. What this means in practice, however, is that often when you have a legitimate need to make a remote connection of some sort to a laptop, server, or whatever, it will be denied by default. Sometimes, the firewall plugs in rules automatically. For example, when you enable RDP on a Windows Server, it automatically plugs an Inbound Rule into WFAS on that server to allow incoming port 3389 traffic, because Windows knows that it will be necessary to make successful RDP connections to your server.
Other times, WFAS is not intelligent enough to make these decisions, and we need to manually input rules in order to make things happen. Let's work together to push out a rule that allows some incoming traffic. For our example today, we are going to create a rule that applies to our client machines which allows ICMPv4. ICMP is the traffic that happens when you try to ping an IP address. IT folks are used to pinging resources to figure out whether they are online, or whether a particular IP address is in use on the network. These days, you cannot always rely on a ping reply to tell you whether something is actually sitting on that IP address. As you can see in the following screenshot, I am logged into my DC1 server and from here I am attempting to ping LAPTOP1. My LAPTOP1 machine is online and working on the network, and you can see that my ping command does resolve LAPTOP1 to the proper IP address, but the pings are timing out:
It appears LAPTOP1 is offline, but it is actually up and running right now. This happens because WFAS does not allow pings (ICMPv4) by default. Let's use a GPO to change that behavior, because I like to ping stuff!
I am going to edit the same GPO that I used to enforce that my Firewall was turned on. Navigate to the following location:
Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules
Here you will see a lot of blank space. Right-click in this blank space, and choose to create a New Rule...
On the Rule Type screen, you decide what kind of a rule to build. Here is a quick summary of these types:
- Program: Use this to apply a firewall rule to a particular application on the system. I almost never use this option.
- Port: Definitely the option I use most often. Selecting Port here lets you define which ports the rule we are creating will allow or deny.
- Predefined: This is a list of all kinds of services inside Windows that have predefined port numbers or ranges. If you want to allow something to work, but are not sure what ports or functionality that resource requires, browse this list to see whether there is a predefined entry for it. I tend not to trust the predefined entries; I would rather make a more specific rule that applies only to the ports or protocols that I tell it to.
- Custom: If any of the other three do not fit the bill, choose Custom. This is the case for my ICMPv4 rule, as I do not see that as an option inside any of the other locations. So I will choose Custom and click Next.
You now have another chance to apply this rule only to particular programs. I want my rule to apply to the entire system, so I will leave it marked for All programs, and click Next again.
Now for the fun part: deciding what kind of traffic this rule applies to, on the Protocol and Ports screen. The default option is Any, so make sure you change that dropdown to your desired item. If you were to create an Any rule, you could suddenly allow all incoming traffic on all of your workstations! I want to enable inbound ICMPv4, and so I make that selection from inside the Protocol type menu:
Moving on to the Scope step, we are going to click Next to accept the defaults. I want my ICMPv4 rule to allow ping replies from any machine. We will later utilize the Scope screen in more depth, when we create an outbound rule.
Action is pretty self-explanatory: we are creating a rule that allows this ICMP traffic, and so we need to Allow the connection.
Profile presents those three firewall profiles once again! When you create firewall rules, whether inbound or outbound, you can choose to apply these rules to one, two, or all three of the firewall profiles. If you had a need to allow certain things while computers are sitting inside the corporate network, you could apply those rules to only the Domain profile.
However, if you wanted a more locked-down experience when those machines (maybe laptops) move outside of the corporate network, then the firewall would apply either the Private or Public profiles, and perhaps you have a different set of firewall rules that takes over when that distinction is made. I do not want my machine responding to pings when it is sitting at a user's house or in their local coffee shop, only when it's inside my LAN. So I am going to select only the Domain profile here:
Finally, make up a Name for your new WFAS rule, and this new rule is now sitting inside our GPO, ready to be assigned to client computers. After waiting a few minutes for this new setting to roll down to LAPTOP1, if I open WF.MSC on that machine and look inside the Inbound Rules, I can see that my new firewall rule successfully came down from the GPO and was added at the top of my rules list (again, the remaining rules sitting inside this folder are the default rules that ship with Windows):
Once inside the Inbound Rules folder, that ICMPv4 allow rule should take immediate effect. Logging back into DC1, I can now successfully ping LAPTOP1:
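The same Custom / ICMPv4 / Domain-only / Allow rule built in the wizard above, expressed with the NetSecurity cmdlets, followed by the checks I would run on the client to confirm the rule really arrived from Group Policy. This is an added example, not from the book; the rule display name, the description text and the LAPTOP1 host name are placeholders, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not the book's own steps. Run elevated.
# Placeholders: the rule name, description and the LAPTOP1 host name.
$ruleName = 'Allow Inbound ICMPv4 (Domain)'

# Wizard equivalents: Custom rule -> All programs -> Protocol ICMPv4
# -> Scope any -> Action Allow -> Profile Domain only.
# -IcmpType 8 (Echo Request) is a deliberate narrowing of the wizard's
# "ICMPv4, all types": ping only needs type 8. Remove -IcmpType to match
# the broader rule the chapter builds.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -Profile Domain `
        -Action Allow `
        -Enabled True `
        -Description 'Answer ping only while on the corporate LAN' | Out-Null
}
# To write the rule into the GPO itself instead of the local store, add
# -PolicyStore '<domain FQDN>\<GPO name>' to New-NetFirewallRule on a
# machine that has the GroupPolicy module (assumption: you edit that GPO).

# Review the rule the way the wizard summarises it: direction, action, profile,
# then the protocol filter that proves it is ICMPv4 and not "Any".
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, IcmpType

# On the client (LAPTOP1 in the chapter), after gpupdate /force, list only the
# rules whose source is Group Policy. PolicyStoreSource names the delivering GPO,
# which is the quickest way to tell a GPO rule from a locally added one.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
    Select-Object DisplayName, PolicyStoreSource, Profile, Direction, Action

# The chapter's final check, a ping from DC1, as a structured result.
(Test-NetConnection -ComputerName 'LAPTOP1').PingSucceeded
```

If the rule shows Profile = Domain but the client is currently on the Private or Public profile (check with Get-NetConnectionProfile), pings will still time out, which is exactly the behaviour the chapter wants for laptops off the corporate network.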