
I installed an application which auto-creates an inbound rule in my Win7 firewall settings. I want to make this rule accept only local LAN addresses and not remote addresses; for example, if my local IP address is 10.10.1.3, I want this rule to accept inbound connections only from 10.10.1.x addresses, but deny other addresses, including all Internet addresses.

I tried to edit the auto-created rule; in its "SCOPE" tab's remote address area, I tried to add 10.10.1.0/24. After pressing the OK button, it prompted me with the following info:

[image: error message from win7 firewall]

I do not quite understand this info. Can someone explain what this info means and how to reach my goal? Thanks!

UPDATE: 1. I have reposted the error info in English; 2. regarding what was mentioned by grawity, I set the "User" tab of this rule as follows:

[image: "User" tab of the rule]

Could someone give some suggestions, Thanks!

Update: previously I had no test environment, but yesterday I tested fully and proved that "Defer to application" and my settings totally reach my goal. Thanks to all who gave suggestions!

  • I assume you're editing this tab. Can you check whether all such other tabs are empty? Commented Sep 24, 2018 at 5:25
  • Yes, I am editing the "SCOPE" tab, but your posted image is different from mine; I only have 7 tabs (maybe you are running Win8 or Win10?), and my last tab (called "User", not "Remote User") may be your second image's tab. It's empty.
    – J1B
    Commented Sep 24, 2018 at 5:41
  • @grawity, sorry to disturb, I have checked what you mentioned. Do you mean these tabs should be empty so that the error will not occur? But in my situation, they are empty. Could you please give some help? Thanks!
    – J1B
    Commented Sep 27, 2018 at 3:48

1 Answer


As the error message says, 'Defer to user' refers to the setting of Edge traversal in the Advanced tab:

[image: Edge traversal setting in the Advanced tab]

This setting conflicts with Scope rules. You should set it to 'defer to application' in order to change the scope.

I include here an explanation for Edge traversal from the article MS Windows Tips and Tricks | 2.8.2. Windows Firewall – Part 2:

There is also an obscure option named Edge traversal, which is, unfortunately, rather poorly documented. At first glance, it might appear that this option simply controls whether traffic that arrives from outside the computer’s LAN should be allowed or blocked; but that function is provided by the rule’s scope. The Edge traversal option exists only in inbound rules and is set to Block edge traversal by default. However, this setting does not cause any inbound traffic to be blocked just because the traffic passed through a firewall or network address translator (NAT) on its way to the local host. Instead, this option applies to only specific types of traffic that use encapsulation in order to successfully traverse a firewall or NAT. One example of a situation where the Edge traversal option matters is DirectAccess. If a DirectAccess client is located on a remote private network behind a NAT, the client uses a technology named Teredo to communicate with its corporate network over the Internet. Teredo encapsulates IPv6 inside IPv4 in such a way that it can pass through NATs. This DirectAccess client should be configured to allow unsolicited inbound traffic from management servers on the corporate network. The corresponding inbound rules should allow edge traversal.

  • Thanks, it seems that if I do not choose "defer to user" but choose "defer to application", it also works; no error prompts. I also want to ask whether doing that meets my goal to allow only local LAN inbound traffic?
    – J1B
    Commented Sep 28, 2018 at 8:35
  • Defer to User means that the user will receive a message and can allow traffic if he has sufficient privileges. Defer to Application means that application settings will determine whether traffic can pass through, which is probably exactly what you want.
    – harrymc
    Commented Sep 28, 2018 at 8:49
  • @J1B - If you determine that this adequately solves your problem, please mark the answer as accepted and I will award harrymc the bounty.
    – n8te
    Commented Sep 28, 2018 at 8:57
  • Thanks for all your help and the notice. I have no test environment now, so I want to ask harrymc for more to make sure it works. I think the solution is probably correct, so now I have marked the answer.
    – J1B
    Commented Sep 28, 2018 at 9:10
  • @harrymc, then can the "Allow edge traversal" you first mentioned meet my goal too? What does that mean?
    – J1B
    Commented Sep 28, 2018 at 9:12
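The same fix applied from the Windows 7 command line with netsh, as an added example (not from the answer or the question): "MyApp Inbound" is a placeholder for whatever name the application gave its rule, and the commands assume an elevated prompt.

```batch
@echo off
REM Added example, not part of the original post. "MyApp Inbound" is a
REM placeholder: check the real rule name and its current settings first.
netsh advfirewall firewall show rule name="MyApp Inbound" verbose

REM Restrict the rule's remote address scope to the LAN 10.10.1.0/24 and set
REM edge traversal to "Defer to application" (edge=deferapp) in the same step.
REM Leaving the rule on "Defer to user" (edge=deferuser) is what makes the
REM GUI reject the scope change with the error shown in the question.
netsh advfirewall firewall set rule name="MyApp Inbound" dir=in new remoteip=10.10.1.0/24 edge=deferapp

REM Verify: RemoteIP should now list 10.10.1.0/24 and the edge traversal
REM line should no longer read "Defer to User".
netsh advfirewall firewall show rule name="MyApp Inbound" verbose
```

If the machine moves between LANs, remoteip=localsubnet (a netsh keyword) restricts the rule to whatever subnet the adapter currently sits on instead of a fixed 10.10.1.0/24.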
