Windows firewall limits

  • Question

  • Is anybody aware of Windows 2008 firewall limits, like a max number of rules or a max number of remote addresses?

    Has somebody experienced any performance problem that might be related to a huge number of rules, etc.?

    Thanks.


    Friday, March 19, 2010 7:19 PM

Answers

  • There is no limit to how many rules can be added (other than the cap of UINT64 for the filterId), nor how many conditions can be in each filter (other than the cap of a UINT32 for the numFilterConditions).  If you have this many filters / rules, or this many conditions, then you really need to re-think your filtering strategy...

    As you (significantly) increase the number of rules, you will start to see performance degradation.  This would be due to 1) searching through the rules to find matches, 2) performing different callouts' actions to get to a final filtering decision, 3) enumerating all the rules.

    Some filters will perform slightly faster than others (filters that don't require a callout are faster than those that do, filters that don't have OR'd conditions perform better, etc.)

    Hope this helps.


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Friday, March 19, 2010 7:45 PM
    Moderator
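    The answer above says rule count and per-rule condition count are what drive the cost. The following script is an added example, not code from the thread or from Microsoft: it inventories the enabled rules per profile and flags any rule whose remote-address scope is large, using the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later. The review threshold of 200 addresses is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original thread). Counts enabled firewall rules
# per profile and lists rules whose remote-address scope exceeds a threshold,
# since large OR'd address lists are the case the answer says performs worst.
# Requires the NetSecurity module (Windows 8 / Server 2012 and later), elevated.
$threshold = 200   # assumption: rules with at least this many remote addresses get reviewed

$rules = @(Get-NetFirewallRule -Enabled True)
"Enabled rules: $($rules.Count)"
$rules | Group-Object Profile | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

foreach ($rule in $rules) {
    # RemoteAddress is the string 'Any' for an unscoped rule, otherwise an
    # array of addresses, ranges or subnets
    $addr = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($addr -notcontains 'Any' -and $addr.Count -ge $threshold) {
        '{0,-45} {1,6} remote addresses' -f $rule.DisplayName, $addr.Count
    }
}
```

    The per-rule address count is read back from the filter object rather than from whatever script created the rule, so it reflects what the firewall actually holds.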

All replies

  • That makes perfect sense, thank you, Dusty.
    Friday, March 19, 2010 7:57 PM
  • When you say, "There is no limit to... how many conditions can be in each filter", does this include the number of remote addresses listed in the scope? I ask because I've read several places that there is a 1,000 address limit for the scope. And in practice, on a Windows Server 2012 R2 64 bit server I am finding that if I go much over 500 addresses, the rule fails to be created (using netsh firewall advfirewall from the command line). 

    There may be no theoretical limit, but there seems to be an actual limitation to the number of remote addresses that can be in the scope and have a rule created successfully.

    I ran into this issue creating rules to block connections from addresses assigned to Netherlands based ISPs. The majority of recent network probing appears to be coming from Netherlands addresses.  

    (Yes this is an old thread, but it's still sitting out here appearing to be relevant, so I'm asking)

    Wednesday, November 7, 2018 2:29 PM
  • For Windows Server 2008 or newer, 1000 is the limit, this guy is completely wrong. I did not read documentation to find this out, I tried to add 1001 remote ip addresses and it failed. Trying to add 1000 works fine.

    [url=http://forums.create.msdn.com/forums/t/97955.aspx]- Please Review - Math Asteroids -[/url]



    Wednesday, May 8, 2019 4:16 PM
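    The two posts above report that a single rule stops being created somewhere around 500 to 1,000 remote addresses. The script below is an added example, not code from the thread or from Microsoft: it splits a block-list into several rules of at most a fixed number of addresses each, and after creating each rule reads its scope back from the firewall to confirm the full list was applied. The file name `blocklist.txt`, the display-name prefix `Block-NL-ISP` and the chunk size of 500 are assumptions; run it from an elevated PowerShell session on Windows Server 2012 or later.

```powershell
# Added example (not from the original thread). Creates a set of inbound block
# rules from a list of IPs/CIDRs, keeping every rule's remote-address scope
# below the ceiling the thread reports, and verifies each rule after creation.
param(
    [string]$ListPath   = '.\blocklist.txt',   # assumption: one IP or CIDR per line, '#' comments allowed
    [string]$NamePrefix = 'Block-NL-ISP',      # assumption: display-name prefix for the rule set
    [int]$ChunkSize     = 500                  # assumption: well under the ~1000 limit reported above
)

$addresses = @(Get-Content $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique)

if ($addresses.Count -eq 0) { throw "No addresses read from $ListPath" }

# Drop earlier chunks of the same rule set so re-runs replace rather than accumulate
Get-NetFirewallRule -DisplayName "$NamePrefix-*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$chunks = [math]::Ceiling($addresses.Count / $ChunkSize)
for ($i = 0; $i -lt $chunks; $i++) {
    $first = $i * $ChunkSize
    $last  = [math]::Min(($i + 1) * $ChunkSize, $addresses.Count) - 1
    $slice = @($addresses[$first..$last])
    $name  = '{0}-{1:D3}' -f $NamePrefix, $i

    try {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $slice -ErrorAction Stop | Out-Null
    } catch {
        # Creation failing outright is the symptom described in the thread
        Write-Error "Rule $name failed to create with $($slice.Count) addresses: $_"
        continue
    }

    # Read the scope back. A rule that exists but holds fewer addresses than
    # submitted would silently leave part of the list unblocked.
    $applied = @((Get-NetFirewallRule -DisplayName $name |
        Get-NetFirewallAddressFilter).RemoteAddress)
    if ($applied.Count -ne $slice.Count) {
        Write-Warning "$name: submitted $($slice.Count) addresses, firewall holds $($applied.Count)"
    } else {
        "$name: $($slice.Count) addresses applied"
    }
}
```

    The read-back count is a heuristic rather than a proof: the firewall stores addresses in its own normalised form, so a list containing overlapping or differently written entries can come back with a different count even when it was applied in full. Treat a mismatch as a prompt to diff the two lists, not as a definite failure.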
  • Funny, did it on a 2016 server today - and hit the limit at somewhere less than 50... 

    A simple firewall rule, block a number of remote IPs for all protocols that have been hammering the server via rdp and more.
    But no, not a good thing on 2016 as I found out. Maybe it's just me, but I think these rule options are not designed for it.  

    Win Firewall blocked access for rdp, http for all clients since I applied it to all profiles when I had reached a number significantly smaller than 1000...    

    So I switched to allowed addresses/ranges instead on my external fw and scrapped the Win fw rule.
    Rather protect at the perimeter instead of on the host in the LAN anyway.  

    I know, not good to allow rdp from the Internet but I need to allow a number of people to log on via rdp from different locations around the world and VPN is not a viable option in this case. 
    Monday, February 17, 2020 7:02 PM