Required Firewall Exceptions for Teredo - Win32 apps (2024)

For an application to receive Teredo traffic, the application must be permitted to receive IPv6 traffic in the host firewall, and the application is required to set the socket option IPV6_PROTECTION_LEVEL to 'PROTECTION_LEVEL_UNRESTRICTED'. To enable this type of scenario, the firewall exceptions detailed in this document must be implemented.

The following firewall configurations are required to ensure smooth interoperation between a firewall and Teredo:

• The client firewall must allow resolution of teredo.ipv6.microsoft.com.

• UDP Port 3544 must be open to ensure that Teredo clients can successfully communicate with the Teredo server.

  See Also

  STEP 13 Test DirectAccess Connectivity from Behind a NAT DeviceViewing hidden devices - Windows drivers[SOLVED] Teredo is unable to qualify - Driver EasyDoes Teredo present security risks to the enterprise? | TechTarget

• The firewall must retrieve dynamic UDP ports used by Teredo service on the local machine by calling the FwpmSystemPortsGet0 function; relevant ports are of type FWPM_SYSTEM_PORT_TEREDO. The FwpmSystemPortsGet0 function should be implemented in place of the now deprecated GetTeredoPort or NotifyTeredoPortChange functions.

• The firewall permits the system to send and receive UDP/IPv4 packets to UDP port 1900 on the local subnet as this allows UPnP discovery traffic to flow and has the potential to improve connectivity rates.

  Note

  If this condition is not met, the potential for scenarios to encounter compatibility issues involving communication between certain NAT types is introduced; specifically between Symmetric NATs and Restricted NATs. While Symmetric NATs are popular in hotspots and Restricted NATs are popular in homes, communication between the two has the potential to fault on the side of the Restricted NAT.

• Incoming and outgoing ICMPv6 "Echo Request" and "Echo Reply" exceptions must be enabled. These exceptions are necessary to ensure that a Teredo client can act as a Teredo host-specific relay. A Teredo host-specific relay can be identified by the additional native IPv6 address or a 6to4 address supplied with the Teredo address.

  See Also

  Using Device Manager to Uninstall Devices and Driver Packages - Windows drivers

Client firewalls must support the following ICMPv6 error messages and discovery functions per RFC 4443:

If these messages cannot be specifically allowed, then the exemption of all ICMPv6 messages should be enabled on the firewall. Additionally, the host firewall may notice that the packets classified by codes 135/136 or 133/134 originate from, or are targeted to, the user mode service iphlpsvc and not from the stack. These packets must not be dropped by the host firewall. The Teredo service is implemented primarily within the 'user mode' IP Helper service.

Using the INetFwPolicy2 Windows Firewall API to enumerate all rules with the Edge Traversal flag set, all applications that want to listen for unsolicited traffic are enumerated for the firewall exception. Specific information regarding the use of the Edge Traversal option is detailed in Receiving Unsolicited Traffic Over Teredo.

Callbacks are not associated with the following sample enumeration code; it is strongly recommended that third party firewalls perform the enumeration periodically, or whenever the firewall detects a new application attempting to go through the firewall.

#include <windows.h>#include <objbase.h>#include <stdio.h>#include <atlcomcli.h>#include <strsafe.h>#include <netfw.h>#define NET_FW_IP_PROTOCOL_TCP_NAME L"TCP"#define NET_FW_IP_PROTOCOL_UDP_NAME L"UDP"#define NET_FW_RULE_DIR_IN_NAME L"In"#define NET_FW_RULE_DIR_OUT_NAME L"Out"#define NET_FW_RULE_ACTION_BLOCK_NAME L"Block"#define NET_FW_RULE_ACTION_ALLOW_NAME L"Allow"#define NET_FW_RULE_ENABLE_IN_NAME L"TRUE"#define NET_FW_RULE_DISABLE_IN_NAME L"FALSE"#import "netfw.tlb"void DumpFWRulesInCollection(long Allprofiletypes, NetFwPublicTypeLib::INetFwRulePtr FwRule){ variant_t InterfaceArray; variant_t InterfaceString; if(FwRule->Profiles == Allprofiletypes) { wprintf(L"---------------------------------------------\n"); wprintf(L"Name: %s\n", (BSTR)FwRule->Name); wprintf(L"Description: %s\n", (BSTR)FwRule->Description); wprintf(L"Application Name: %s\n", (BSTR)FwRule->ApplicationName); wprintf(L"Service Name: %s\n", (BSTR)FwRule->serviceName); switch(FwRule->Protocol) { case NET_FW_IP_PROTOCOL_TCP: wprintf(L"IP Protocol: %s\n", NET_FW_IP_PROTOCOL_TCP_NAME); break; case NET_FW_IP_PROTOCOL_UDP: wprintf(L"IP Protocol: %s\n", NET_FW_IP_PROTOCOL_UDP_NAME); break; default: break; } if(FwRule->Protocol != NET_FW_IP_VERSION_V4 && FwRule->Protocol != NET_FW_IP_VERSION_V6) { wprintf(L"Local Ports: %s\n", (BSTR)FwRule->LocalPorts); wprintf(L"Remote Ports: %s\n", (BSTR)FwRule->RemotePorts); } wprintf(L"LocalAddresses: %s\n", (BSTR)FwRule->LocalAddresses); wprintf(L"RemoteAddresses: %s\n", (BSTR)FwRule->RemoteAddresses); wprintf(L"Profile: %d\n", Allprofiletypes); if(FwRule->Protocol == NET_FW_IP_VERSION_V4 || FwRule->Protocol == NET_FW_IP_VERSION_V6) { wprintf(L"ICMP TypeCode: %s\n", (BSTR)FwRule->IcmpTypesAndCodes); } switch(FwRule->Direction) { case NET_FW_RULE_DIR_IN: wprintf(L"Direction: %s\n", NET_FW_RULE_DIR_IN_NAME); break; case NET_FW_RULE_DIR_OUT: wprintf(L"Direction: %s\n", NET_FW_RULE_DIR_OUT_NAME); break; default: break; } switch(FwRule->Action) { case NET_FW_ACTION_BLOCK: wprintf(L"Action: %s\n", NET_FW_RULE_ACTION_BLOCK_NAME); break; case NET_FW_ACTION_ALLOW: wprintf(L"Action: %s\n", NET_FW_RULE_ACTION_ALLOW_NAME); break; default: break; } InterfaceArray = FwRule->Interfaces; if(InterfaceArray.vt != VT_EMPTY) { SAFEARRAY *pSa = NULL; long index = 0; pSa = InterfaceArray.parray; for(long index= pSa->rgsabound->lLbound; index < (long)pSa->rgsabound->cElements; index++) { SafeArrayGetElement(pSa, &index, &InterfaceString); wprintf(L"Interfaces: %s\n", (BSTR)InterfaceString.bstrVal); } } wprintf(L"Interface Types: %s\n", (BSTR)FwRule->InterfaceTypes); if(FwRule->Enabled) { wprintf(L"Enabled: %s\n", NET_FW_RULE_ENABLE_IN_NAME); } else { wprintf(L"Enabled: %s\n", NET_FW_RULE_DISABLE_IN_NAME); } wprintf(L"Grouping: %s\n", (BSTR)FwRule->Grouping); wprintf(L"Edge: %s\n", (BSTR)FwRule->EdgeTraversal); }}int __cdecl main(){ HRESULT hr; BOOL fComInitialized = FALSE; ULONG cFetched = 0; CComVariant var; long Allprofiletypes = 0; try { IUnknownPtr pEnumerator = NULL; IEnumVARIANT* pVariant = NULL; NetFwPublicTypeLib::INetFwPolicy2Ptr sipFwPolicy2; // // Initialize the COM library on the current thread. // hr = CoInitialize(NULL); if (FAILED(hr)) { _com_issue_error(hr); } fComInitialized = TRUE; hr = sipFwPolicy2.CreateInstance("HNetCfg.FwPolicy2"); if (FAILED(hr)) { _com_issue_error(hr); } Allprofiletypes = NET_FW_PROFILE2_ALL; // 0x7FFFFFFF printf("The number of rules in the Windows Firewall are %d\n", sipFwPolicy2->Rules->Count); pEnumerator = sipFwPolicy2->Rules->Get_NewEnum(); if(pEnumerator) { hr = pEnumerator->QueryInterface(__uuidof(IEnumVARIANT), (void **) &pVariant); } while(SUCCEEDED(hr) && hr != S_FALSE) { NetFwPublicTypeLib::INetFwRulePtr sipFwRule; var.Clear(); hr = pVariant->Next(1, &var, &cFetched); if (S_FALSE != hr) { if (SUCCEEDED(hr)) { hr = var.ChangeType(VT_DISPATCH); } if (SUCCEEDED(hr)) { hr = (V_DISPATCH(&var))->QueryInterface(__uuidof(INetFwRule), reinterpret_cast<void**>(&sipFwRule)); } if (SUCCEEDED(hr)) { DumpFWRulesInCollection(Allprofiletypes, sipFwRule); } } } } catch(_com_error& e) { printf ("Error. HRESULT message is: %s (0x%08lx)\n", e.ErrorMessage(), e.Error()); if (e.ErrorInfo()) { printf ("Description: %s\n", (char *)e.Description()); } } if (fComInitialized) { CoUninitialize(); } return 0;}