[an error occurred while processing this directive]

You can configure IP filters in both connection request policies and network policies by using netsh nps commands. The following sections provide details on the commands and parameters to use to configure IP filters for IPv4 or IPv6.

Commands for configuration of IP filters

The following netsh nps commands allow you to configure IP filters that are applied at the network access server for connection requests that match the respective policies.

  • add crp. This command allows you to add a new connection request policy to the Network Policy Server (NPS) configuration.

  • set crp. This command allows you to modify an existing connection request policy.

  • add np. This command allows you to add a new network policy to the NPS server configuration.

  • set np. This command allows you to modify an existing network policy.

With these commands, you can configure IP filters using the parameters profileid, advprofiletype, and advprofiledata. The following sections provide details for each parameter.

profileid

The following values for profileid are valid for the configuration of IP filters.

Name ID

MS-Quarantine-IPFilter

0x1045

MS-Filter

0x102f

MS-IPv6-Filter

0x1fd0

advprofiletype

The following values for advprofiletype are valid for the configuration of IP filters.

Name Type

IPv4 Input filters

IPFILTER_IPV4INFILTER

IPv4 Output filters

IPFILTER_IPV4OUTFILTER

IPv6 Input filters

IPFILTER_IPV6INFILTER

IPv6 Output filters

IPFILTER_IPV6OUTFILTER

advprofiledata

The following syntax and comma-separated list of parameters for advprofiledata are valid for the configuration of IP filters.

Syntax

advprofiledata= action,ip address,mask,protocol,source port,destination port

Parameters

Name Description

action

Required. Specifies whether IP traffic is permitted or denied. PERMIT specifies that all IP traffic is permitted except for the packets that you designate with the ip address, mask, protocol, source port, and destination port parameters. DENY specifies that all IP traffic is denied except for the packets that you designate with the ip address, mask, protocol, source port, and destination port parameters.

ip address

Required. Specifies either an IPv4 or an IPv6 address.

mask

Required. Specifies the subnet mask for an IPv4 address or the prefix length for an IPv6 address in the following formats: "x.x.x.x" specifies an IPv4 subnet mask, while <number> specifies an IPv6 prefix length.

protocol

Optional. Specifies the protocol number as an integer, such as 6 for TCP or 17 for User Datagram Protocol (UDP).

source port and destination port

Optional. Specifies the source port and destination port as integers. If specified, you must designate both a source port and a destination port. If you do not specify a source port and destination port, all IP traffic to the specified IP address is permitted or denied, depending on the value of action.

See Also


[an error occurred while processing this directive]