Microsoft Internet Security and Acceleration Server 2000

IFWXSession::RetroactiveAllowBind Method

Allows a Firewall client to receive a secondary inbound connection on a socket that was previously bound by the Firewall client but was not necessarily approved by the Firewall service.

HRESULT RetroactiveAllowBind(
  INT Protocol,
  DWORD AddressLength,
  REFGUID ProtocolGuid,
  DWORD dwFlags,
  IFWXIpFilter *pIpFilter


[in] Protocol flags. This parameter can have the following flag values:
Value Description
FWX_PROTOCOL_TCP The bind uses the TCP protocol.
FWX_PROTOCOL_UDP The bind uses the UDP protocol.

[in] Pointer to a sockaddr structure that contains the Firewall service external address for which this request is made. The address can be INADDR_ANY. The port number must be nonzero.
[in] Length, in bytes, of the structure pointed to by the Address parameter.
[in] GUID that identifies the protocol of which the connection is part. The GUID is the same GUID supplied to IFWXFilterAdmin::RegisterProtocolForFilter.
[in] Connection flags. This parameter can be any combination of the following flag values:
Value Description
FWX_FLAG_BIDIRECTIONAL Permission is also granted to send packets back to destinations that recently sent packets to the socket. This flag is only valid for UDP.

Pointer to the IFWXIpFilter object. All connections that are created by BindForClient will be restricted by the IpFilter pointed to by this parameter. If you specify NULL for this parameter, the connection will not be restricted at all by an IpFilter object. Similarly, if you do not set a value for this parameter, all IP addresses will be allowed access. If you specify a zero value for this parameter, all IP addresses will be blocked.

Return Values

The method succeeded.
The connection exists and was already allowed.
Invalid parameter.
No connection with the specified address was found.
The (bind) connection exists, but is already terminating.
The protocol rules do not allow the user to use the protocol specified by the ProtocolGuid parameter.


Usually a filter will know that a bind call made by a Firewall client is valid only after the bind call succeeds and the Firewall client sends the address to its peer. For this reason, the Firewall service will not fail a bind call even when the service does not allow the client inbound access. Instead, the Firewall service marks the connection and discards datagrams sent, or connection attempts to that address, unless the bind becomes valid later.

When packet filtering is enabled, an opening in the dynamic packet filter will only be created for allowed connections.