A computer host may execute a host firewall application to protect itself from incursions by malicious entities via a communications network (e.g., the Internet). Host firewalls can provide a considerable amount of security from such threats by controlling the traffic passing between the host and other network-connected entities within different zones of trust. However, many hosts are connected within a local network to certain entry points to the local network, such as a network address translation (NAT) device or another firewall application or device, positioned at an “edge” of the local network. As such, a host firewall may be configured to block unsolicited traffic to prevent attacks from outside the network through these entry points.
Certain edge traversal technologies have emerged to allow legitimate unsolicited inbound traffic to traverse edge entities, such as NATs and firewalls. One particular implementation of such technology is an edge traversal service designed to send UDP (User Datagram Protocol) “bubbles” from the host to artificially maintain state on edge devices in order to allow unsolicited UDP traffic to traverse back through said edge devices. The service utilizes a virtual adapter on the host system that has a service-specific IPv6 address. The service-specific address is obtained from an edge traversal server outside the local network, which can compute the host's service-specific address from the external IPv4 address of the NAT or other edge security entity and the specific port being used for that host on the NAT or other edge security entity. In summary, an edge traversal service allows a host to receive unsolicited, inbound traffic through its local network edge.
However, edge traversal can expose the host, and therefore the local network, to undesirable security risks. Existing firewall rules that allow unsolicited traffic for any application or service are IP-version agnostic and unaware of edge traversal technologies. Therefore, any host firewall rule that allows unsolicited traffic to an application or service would inadvertently allow that traffic to arrive over any interface, including those interfaces specifically designed for edge traversal. For example, if an edge traversal service is enabled for a particular host, then any application having a host firewall rule allowing unsolicited traffic would be exposed to unsolicited traffic from outside its network via the edge traversal service.
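As an added illustration of the two preceding paragraphs (example code written for this page, not part of the original text or of any product), the script below first derives a service-specific IPv6 address from the NAT's external IPv4 address and mapped UDP port, assuming the Teredo encoding of RFC 4380 (the text describes such a service without naming it), and then evaluates a legacy, interface-agnostic host firewall rule against unsolicited traffic arriving on the physical adapter and on the edge-traversal virtual adapter. The rule and interface model, including the `edge_traversal` attribute that a rule must explicitly set before it matches unsolicited traffic on an edge-traversal interface, is an assumption made for the example, not a real firewall API.

```python
"""Added example (not from the original text): models the edge-traversal
exposure described above.  Assumes the Teredo address layout of RFC 4380 for the
service-specific IPv6 address and a simplified host-firewall rule model whose
'edge_traversal' attribute is hypothetical."""
import ipaddress
from dataclasses import dataclass

TEREDO_PREFIX = 0x20010000  # 2001:0000::/32, the Teredo service prefix (RFC 4380)


def service_specific_address(server_ipv4: str, external_ipv4: str,
                             external_port: int, cone: bool = False) -> ipaddress.IPv6Address:
    """Derive the host's edge-traversal IPv6 address from the NAT's external IPv4
    address and the UDP port mapped for the host, as the edge traversal server
    would.  RFC 4380 layout: prefix | server IPv4 | flags | ~port | ~client IPv4."""
    flags = 0x8000 if cone else 0x0000            # cone-NAT flag bit
    obfuscated_port = external_port ^ 0xFFFF       # port is stored inverted
    obfuscated_ipv4 = int(ipaddress.IPv4Address(external_ipv4)) ^ 0xFFFFFFFF
    value = ((TEREDO_PREFIX << 96)
             | (int(ipaddress.IPv4Address(server_ipv4)) << 64)
             | (flags << 48)
             | (obfuscated_port << 32)
             | obfuscated_ipv4)
    return ipaddress.IPv6Address(value)


@dataclass(frozen=True)
class Interface:
    name: str
    edge_traversal: bool  # True for the virtual adapter used by the edge traversal service


@dataclass(frozen=True)
class Packet:
    iface: Interface
    protocol: str
    dst_port: int
    solicited: bool  # True when the packet belongs to a flow the host initiated


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str
    dst_port: int
    edge_traversal: bool = False  # hypothetical attribute; legacy rules never set it


def legacy_allows(rule: Rule, pkt: Packet) -> bool:
    """Legacy evaluation: the rule is IP-version and interface agnostic, so it
    matches on protocol and port no matter which adapter delivered the packet."""
    return rule.protocol == pkt.protocol and rule.dst_port == pkt.dst_port


def aware_allows(rule: Rule, pkt: Packet) -> bool:
    """Edge-traversal-aware evaluation: unsolicited traffic that arrives on an
    edge-traversal interface only matches a rule that explicitly opted in."""
    if not legacy_allows(rule, pkt):
        return False
    if pkt.iface.edge_traversal and not pkt.solicited:
        return rule.edge_traversal
    return True


def exposure_report() -> dict:
    """Run one legacy rule against constructed inbound packets and return the
    decision of both evaluators for each, keyed by a short label."""
    physical = Interface("Ethernet", edge_traversal=False)
    virtual = Interface("EdgeTraversalAdapter", edge_traversal=True)
    # Constructed rule: a typical 'allow unsolicited TCP/80 to my web app' rule
    # created before edge traversal existed, so edge_traversal stays False.
    web_rule = Rule("Allow Web App", "tcp", 80)
    packets = {
        "lan_unsolicited": Packet(physical, "tcp", 80, solicited=False),
        "edge_unsolicited": Packet(virtual, "tcp", 80, solicited=False),
        "edge_solicited": Packet(virtual, "tcp", 80, solicited=True),
    }
    return {label: {"legacy": legacy_allows(web_rule, pkt),
                    "aware": aware_allows(web_rule, pkt)}
            for label, pkt in packets.items()}


if __name__ == "__main__":
    # Constructed sample values (the RFC 4380 worked example): server 65.54.227.120,
    # NAT external address 192.0.2.45, mapped UDP port 40000, cone NAT.
    addr = service_specific_address("65.54.227.120", "192.0.2.45", 40000, cone=True)
    print("service-specific address:", addr.exploded)
    for label, verdict in exposure_report().items():
        print(f"{label:18s} legacy={verdict['legacy']!s:5s} aware={verdict['aware']}")
```

The `edge_unsolicited` row is the exposure the text warns about: the legacy evaluator admits unsolicited traffic over the edge-traversal adapter on the strength of a rule that never contemplated it, while the aware evaluator denies it until the rule is explicitly marked for edge traversal. Solicited replies on the virtual adapter pass under both evaluators, since the risk concerns unsolicited inbound traffic only.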