The Off setting is the most permissive: it allows all traffic, both in and out.
LOW allows "safe" incoming connections and denies those that are known to be dangerous, defaulting to "allow" for TCP or UDP connections for which no rule has been specified. LOW allows pretty much all ICMP traffic, but does not send router-oriented (e.g., router advertisement) or deprecated (e.g., source quench) type/code pairs.
The LOW setting will allow bidirectional dynamic ports to be opened (default in: allow, default out: allow). Thus, LOW will support NetMeeting in either direction. As in the HIGH and MEDIUM settings, the LOW setting also allows VPNs, based on both IPsec and on PPTP.
Also as in the HIGH and MEDIUM settings, the LOW setting restricts traffic by prohibiting IP and/or TCP options that might be misused, as well as by preventing the spoofing of IP source addresses (for both IPv4 and IPv6).
MEDIUM will be the default setting when the firewall is first activated. MEDIUM does not have the "stealth" features associated with HIGH, so it allows most (but not all) ICMP error messages to be sent and received. MEDIUM blocks most incoming connections, with the default action for unspecified TCP and UDP connections being "deny". In order to allow file transfers via MSN Messenger and Yahoo! Messenger, incoming connections to port 80 must be allowed (these applications will not work if the HIGH setting is chosen).
The MEDIUM setting will allow dynamic ports to be opened up from the inside only (default in: deny, default out: allow). Thus, MEDIUM will only support outgoing NetMeeting calls.
As in the HIGH setting, the MEDIUM setting allows VPNs based on both IPsec and on PPTP. Also, as in the HIGH setting, the MEDIUM setting restricts traffic by prohibiting IP and/or TCP options that might be misused, as well as by preventing the spoofing of IP source addresses (for both IPv4 and IPv6).
HIGH allows the least traffic through. Only outbound connections may be established. Inbound connections are not allowed. Inbound traffic is allowed only if it is in response to an outbound packet that was seen previously on a valid connection.
HIGH encompasses what is commonly known as "stealth mode", in which the station is not ping-able, and is not permitted to generate any ICMP error messages (except where necessary to permit normal operation).
The HIGH setting allows VPNs, including those based on IPsec (requiring AH, ESP, L2TP, and IKE, i.e., UDP port 500), as well as those that rely on PPTP (which uses GRE).
The HIGH setting also restricts traffic by prohibiting IP and/or TCP options that might be misused, as well as by preventing the spoofing of IP source addresses (for both IPv4 and IPv6).
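The default in/out behaviour of the four settings, modelled as an added example (it is not code from the product or from the original page). The class, field and function names, the explicit-rule set `allow_in_ports` and the addresses are assumptions made for illustration; ICMP other than echo request, VPN protocols, option filtering and anti-spoofing are not modelled.

```python
from dataclasses import dataclass, field

# Default action for TCP/UDP with no matching rule, per level (from the text).
DEFAULT_IN = {"OFF": "allow", "LOW": "allow", "MEDIUM": "deny", "HIGH": "deny"}

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    proto: str            # "tcp", "udp" or "icmp-echo-request"
    local: tuple          # (ip, port) on the protected host
    remote: tuple         # (ip, port) of the peer

@dataclass
class Firewall:
    level: str
    allow_in_ports: set = field(default_factory=set)  # hypothetical explicit rules
    flows: set = field(default_factory=set)           # state from outbound packets

    def decide(self, p: Packet) -> str:
        if self.level == "OFF":
            return "allow"                    # no filtering at all
        if p.proto == "icmp-echo-request":
            # Stealth mode: only HIGH is not ping-able.
            stealth = self.level == "HIGH" and p.direction == "in"
            return "deny" if stealth else "allow"
        key = (p.proto, p.local, p.remote)
        if p.direction == "out":
            self.flows.add(key)               # default out is "allow" at every level
            return "allow"
        if key in self.flows:
            return "allow"                    # reply to traffic the host initiated
        if self.level != "HIGH" and p.local[1] in self.allow_in_ports:
            return "allow"                    # explicit rule; HIGH takes no inbound
        return DEFAULT_IN[self.level]

def netmeeting_call(level: str, caller: str) -> str:
    """Outcome of the first packet of a call on a dynamic port (constructed addresses)."""
    host, peer = ("192.0.2.10", 49200), ("198.51.100.7", 49300)
    direction = "out" if caller == "inside" else "in"
    return Firewall(level).decide(Packet(direction, "udp", host, peer))
```
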