|
Using the Windows Firewall
The settings for ICF in Windows XP with SP1 and Windows XP with no
service packs installed consist of a single checkbox (the Protect my
computer and network by limiting or preventing access to this
computer from the Internet check box on the Advanced tab of the
properties of a connection) and a Settings button from which you can
configure excepted traffic, logging settings, and allowed ICMP
traffic.
Windows XP Service Pack 2 (SP2) includes the new Windows Firewall,
which replaces the Internet Connection Firewall (ICF). Windows
Firewall is a stateful host-based firewall that drops unsolicited
incoming traffic that does not correspond to either traffic sent in
response to a request of the computer (solicited traffic) or
unsolicited traffic that has been specified as allowed (excepted
traffic). Windows Firewall provides a level of protection from
malicious users and programs that rely on unsolicited incoming
traffic to attack computers on a network.
In Windows XP SP2, there are many new features for Windows
Firewall, including the following:
- Excepted traffic can be specified by application filename
- Built-in support for Internet Protocol version 6 (IPv6)
traffic
This page describes in detail the set of dialog boxes to manually
configure the new Windows Firewall. Unlike ICF in Windows XP with
Service Pack 1 (SP1) and Windows XP with no service packs installed,
the configuration dialog boxes configure both IPv4 and IPv6 traffic.
|
Step 1: Print this page.
|
|
Step 2: Open the windows firewall control panel.
|
|
Step 3:
In Windows XP SP2, the check box on the Advanced tab of
the properties of a connection has been replaced with a
Settings button from which you can configure general
settings, exceptions for programs and services,
connection-specific settings, log settings, and allowed ICMP
traffic. The Settings button launches the new Windows
Firewall Control Panel applet, which is also available from
the Network and Internet Connections and Security Center
categories of Control Panel.
The new Windows Firewall dialog box contains the
following tabs:
General Tab
The General tab with its default settings is shown in the
following figure.
From the General tab, you can select the following:
- On (recommended)
Select to enable Windows Firewall for all of the
network connections that are selected on the Advanced
tab. Windows Firewall is enabled to allow only
solicited and excepted incoming traffic. Excepted
traffic is configured on the Exceptions tab.
- Off (not recommended)
Select to disable Windows Firewall. This is not
recommended, especially for network connections that
are directly accessible from the Internet, unless you
are already using a third-party host firewall product.
Notice that the default setting for Windows Firewall is
On (recommended) for all the connections of a computer
running Windows XP with SP2 and for newly created
connections. This can impact the communications of programs
or services that rely on unsolicited incoming traffic. In
this case, you must identify those programs that are no
longer working and add them or their traffic as excepted
traffic. Many programs, such as Internet browsers and email
clients (such as Outlook Express), do not rely on
unsolicited incoming traffic and operate properly with
Windows Firewall enabled.
|
|
Step 4:
Exceptions Tab
The Exceptions tab with its default settings is shown in
the following figure.
From the Exceptions tab, you can enable or disable an
existing program (an application or service) or port or
maintain the list of programs and ports that define excepted
traffic. The excepted traffic is not allowed when the
Donít allow exceptions option is selected on the
General tab.
With Windows XP with SP2, you can define excepted traffic
in terms of TCP and UDP ports or by the file name of a
program (an application or service). This configuration
flexibility makes it easier to configure excepted traffic
when the TCP or UDP ports of the program are not known or
are dynamically determined when the program is started.
You can create additional exceptions based on specifying
a program name by clicking Add Program and exceptions based
on specifying a TCP or UDP port by clicking AddPort.
|
|
|
Step 5:
When you click Add Program, the Add Program dialog box is
displayed from which you can select a program or browse for
a programís file name. An example is shown in the
following figure.
|
|
|
Step 6:
Advanced Tab
The Advanced tab is shown in the following figure.
|
|
|
All of the programs or services enabled from the
Exceptions tab are enabled for all of the connections that
are selected on the Advanced tab.
The Advanced tab contains the Network Connections
Settings.
In Network Connection Settings, you can:
- Specify the set of interfaces on which Windows
Firewall is enabled. To enable, select the check box next
to the network connection name. To disable, clear the
check box. By default, all of the network connections
have Windows Firewall enabled. If a network connection
does not appear in this list, then it is not a standard
networking connection. Examples include some custom
dialers from Internet service providers (ISPs).
- Configure advanced settings of an individual network
connection by clicking the network connection name, and
then clicking Settings.
If you clear all of the check boxes in the Network
Connection Settings, then Windows Firewall is not protecting
your computer, regardless of whether you have selected On
(recommended) on the General tab. The settings in
Network Connection Settings are ignored if you have selected
Don't allow exceptions on the General tab, in which case all
interfaces are protected.
When you click Settings, the Advanced Settings dialog box
is displayed, as shown in the following figure.
|
|
|
From the Advanced Settings dialog box, you can configure
specific services from the Services tab (by TCP or UDP port
only) or enable specific types of ICMP traffic from the ICMP
tab.
ICMP
In ICMP, click Settings to specify the types of ICMP
traffic that are allowed in the ICMP dialog box, as shown in
the following figure.
|
|
|
From the ICMP dialog box, you can enable and disable the
types of incoming ICMP messages that Windows Firewall allows
for all the connections selected on the Advanced tab. ICMP
messages are used for diagnostics, reporting error
conditions, and configuration. By default, no ICMP messages
in the list are allowed.
A common step in troubleshooting connectivity problems is
to use the Ping tool to ping the address of the computer to
which you are trying to connect. When you ping, you send an
ICMP Echo message and get an ICMP Echo Reply message in
response. By default, Windows Firewall does not allow
incoming ICMP Echo messages and therefore the computer
cannot send an ICMP Echo Reply in response. To configure
Windows Firewall to allow the incoming ICMP Echo message,
you must enable the Allow incoming echo request setting.
|
|
Step 7:
Windows Firewall Notifications
Applications can use Windows Firewall application
programming interface (API) function calls to automatically
add exceptions. When an application that does not use the
Windows Firewall API runs and attempts to listen on TCP or
UDP ports, Windows Firewall prompts a local administrator
with a Windows Security Alert dialog box, an example of
which is shown in the following figure.
|
|
|
The local administrator can choose one of the following:
- Keep Blocking Adds the application to the exceptions
list but in a Disabled state so that the ports are not
opened. Unsolicited incoming traffic for the application
is blocked unless the local administrator specifically
enables the exception on the Exceptions tab. By adding
the application to the exceptions list, Windows Firewall
does not prompt the user every time the application is
run.
- Unblock Adds the application to the exceptions list
but in an Enabled state so that the ports are opened.
- Ask Me Later Block unsolicited incoming traffic for
the application and do not add it to the exceptions list.
The local administrator will be prompted again the next
time the application is run.
To determine the path of the application from the Windows
Security Alert dialog box, place the mouse pointer over the
name or description of the application. The displayed tool
tip text indicates the path to the application.
If the user is not a local administrator, the Windows
Security Alert dialog box informs the user that the traffic
is being blocked, and to contact their network administrator
for more information.
Services do not prompt the user with a Windows Security
Alert dialog box. Therefore, you should manually configure
exceptions for them.
| |
News
