Windows XP's Firewall

Internet Connection Firewall overviewA firewall is a security system that acts as a protective boundary between a network and the outside world. Internet Connection Firewall (ICF) is firewall software that is used to set restrictions on what information is communicated from your home or small office network to and from the Internet to your network.

If your network uses Internet Connection Sharing (ICS) to provide Internet access to multiple computers, ICF should be enabled on the shared Internet connection. However, ICS and ICF can be enabled separately. You should enable ICF on the Internet connection of any computer that is connected directly to the Internet. To check to see if ICF is enabled or to enable the firewall, see Enable or disable Internet Connection Firewall.

ICF also protects a single computer connected to the Internet. If you have a single computer connected to the Internet with a cable modem, a DSL modem, or a dial-up modem, ICF protects your Internet connection. You should not enable ICF on VPN connections because it will interfere with the operation of file sharing and other VPN functions.

How Internet Connection Firewall (ICF) works
ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer. In the case of a single computer, ICF tracks traffic originated from the computer. When used in conjunction with ICS, ICF tracks all traffic originated from the ICF/ICS computer and all traffic originated from private network computers. All inbound traffic from the Internet is compared against the entries in the table. Inbound Internet traffic is only allowed to reach the computers in your network when there is a matching entry in the table that shows that the communication exchange began from within your computer or private network.

Communications that originate from a source outside ICF computer, such as the Internet, are dropped by the firewall unless an entry in the Services tab is made to allow passage. Rather than sending you notifications about activity, ICF silently discards unsolicited communications, stopping common hacking attempts such as port scanning. Such notifications could be sent frequently enough to become a distraction. Instead, ICF can create a security log to view the activity that is tracked by the firewall. See Internet Connection Firewall security log file overview.

Services can be configured to allow unsolicited traffic from the Internet to be forwarded by the ICF computer to the private network. For example, if you are hosting an HTTP Web server service, and have enabled the HTTP service on your ICF computer, unsolicited HTTP traffic will be forwarded by the ICF computer to the HTTP Web server. A set of operational information, known as a service definition, is required by ICF to allow the unsolicited Internet traffic to be forwarded to the Web server on your private network. For information about services, see Add a service definition, and Service definitions overview.

Internet Connection Firewall Considerations
ICF and Home or Small Office communications
You should not enable Internet Connection Firewall (ICF) on any connection that does not directly connect to the Internet. If the firewall is enabled on the network adapter of an ICS client computer, it will interfere with some communications between that computer and all other computers on the network. For a similar reason, the Network Setup Wizard does not allow ICF to be enabled on the ICS host private connection, the connection that connects the ICS host computer with the ICS client computers, because enabling a firewall in this location would completely prohibit network communications.

Internet Connection Firewall is not needed if your network already has a firewall or proxy server.

If your network has only one shared Internet connection, you should protect it by enabling Internet Connection Firewall. Individual client computers may also have adapters, such as a dial-up or DSL modem, that provide individual connections to the Internet and are vulnerable without firewall protection. ICF can only check the communications that cross the Internet connection on which it is enabled. Because ICF works on a per connection basis, you need to enable it on all computers with connections to the Internet, in order to ensure protection for your entire network. If you have enabled the firewall on the ICS host computer's Internet connection, but a client computer with a direct Internet connection is not using the firewall for protection, your network will be vulnerable through that unprotected connection.

The service definitions that allow services to operate across ICF also work on a per connection basis. If your network has multiple firewall connections, service definitions must be configured for each firewalled connection you want the service to work through.

ICF and notification messages
Because ICF inspects all incoming communications, some programs, especially e-mail programs, may behave differently when ICF is enabled. Some e-mail programs periodically poll their e-mail server for new mail and some e-mail programs wait for notification from the e-mail server.

Outlook Express, for example, automatically checks for new e-mail when its timer tells it to do so. When new e-mail is present, Outlook Express prompts the user with a new e-mail notification. ICF will not affect the behavior of this program, because the request for new e-mail notification originates from inside the firewall. The firewall makes an entry in a table noting the outbound communication. When the new e-mail response is acknowledged by the mail server, the firewall finds an associated entry in the table and allow the communication to pass, then the user receives notification that a new e-mail has arrived.

Office 2000 Outlook, however, is connected to a Microsoft Exchange server that uses a remote procedure call (RPC) to send new e-mail notifications to clients. Office 2000 Outlook does not automatically check for new e-mail when it is connected to an exchange server. The Exchange server notifies Office 2000 Outlook when new e-mail arrives. Because the RPC notification is initiated from the exchange server that is outside the firewall, not by Office 2000 Outlook, which is inside the firewall, ICF cannot find the corresponding entry in the table, and the RPC messages are not be allowed to cross from the Internet into the home network. The RPC notification message is dropped. Users can send and receive e-mail, but need to manually check for new e-mail.

Advanced ICF Settings
The ICF security logging feature provides a way to create a security log of firewall activity. ICF is capable of logging both traffic that is permitted and traffic that is rejected. For example, incoming echo requests from the Internet, by default, are not allowed by the firewall. If the Internet Control Message Protocol (ICMP) Allow incoming echo request is not enabled, then the inbound request fails, and a log entry that notes the failed inbound attempt is generated. See Internet Connection Firewall security log file overview. For information about ICMP, see Internet Control Message Protocol (ICMP).

ICMP allows you to modify the behavior of the firewall by enabling various ICMP options, such as Allow incoming echo request, Allow incoming timestamp request, Allow incoming router request and Allow redirect. Brief descriptions of these options are provided on the ICMP tab. For navigation and instructions for ICMP see Enable Internet Control Message Protocols.

You can set the allowable size of the security log to prevent the potential overflow that could be caused by denial-of-service attacks. Event logging is generated into the Extended Log File Format as established by the World Wide Web Consortium (W3C). For more information about ICF security logging, see Internet Connection Firewall security log file overview.

Note

Internet Connection Sharing, Internet Connection Firewall, Discovery and Control, and Network Bridge are not available on Windows XP 64-Bit Edition.
Related Topics

 

Thanks Controller, I just got a laptop for my wife with XP /home and I hadn't gotten to these items yet. I just got through the updates. It took a while to do all the updates with all the reboots etc. Firewall is next.

 

Zappa

Your wife will enjoy XP. If she is used to the classic Windows
Feel go to control panel, Taskbar and Start Menu, click start menu,
Classis Start Menu.

To enable XP's built in Firewall, Control Panel, Network Connections,
Click on the Netowrk Icon, General,properties,advanced and check the box
Internet Connection Firewall,,,

 

Controler,

You've got me doubting. Is it a good idea to trust a firewall built by M$ ?
This is not meant as pure criticism, but like everything else that Microsoft builds and makes popular it will be one of the first on the lists of hackers and other [glow=red,2,300]*peep*[/glow] to try and punch holes in. I realise that this might as well be an advantage.
One other thing has me troubled. Being an M$ application it will most likely give permission to all of his "colleagues"

Regards,

Pieter

 

Hello,

Keep in mind ICF only monitor IN and no OUT :
trojans and spywares are very happy with that

Rgds,

 

Nope I am not suggesting anyone use only the default XP firewall
@ all. I only posted it for reading material. The Firewall was not enabled by default on my laptop. I am saying the XP firewall is better than nothing @all but should NOT give a false sence of security.

Here is a copy of my XP firewall logfile. The user decides how big to make the log file. I save it to desktop so I can get at it easier.

#Verson: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info



2002-06-14 08:54:55 OPEN UDP 192.168.1.100 xx.xxx.xxx.50 3008 53 - - - - - - - -
2002-06-14 08:54:55 OPEN TCP 192.168.1.100 xx.xxx.xxx.53 3010 110 - - - - - - - -
2002-06-14 08:55:55 CLOSE TCP 192.168.1.100 xx.xxx.xxx.53 3010 110 - - - - - - - -
2002-06-14 08:56:55 CLOSE UDP 192.168.1.100 xx.xxx.xxx.50 3008 53 - - - - - - - -
2002-06-14 08:58:03 OPEN TCP 192.168.1.100 xx.xxx.xxx.53 3011 25 - - - - - - - -
2002-06-14 08:58:55 CLOSE TCP 192.168.1.100 xx.xxx.xxx.53 3011 25 - - - - - - - -
2002-06-14 09:05:54 OPEN TCP 192.168.1.100 xx.xxx.xxx.53 3012 25 - - - - - - - -
2002-06-14 09:06:55 CLOSE TCP 192.168.1.100 xx.xxx.xxx.53 3012 25 - - - - - - - -
2002-06-14 09:09:40 OPEN TCP 192.168.1.100 xx.xxx.xxx.53 3013 25 - - - - - - - -
2002-06-14 09:09:55 CLOSE TCP 192.168.1.100 xx.xxx.xxx.53 3013 25 - - - - - - - -
2002-06-14 09:10:29 OPEN TCP 192.168.1.100 xx.xxx.xxx.53 3015 110 - - - - - - - -
2002-06-14 09:10:55 CLOSE TCP 192.168.1.100 xx.xxx.xxx.53 3015 110 - - - - - - - -
2002-06-14 09:13:45 OPEN TCP 192.168.1.100 xx.xxx.xxx.53 3017 110 - - - - - - - -
2002-06-14 09:13:55 CLOSE TCP 192.168.1.100 xx.xxx.xxx.53 3017 110 - - - - - - - -

 

Here's a link to MS bulletin about XP's firewall
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q323009&GSSNB=1

IMHO just another reason to not use it!


EDIT: I have the link repaired; FanJ

 

So unplug the D A M N RJ45 cable before shutting down and don't plug it again till you are all booted up LOL

I came from the old days when you had to change the TV channels
by hand