Windows XP firewall

Discussion in 'other firewalls' started by Stem, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Thank you for the positive feedback.
    Certainly worth the time to create/post if others find the info useful.

    - Stem

    EDIT:

    I will sticky the thread for a week.
    The thread is now linked in the "Other Firewalls Sticky Posts".
     
    Last edited: Aug 30, 2008
  2. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    If possible I would seriously sticky this. It has an untold number of uses for people looking for a free, already built-in firewall.

    After all, this is what this forum is all about: firewalls :argh:
     
  3. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Is it best to disable standard services that are checked (like Remote Assistance)?
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    If you are not using any of the services that are checked (ticked) then yes, uncheck them.
     
  5. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    OK, I will. I never use Remote Assistance so no need for it to be ticked.
    I'll have another look at the second service that was on by default (can't remember the name at the moment).
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    This thread and the learnings in it are excellent! Thank you very much.


    A question, if it isn't OT, regarding hardnit (sp?) is:

    Will a user be able to use hardinit to accomplish these same options via that product, or is it best to do it directly as you are showing in this LT?
     
  7. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    You can save your rules from here:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

    and restore them to a new install later. Mind the app paths, if you've changed them.
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Glad to see this stickiefied. Finally a thread dealing with the "grey area" of firewalls. Good effort Stem.
    As Windows Firewall showed a good ability to filter flags, I would also like to see more info on filtering other header data (seq and ack numbers). If Windows Firewall can do it at all, that is...

    File and Print sharing?

    Harden-it is a tool for hardening the TCP/IP stack (not the firewall itself) and will apply a few registry changes. You can't change those from within Windows Firewall; you need to use tools such as Harden-it. Or manually edit...

    Cheers,
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks, Nick for straightening me out on yet another confusion! :)
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Nick,

    I will find some time to check on that. I will post results once done.

    - Stem
     
  11. wat0114

    wat0114 Guest

    Hello Stem,

    nice thread with great examples. One question I have: in post #12 you mention running a scan from ShieldsUp to test the firewall, but I see a destination ip address of 192.168.1.101. Is there a router involved here? If so, does it not play a part in blocking the scans? Do you have the DMZ enabled on it? Thanks in advance!
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,

    The test would be flawed if I was to sit the test PC behind a filtering gateway/router, so yes, you could say it was demilitarized (DMZ). Normally it is filtered by my gateway (PC).

    There was only the possibility of my ISP making some interception/filtering during the scan, and on the common ports, my ISP does intercept and stealth port 445, so that port does not show as scanned/blocked within the firewall logs. But other than that, all packets did hit the firewall on the test PC and were logged.

    - Stem
     
  13. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    No, it's 'Network control for XP'. I guess I can't turn that off...
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am not sure what that is. It may be a 3rd party utility, but should not require inbound connections.

    Remove it from the list completely, then can you take a screen grab of the alert if it asks for inbound again (but block it from being allowed inbound and we will find out what it is).


    - Stem
     
  15. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Turn it off (uncheck it) or really remove it from the list?
    Can removing this from the list cause my network to not function properly?
    I'm guessing this is something that got 'installed' when I configured a router, but I'm not entirely sure.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Remove it from the list.
    No, if it is/was required then you will get another popup, then please take a screen grab or take note of the full name of the application in the popup windows. (we may need to check the registry for its location)
    I think it may be a utility for the NIC card.


    - Stem
     
  17. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    OK, I will do that later this week.
    What kind of popup should I get in case the service IS required?
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The popup will be the same as shown earlier in the thread here but that does not mean that the application actually needs inbound, just that the application is attempting to listen for inbound.

    The location of the application should be found in the Windows registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    There will be an entry showing the application's full path and correct name.


    - Stem
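
The registry check described above, as an added example that is not part of the original post: it parses a .reg export of the AuthorizedApplications\List key and reports which applications are still enabled for inbound from any address. The sample export is constructed, and the value layout `path:scope:Enabled|Disabled:name` is an assumption about how XP stores these entries.

```python
import re

# Constructed sample .reg export (not from the thread). Assumed data layout:
#   <path>:<scope>:<Enabled|Disabled>:<display name>
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Disabled:Remote Assistance"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:Network Diagnostics"
"C:\\Program Files\\Example\\sync.exe"="C:\\Program Files\\Example\\sync.exe:LocalSubNet:Enabled:Example Sync: LAN"
'''

# One "name"="data" string value per line; backslash and quote are escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
STATUS_RE = re.compile(r':(enabled|disabled):', re.IGNORECASE)


def unescape(text):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', text)


def parse_exceptions(reg_text):
    """Return one dict per application exception found in the export."""
    entries = []
    for line in reg_text.splitlines():
        match = VALUE_RE.match(line.strip())
        if not match:
            continue  # header, key name or blank line
        data = unescape(match.group(2))
        status = STATUS_RE.search(data)
        if not status:
            continue  # not in the assumed layout
        # The path can hold a drive-letter colon, so the scope is whatever
        # follows the last colon before the status field.
        path, _, scope = data[:status.start()].rpartition(':')
        entries.append({
            'path': path,
            'scope': scope,
            'enabled': status.group(1).lower() == 'enabled',
            'name': data[status.end():],
        })
    return entries


def open_to_any(entries):
    """Paths that are enabled for inbound with scope '*' (any address)."""
    return [e['path'] for e in entries if e['enabled'] and e['scope'] == '*']
```

Files written by regedit's export are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing the text to `parse_exceptions`.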
     
  19. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    It seems that 'Network control for Windows XP' (I did a Google search) is a standard MS tool (available in XP) for checking network connectivity.

    I'm not sure if it needs to be checked in XP's firewall though.
     
  20. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    The program is xpnetdiag.exe (comes with XP). I have unchecked it in the list. So far no popups or messages.
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Stijnson,

    Thank you for checking and reporting this. I certainly admit this is new to me (well, we all learn one way or another); I have never used it.

    Certainly for the OS to operate there is no need to allow inbound connections, even for basic browsing it is a definite NO.


    - Stem


    Edit.

    Is that program currently running?
     
    Last edited: Sep 17, 2008
  22. Paroxysm

    Paroxysm Registered Member

    Joined:
    Jan 17, 2008
    Posts:
    4
    Is it possible to add an IP blocklist to Windows Firewall? What I mean is, I use PeerGuardian2 and I also use Blocklist Manager to get lists. Now, is there a way for me to take those same lists and add them into the Windows firewall so I then won't need to run PeerGuardian2?
    The firewall I have right now is Ghost wall, but it is a little bit difficult for me to figure out.
     
    Last edited: Jan 30, 2009
  23. zen_usuario

    zen_usuario Registered Member

    Joined:
    Dec 7, 2008
    Posts:
    153
    I've used this MS program (xpnetdiag.exe) sometimes to check and diagnose my internet access status and configuration when my internet connection wasn't accessible for reasons unknown to me. It did not help a lot; it only invited me to check "repair" or reconfigure my connection or my Winsock data.
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You can use the hosts file to block a domain name, such as yahoo.com. It would not matter what IP yahoo.com uses, it would be blocked.

    If you have an app like Avira, and you wanted to block it getting updates, you would need to find all the domain names it could go to, such as update1.com, update2.com, update3.com , etc etc. Very inconvenient. It would have been much easier just to do a whois on avira, find the netblock it has, and then use something like iptables to add a rule sorta like 2.22.2.22 - 2.23.2.22/block. Then you could deny entire blocks of ip ranges.

    You could add a route to your computer's routing table, and tell certain IPs to be routed to a local IP that has no machine on it. For instance, if you wanted to block 2.22.2.22, you could add a route so that all traffic to that IP would go to 192.168.1.250, where this is your LAN subnet and no computer lives @ .250.

    You could also engage ipsec, and create a simple ipsec deny rule for a specific IP. I have a thread in this forum on how to do that.

    Someone feel free to correct me if this is not right.

    Sul.
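
The routing-table approach from the post above, applied to the blocklist question earlier in the thread, as an added example that is not part of the original posts: it converts blocklist ranges into aligned network blocks and builds the matching Windows `route add` lines pointing at the unused LAN address. The sample list is constructed, and the `label:start-end` line format is an assumption about the PeerGuardian-style text lists mentioned in the thread.

```python
import ipaddress

SINK_GATEWAY = "192.168.1.250"  # unused LAN address named in the post above

# Constructed sample list (assumed "label:start-end" text format).
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
Range quoted in the post:2.22.2.22-2.23.2.22
Example Org: test net:198.51.100.0-198.51.100.255
not a valid line
"""


def parse_ranges(text):
    """Yield (label, first, last) for each well-formed line, skipping the rest."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Labels may contain colons, so the range is after the last one.
        label, sep, span = line.rpartition(":")
        first, dash, last = span.partition("-")
        try:
            a = ipaddress.IPv4Address(first.strip())
            b = ipaddress.IPv4Address(last.strip())
        except ValueError:
            continue  # malformed address or no range on this line
        if sep and dash and a <= b:
            yield label, a, b


def to_networks(first, last):
    """Smallest set of aligned networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(first, last))


def route_commands(text, gateway=SINK_GATEWAY):
    """Build one 'route add' line per network; nothing is executed here."""
    commands = []
    for _label, first, last in parse_ranges(text):
        for net in to_networks(first, last):
            commands.append(
                f"route add {net.network_address} mask {net.netmask} {gateway}")
    return commands
```

An arbitrary start-end range rarely falls on network boundaries, so a single list line can expand into many routes; check `len(route_commands(...))` before loading a large list into the routing table.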
     