Windows XP firewall

Discussion in 'other firewalls' started by Stem, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello.

    I am making this thread/post to show first the settings/options and then the filtering capabilities of the windows XP firewall.

    Please note: This is not an A vs B thread, but for info for the "Windows Firewall".


    Those who may still have basic questions, such as to why a firewall should be used, I would first ask you to read the top forum sticky post:-

    Firewall Questions for beginners



    .
     
    Last edited: Aug 24, 2008
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    So first:

    From the Control panel~ "Windows firewall" you will get a popup window for the settings:-

    WF01.jpg

    The first Tab is for "General". We see:-

    1/ Simply for the option to enable the windows firewall

    2/ If you enable this option "Don't allow exceptions", then the firewall will block all unsolicited inbound connections. It will also over-ride any application permissions that have been allowed inbound and any ICMP settings (we will look at those later).

    3/ Simply for the option to disable the windows firewall
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    We now go to the "Exceptions" tab.

    Please note, these settings are only relevant if the "Don't allow exceptions" is unchecked.

    WF02.jpg

    As during this I am re-checking my notes/findings of tests made earlier, I am going to make a post for each of the numbered options above.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    1
    Programs and Services
    (Note: The above list is the default list ~as from a reset)

    This area will show which programs/services are allowed or blocked from being allowed unsolicited inbound.
    If the program/service checkbox is clear, then that program is not allowed the inbound. If the checkbox is checked(ticked) then that application will be allowed inbound to any port it listens on (NOTE: please also see 3)

    Windows firewall will alert to an application that is attempting to listen on a port; it is not actually showing that the program is receiving inbound.

    So for an example:-

    I have an application that is not currently on the "Programs and services" list,
    as soon as that application attempts to "listen" on a port there will be a popup:-(NOTE: please also see 3 and 6)

    program alert.jpg

    From the popup, you are given 3 choices

    Keep blocking: Will add the program to the list as "blocked"
    Unblock: Will add the program to the list as "allowed"
    Ask me later: Will block the program until it is restarted, and then will give another popup if that program attempts to listen again, but the program is not added to the list.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    2
    Add Program

    With this option you can manually add a program to the list, this can be helpful if you want to restrict the program to only be allowed inbound from your LAN or a specific IP / list or range before it is executed.

    So to add a new program simply press "Add Program", you can then browse for the program:-

    Test01.jpg

    Once selected, if you want to restrict the program to specific IP(s) select "change scope" which will bring up a window:-

    test02.jpg

    You can then add either your subnet or a single IP etc
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    3
    Add Port,

    This option will allow you to force open a local port.

    The only benefit from this that I can see, is that you have the option to allow either TCP or UDP, so you can then filter between them on the port selected.
    There is also the option to add IP(s) (via the "change scope" option) if required.

    The downside is that adding such a port will make that port available to any program regardless if it is blocked, or not on the list of applications. There will be no warning if an application uses that port. The port will also respond to scans etc even if no application is currently using the port.

    (Note: please also see 6)
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    4
    EDIT

    This will bring up a window of the selected application showing its path, you can also then edit (using the "change scope") the IP(s) that the application is allowed inbound from.


    5
    Delete

    This allows you to delete any of the added programs. Simply select a program, and press delete. But, you cannot delete the 4 default rules that are in place.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    6
    Display a notification when Windows Firewall blocks a program.

    If the option is checked(ticked)

    If an application is not on the list and it attempts to listen on a port then you will get a popup, but, if a port has been added via the "add port" and that application listens on that port, then it will be allowed with no popup.

    If the option is unchecked(not ticked)

    If an application is not on the list and it attempts to listen on a port, it will be blocked with no popup, but again, if a port has been added via "add port" the application will be allowed to listen on that port.

    Now, if there have been no ports added via the "add ports", then I can look at this option when disabled (unchecked) as a "Block all that has not been allowed"
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    Now we move on to the "Advanced" tab.

    WF03.jpg

    1
    This area shows you the connections (NIC cards etc) that are being protected by the windows firewall.
    Next to that window you will see "Settings". So if you select one of the connections (NICs) then select settings it will give you a popup window as seen below:-
    Now, you can use this to create open ports for your own PC (as with the "add port" we looked at earlier), but its main intention is for routing traffic to internal, such as a PC connected via ICS (Internet connection Sharing).
    So for example, if you had a PC connected via ICS and that PC needed unsolicited inbound, maybe for a game server or P2P, then you can make settings in this area to allow that inbound.
    So as an example:-
    You have a server (game whatever) running on the PC via ICS and you want to allow inbound to its port 50000 TCP, you would first select the connection(NIC) that is connected to the internet then select settings which will give you a popup:-

    Advanced settings.jpg

    Now, if you do have a PC connected via ICS there will already be some services enabled such as DHCP and DNS, those are needed for the ICS, there are other services that can be enabled, but as we want a custom port, we will add a service to use. So select "Add" which will give a popup:-

    service.jpg

    So add a description in the top, then you need to add the name or IP of the PC that the packets are to be routed to, in this instance the PC that is connected via ICS, so add that IP (you can find that from that PC itself if needed). You then add the port, just place the same port in both external and internal. Once done click OK and then the PC connected via ICS will be sent inbound packets to that port.
    The second tab is for ICMP:-

    route_ICMP.jpg


    Now these ICMP settings are for those services, such as the one we just created, so any allowed ICMP made here will simply allow ICMP to/from the PC running that service (such as the PC on ICS)
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    2
    Security Logging

    Clicking settings will bring up the options:-

    logging.jpg

    Here you can select to log the blocked and/or allowed packets. You can select where the log is stored and what the log is to be named and also the size limit of the log.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Windows firewall

    3
    ICMP

    Select settings to bring up the options:-

    main_ICMP.jpg

    Those ICMP settings are for the PC you are using.




    4
    Restore Defaults

    If you have problems with settings you have made, or simply want to go back to the windows firewall default setting, then press "Restore Defaults"
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    So, now on to the scanning/filter tests and a look at the firewall logs.


    I normally do all tests internally, but as I know a number of users like a result from shieldsup, I ran the scan, which showed "fully stealthed". Below is part of the windows firewall log showing some of the blocked packets, and I will show a breakdown of the main entries.

    This is a screen grab (reduced image) of part of the log from a scan at shieldsup.

    log.jpg

    The main entries to note for TCP/UDP are the first 7 entries on each line. Below is a breakdown of what each of those first 7 entries are:-

    log_entry.jpg

    The last number shown "78" is just the packet size.


    I then ran a number of internal scans which gave the same result as above. I also made excessive scanning (basically a flood) against the firewall to see how it would handle a constant flood of packets/scans. The test PC is an Athlon 64 single core 3800. Normal idle shows between 0-2%; with the scan floods running, the processor showed between 7-8% with the windows firewall log enabled and 4-5% with the logging disabled, so really a minimal impact on the system and no effect on internet connections.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    So on to checking for the filtering of illegal flagged packets.

    I will first point out that this simple test is flawed, as in itself it does not determine if these packets are being filtered due to the illegal flags within the packets or, that they are being dropped due to being out of sequence, but that is not a problem in this test, as the main point is to see if such packets are dropped/blocked.

    So the test.

    I make a direct outbound connection from the test PC to another PC, so that then gives me an open connection on the test PC. I then send a stream of illegal flagged packets to that open connected port.

    The result was all illegal flagged packets were dropped/blocked.
    (For this test I did enable the Windows firewall log to log allowed and blocked.)

    Here is the log, which I will explain.

    log02.jpg



    The first entry is the connection made to the remote PC.

    The "see NOTE" entries are due to test software making DNS due to my checking netstat to confirm the local port being used; they can be ignored, but I did not want to edit the log.

    The vertical line is highlighting the illegal packets that were dropped; on the right of that line you will see the various flags that were set in the packets.

    The last entry is where I closed the connection.
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Now, just a need to show a log entry for ICMP.


    This is just showing 4 blocked ICMP pings (echo requests)

    ICMP_log.jpg

    You will see that the info is similar to that described before, showing date/time, the fact that the packet is DROP (blocked), the protocol~ ICMP, then the source and destination IPs. There is then the packet size, but what is of interest is the "Type" and "Code", which is shown with the "Type 8"~"Code 0", which is, as mentioned, a Ping (or echo request).

    For info about ICMP and the various Types and Codes, there is info here
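
The log breakdowns in the three posts above (port scan drops, illegal-flag drops, ICMP Type/Code), as an added example that is not part of the original thread: a small parser that reads entries in the field order of the "#Fields:" header Windows Firewall writes to pfirewall.log and summarises the dropped packets. The sample lines are constructed, and the "odd flags" rule is a heuristic assumed for this example.

```python
# Added example: field order as given by the "#Fields:" header of pfirewall.log.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()

# Constructed sample lines (documentation address ranges), not the thread's logs.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-08-24 10:15:01 DROP TCP 198.51.100.7 192.0.2.10 40112 139 48 S 1234567 0 8192 - - -
2008-08-24 10:15:02 DROP UDP 198.51.100.7 192.0.2.10 40113 137 78 - - - - - - -
2008-08-24 10:16:10 OPEN TCP 192.0.2.10 198.51.100.20 1045 80 - - - - - - - -
2008-08-24 10:16:12 DROP TCP 198.51.100.20 192.0.2.10 80 1045 40 SF 555 0 512 - - -
2008-08-24 10:16:12 DROP TCP 198.51.100.20 192.0.2.10 80 1045 40 FPU 555 0 512 - - -
2008-08-24 10:16:30 CLOSE TCP 192.0.2.10 198.51.100.20 1045 80 - - - - - - - -
2008-08-24 10:17:00 DROP ICMP 198.51.100.7 192.0.2.10 - - 60 - - - - 8 0 -
"""

ICMP_NAMES = {("8", "0"): "echo request", ("0", "0"): "echo reply"}

def parse(text):
    """Return one dict per log entry, skipping '#' header lines and short lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def odd_flags(flags):
    """Heuristic assumed here: SYN+FIN, SYN+RST, or FIN/PSH/URG without ACK."""
    f = set(flags) - {"-"}
    return {"S", "F"} <= f or {"S", "R"} <= f or bool(f & {"F", "P", "U"} and "A" not in f)

def summarize(rows):
    """Count DROP entries; list odd-flag TCP drops and decoded ICMP drops."""
    out = {"dropped": 0, "odd_flag_drops": [], "icmp_drops": []}
    for r in rows:
        if r["action"] != "DROP":
            continue
        out["dropped"] += 1
        if r["protocol"] == "TCP" and odd_flags(r["tcpflags"]):
            out["odd_flag_drops"].append((r["src_ip"], r["dst_port"], r["tcpflags"]))
        elif r["protocol"] == "ICMP":
            key = (r["icmptype"], r["icmpcode"])
            out["icmp_drops"].append((r["src_ip"], ICMP_NAMES.get(key, "type %s code %s" % key)))
    return out

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

Point `parse` at the contents of your own log file (the location is whatever is set under Security Logging) to get the same summary for real traffic.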
     
  15. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks Stem. Very clear and useful post.
    Would you consider the filtering of Windows' firewall sufficient or not? Or is it too basic?
     
  16. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Stem, if I remember correctly Windows Firewall's abilities are limited to UDP, TCP, ICMP. And we can't add rules for other protocols like say ARP, right?
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Correct.

    IP protocol control can be made (if required) via the Advanced TCP/IP settings ~ options~ TCP/IP filtering-Properties (on a per-interface basis).


    - Stem
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For TCP/UDP/ICMP the inbound filtering is very good. So for home users on a reputable ISP (most of whom are now on an ISP LAN), who only want inbound filtering, then it is sufficient (IMHO).
     
  19. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Thanks Stem.
    Very nice work.
    Definitely worth a sticky or a bookmark! :D
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,693
    Hello,
    Very nice one ...
    Cheers
    Mrk
     
  21. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Thanks, Stem for the answer and a brilliant post :thumb:
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Thanks for all the effort Stem, nice post indeed... very nice....
     
  23. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    This one should be stickied; it will help newcomers that just want a basic simple inbound outbound firewall. It also helps them set it up correctly.
     
  24. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Thanks for taking the time to write this post! :)
     
  25. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Very useful thread, thank you for taking the time to do this.
     