Introduction

Windows Firewall is a personal firewall. It blocks all unsolicited inbound traffic, but you can add exceptions if you are running with local administration rights. Exceptions may be made by port number or by application (i.e. allow a certain application to communicate on any port), and constrained by a scope (i.e. only allow communication from a certain range of IP addresses). The following examples refer to the firewall in Windows XP, but the principle remains the same in Vista/Windows 7, albeit with more sophisticated features.

Exceptions

There are preset exceptions for Remote Desktop and File and Printer Sharing which you may wish to enable (from the Exceptions tab in the Windows Firewall control panel) to allow Remote Desktop and/or remote file access to your machine.

The Firewall in Action

When a program first listens on a port for unsolicited input, i.e. acts as a server, a window will pop up. Its look will differ depending upon whether you are running with local admin rights or not. For example, on running Exceed:

Ordinary User:

Do not worry. Typically the program will work fine as you won't be using its server capabilities.

Local Admin User:

Again, do not worry.

/!\ Do not select the Unblock button unless you are sure it is necessary. In most cases it isn't. Exceed will work fine without being unblocked (using our standard way of initiating connections via Secure Shell, as described elsewhere). The same is true of many other applications. Unless you fully understand the behaviour of the application (e.g. you wrote it :) ), it is better to leave the application blocked rather than opening up your system unnecessarily. If you discover later that some feature doesn't work, you can reconsider the decision.

/!\ If you do select the Unblock button, the default scope of "the internet" is used. You can change this from the Windows Firewall control panel: select the Exceptions tab, then the program or service you are interested in, then select Edit and then Change scope....

A modal dialog will appear:

Note the default Any Computer (including those on the Internet) is reasonably safe if you have a private address since it will actually only cover Campus addresses. If you wish to be more restrictive, or your PC has a public address, you should change the default.

Changing the setting from Any Computer to My Network (subnet) only covers either campus private or public addresses depending upon which type of address your machine has, which is not very useful. It is better to enter a custom list as in the following section.

Example Exception Custom Scopes

Use 128.240.148.0/22,10.8.148.0/22 to restrict an exception to Computing Science public and private addresses.

Use 128.240.0.0/16,10.0.0.0/8 to restrict an exception to Campus addresses (note that for File and Printer Sharing, leaving the default will restrict you to Campus addresses anyway, since these protocols are blocked by the Campus border router).

Group Policy and the Command Line

The firewall is fully configurable by group policy and from the command line. The policy applied at present is to turn on the firewall at start-up and allow remote administration from certain machines in Computing Science. If necessary, policy could be applied automatically by central NUIT or Computing Science, e.g. to force the firewall on with no exceptions in the event of some malicious virus/worm causing widespread problems.

The firewall may be configured from the command line with the netsh firewall command. The command

netsh firewall show state verbose = ENABLE

will show the firewall settings in gory detail.

Also, the netstat command has a new option, -b, which displays the executable involved in creating each connection or listening port; this may help when investigating problems with the firewall.
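The custom scopes from the previous section and the netsh firewall commands described here, combined into one batch file. This is an added example, not part of the original page or of any Computing Science policy script; it assumes the Windows XP SP2 netsh firewall context, a local-administrator command prompt, and uses a placeholder program path (the scope values are the ones given above).

```batch
@echo off
REM Added example (not from the original page): apply the custom scopes from
REM the page with "netsh firewall" on Windows XP SP2. Needs local admin rights.

REM Scope strings as given on the page: Computing Science and whole-campus ranges.
set CS_SCOPE=128.240.148.0/22,10.8.148.0/22
set CAMPUS_SCOPE=128.240.0.0/16,10.0.0.0/8

REM 1. Make sure the firewall is on for all profiles; exceptions are still honoured.
netsh firewall set opmode mode = ENABLE exceptions = ENABLE profile = ALL

REM 2. Enable the preset Remote Desktop exception, but only for CS addresses
REM    instead of the default scope of "Any computer".
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = %CS_SCOPE% profile = ALL

REM 3. Enable File and Printer Sharing limited to campus addresses (the border
REM    router blocks these protocols anyway, so this is a second barrier).
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = CUSTOM addresses = %CAMPUS_SCOPE% profile = ALL

REM 4. Allow one specific program to accept connections, again CS-only.
REM    The path below is a placeholder; substitute the real executable path.
netsh firewall add allowedprogram program = "C:\PLACEHOLDER\server.exe" name = "Example server" mode = ENABLE scope = CUSTOM addresses = %CS_SCOPE% profile = ALL

REM 5. Verify what was actually applied.
netsh firewall show state verbose = ENABLE
netsh firewall show service
netsh firewall show allowedprogram

REM 6. List listening ports with owning PID; with -b the executable name is
REM    printed on the line following each entry.
netstat -anob

REM Emergency lockdown matching the policy described above (firewall on, all
REM exceptions ignored). Left commented out: it also drops Remote Desktop.
REM netsh firewall set opmode mode = ENABLE exceptions = DISABLE profile = ALL
```

Run the file once from an elevated prompt, then re-run step 5 after any manual change in the control panel to confirm the scope has not silently reverted to "Any computer".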