Section 3.4: Enabling and Configuring Internet Connection Firewall

A firewall protects a network against external threats from another network, including the Internet. Firewalls prevent an organization's networked computers from communicating directly with computers that are external to the network, and prevent computers external to the network from communicating directly with the computers in the organization's network. All incoming and outgoing communication is routed through a proxy server outside the organization's network. Firewalls also audit network activity, recording the volume of traffic and information about attempts to gain unauthorized access. ICF is firewall software that restricts what information is communicated between your home or small business network and the Internet.

To enable and configure ICF:

  • On the Desktop, click My Computer.
  • Click View network connections. Windows XP Professional displays the Network Connections window.
  • Click the dial-up, LAN, or high-speed Internet connection that you want to protect.
  • Under Network Tasks, click Change settings of this connection.
  • Click the Advanced tab.
  • Select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.
  • To disable ICF, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.
  • To configure ICF, click Settings.

The Services tab allows you to specify the services running on your network that Internet users can access.

The Security Logging tab allows you to specify whether or not you want to log dropped packets and successful connections. It also allows you to set the size limit and location of the log file. By default, the log file is PFIREWALL.LOG and the size limit is 4096 KB. To enable security logging, select one or both of the following options: Log Dropped Packets and Log Successful Connections. To view the security log file, in the Security Logging tab, click Browse.

The ICMP tab allows you to select which requests for information from the Internet this computer will respond to. By default, none of these check boxes are selected.

Table 3.1: Configurable ICMP Options

| Option | Description |
|---|---|
| Allow Incoming Echo Request | Messages sent to the computer will be repeated back to the sender. This option is commonly used for troubleshooting, such as pinging a computer. |
| Allow Incoming Timestamp Request | Data sent to this computer can be acknowledged with a confirmation message indicating the time that the data was received. |
| Allow Incoming Mask Request | This computer will listen for and respond to requests for more information about the public network to which it is attached. |
| Allow Incoming Router Request | This computer will respond to requests for information about the routes it recognizes. |
| Allow Outgoing Destination Unreachable | Data sent over the Internet that fails to reach this computer because of an error will be discarded and acknowledged with a "Destination Unreachable" message explaining the failure. |
| Allow Outgoing Source Quench | When this computer's ability to process incoming data cannot keep up with the rate of a transmission, data will be dropped and the sender will be asked to slow down. |
| Allow Outgoing Parameter Problem | When this computer discards data it has received because of a problematic header, it will reply to the sender with a "Bad Header" error message. |
| Allow Outgoing Time Exceeded | When this computer discards an incomplete data transmission because the entire transmission required more time than allowed, it will reply to the sender with a "Time Expired" message. |
| Allow Redirect | Data sent from this computer will be rerouted if the default path changes. |

If you enable any of the ICMP options, your network can become visible to the Internet and vulnerable to attack.
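Once Log Dropped Packets and Log Successful Connections are enabled, the security log can be reviewed for blocked traffic. The following is an added example, not part of the original guide: it parses a log in the W3C extended layout (a `#Fields:` header naming space-separated columns) and summarizes dropped packets, including dropped ICMP echo requests (ICMP type 8). The log lines, addresses, function names, and the `scan_threshold` value are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the security log's W3C extended layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-05-01 10:15:02 DROP TCP 198.51.100.7 192.0.2.10 4312 135 48 S 1843221 0 16384 - - -
2003-05-01 10:15:03 DROP TCP 198.51.100.7 192.0.2.10 4313 139 48 S 1843388 0 16384 - - -
2003-05-01 10:15:04 DROP TCP 198.51.100.7 192.0.2.10 4314 445 48 S 1843502 0 16384 - - -
2003-05-01 10:16:40 OPEN TCP 192.0.2.10 203.0.113.25 1045 80 - - - - - - - -
2003-05-01 10:17:11 DROP ICMP 203.0.113.99 192.0.2.10 - - 60 - - - - 8 0 -
2003-05-01 10:17:30 CLOSE TCP 192.0.2.10 203.0.113.25 1045 80 - - - - - - - -
"""

def parse_icf_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                entries.append(dict(zip(fields, values)))
    return entries

def summarize(entries, scan_threshold=3):
    """Count actions and flag sources dropped on many ports (threshold is an assumption)."""
    drops = [e for e in entries if e["action"] == "DROP"]
    ports_by_src = {}
    for e in drops:
        if e["dst-port"] != "-":  # ICMP entries carry no port
            ports_by_src.setdefault(e["src-ip"], set()).add(e["dst-port"])
    return {
        "actions": Counter(e["action"] for e in entries),
        "multi_port_sources": {ip: sorted(p, key=int)
                               for ip, p in ports_by_src.items() if len(p) >= scan_threshold},
        "dropped_echo_requests": [e["src-ip"] for e in drops
                                  if e["protocol"] == "ICMP" and e["icmptype"] == "8"],
    }

if __name__ == "__main__":
    print(summarize(parse_icf_log(SAMPLE_LOG)))
```

To run it against a real log, pass the contents of the file selected on the Security Logging tab to `parse_icf_log` in place of `SAMPLE_LOG`.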

The following are some important ICF considerations:

  • ICF is available in the Windows XP Professional 32-bit edition and the Windows XP Home Edition, but it is not available in the Windows XP Professional 64-bit edition.
  • ICF should be enabled on your shared Internet connection if your network is using ICS to provide Internet access to multiple computers.
  • ICF also protects a single computer that is connected to the Internet with a cable modem, a DSL modem, or a dial-up modem.
  • ICF should not be enabled on VPN connections or on client computers; it will interfere with file and printer sharing.