Windows XP Service Pack 2 (SP2) includes a new Windows Firewall, which replaces the Internet Connection Firewall (ICF). Windows Firewall is a stateful host-based firewall that discards all unsolicited incoming traffic, that is, traffic that is neither a response to a request sent by the computer (solicited traffic) nor unsolicited traffic that has been explicitly allowed (exception traffic). Windows Firewall provides a degree of protection against malicious users and programs that rely on unsolicited incoming traffic to attack computers on a network.
In Windows XP SP2, Windows Firewall has a number of new features, including:
Enabled by default for all connections on the computer
New global configuration options that apply to all connections
A new set of dialog boxes for global configuration
A new operating mode ("Don't allow exceptions")
Startup security
Local network (subnet) restrictions on exception traffic
Exception traffic that can be specified by the file name of a program
Built-in support for Internet Protocol version 6 (IPv6)
New configuration options with Netsh and Group Policy
This article describes in detail the set of dialog boxes that are used to configure the new Windows Firewall manually. Unlike ICF in Windows XP prior to SP2, these dialog boxes configure both IPv4 and IPv6 traffic.
The ICF settings in Windows XP prior to SP2 consist of a single check box on the Advanced tab of the connection properties ("Protect my computer and network by limiting or preventing access to this computer from the Internet") and a Settings button, which you use to configure services, logging settings, and allowed ICMP traffic.
In Windows XP SP2, the check box on the Advanced tab of the connection properties is replaced by a Settings button that you use to configure general settings, permitted programs and services, per-connection settings, log settings, and allowed ICMP traffic.
The Settings button launches the new Windows Firewall Control Panel program (also available in the Network and Internet Connections and Security Center categories of Control Panel).
The new Windows Firewall dialog box contains the following tabs:
"General", "Exceptions", "Advanced"
"General" tab
On the General tab, you can select the following options:
"On (recommended)"
Select this option to enable Windows Firewall for all the network connections that are selected on the Advanced tab.
When Windows Firewall is on, only solicited incoming traffic and exception traffic are allowed. Exception traffic is configured on the Exceptions tab.
"Don't allow exceptions"
Select this option to allow only solicited incoming traffic. No exception traffic is allowed: the settings on the Exceptions tab are ignored, and all connections are protected regardless of the settings on the Advanced tab. This is the mode to use when the computer is connected to a network you do not trust, such as a public hotspot, because it needs no changes to the exception list.
"Off (not recommended)"
Select this option to disable Windows Firewall. This is not recommended, especially for network connections that are reachable directly from the Internet.
Note: For all existing and newly created connections on computers running Windows XP SP2, the default setting is On (recommended). This can break programs or services that rely on unsolicited incoming traffic. In such cases you must identify the programs that no longer work and add them, or their traffic, as exceptions. Many programs, such as web browsers and e-mail clients (for example Outlook Express), do not rely on unsolicited incoming traffic and therefore work correctly with Windows Firewall on.
If you configure Windows Firewall on a computer running Windows XP SP2 by using Group Policy, the Group Policy settings may not permit local configuration. In that case the options on the General tab and the other tabs are grayed out and cannot be changed, even by local administrators.
The Group Policy based Windows Firewall settings let you configure a domain profile (the set of Windows Firewall settings applied when the computer is connected to a network that contains its domain controllers) and a standard profile (the set of Windows Firewall settings applied when the computer is connected to a network, such as the Internet, that does not contain its domain controllers). The configuration dialog boxes display only the settings of the profile that is currently in effect. To view the settings of the profile that is not currently applied, use the netsh firewall show command; to change them, use the netsh firewall set command. When auditing a laptop that roams between the office and home, check both profiles: an exception that is open only in the standard profile is exposed exactly on the untrusted networks.
Exceptions tab
On the Exceptions tab, you can enable or disable existing programs and services, or maintain the list of programs and services that define exception traffic. When Don't allow exceptions is selected on the General tab, exception traffic is discarded.
In Windows XP prior to SP2, exception traffic could be defined only by Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port. In Windows XP SP2, exception traffic can be defined by TCP or UDP port or by the file name of a program or service. This flexibility makes it easier to allow a program or service whose TCP or UDP ports are unknown or are determined dynamically when it starts. Keep in mind that a program exception opens whichever ports that program listens on while it is running, so it is broader than a single port exception.
A set of programs and services is preconfigured:
File and Printer Sharing, Remote Assistance (enabled by default), Remote Desktop, and UPnP Framework. These predefined entries cannot be deleted, although they can be disabled.
If Group Policy allows it, you can also create additional exceptions for a specified program by clicking Add Program, or for a specified TCP or UDP port by clicking Add Port.
When you click Add Program, the Add Program dialog box opens, where you can select a program from the list or browse to its file name.
When you click Add Port, the Add Port dialog box opens, where you can specify a TCP or UDP port.
One of the new features of Windows Firewall is the ability to define the scope of incoming exception traffic. The scope is the set of network addresses from which the exception traffic may originate. When you define the scope for a program or port, you have two choices:
"Any computer"
Exception traffic is allowed from any IP address.
"My network (subnet) only"
Exception traffic is allowed only from IP addresses that match the local network segment (subnet) of the connection on which the traffic arrives. For example, if the connection's IP address is 192.168.0.99 with subnet mask 255.255.0.0, exception traffic is allowed only from addresses in the range 192.168.0.1 to 192.168.255.254.
The My network (subnet) only scope is useful when you want every computer on the same subnet of a local home network to reach a program or service, but do not want potentially malicious Internet users to reach it. Note that the scope is derived from the connection's subnet mask, not from which hosts you consider local: with the 255.255.0.0 mask in the example, more than 65,000 addresses qualify, and on a shared network (a hotel, campus or ISP segment) every other host on that segment is treated as part of "my network".
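The following is an added example, not code from the original article or from Windows Firewall itself. It reproduces the scope calculation described above in Python: given the connection's address and subnet mask, it derives the network segment that "My network (subnet) only" resolves to, reports the host range the article states for the 192.168.0.99/255.255.0.0 case, and decides whether exception traffic from a given source address would be accepted under each scope. The scope names "any" and "subnet" are labels chosen for this example; the size comparison between a 255.255.0.0 and a 255.255.255.0 mask illustrates the caveat that the mask, not the user's idea of "local", determines how many hosts the exception is exposed to.

```python
import ipaddress


def local_subnet(interface_ip: str, subnet_mask: str) -> ipaddress.IPv4Network:
    """Network segment that 'My network (subnet) only' resolves to for a
    connection configured with the given address and mask."""
    # strict=False lets us pass a host address rather than the network address.
    return ipaddress.ip_network(f"{interface_ip}/{subnet_mask}", strict=False)


def host_range(interface_ip: str, subnet_mask: str) -> tuple:
    """First and last host address of the connection's subnet, excluding the
    network and broadcast addresses, as the article states the range."""
    net = local_subnet(interface_ip, subnet_mask)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def exposed_hosts(interface_ip: str, subnet_mask: str) -> int:
    """How many distinct source addresses the 'subnet' scope admits."""
    return local_subnet(interface_ip, subnet_mask).num_addresses - 2


def allowed_by_scope(scope: str, interface_ip: str, subnet_mask: str,
                     source_ip: str) -> bool:
    """Return True if exception traffic from source_ip is accepted.

    scope is 'any' ("Any computer") or 'subnet' ("My network (subnet) only");
    these labels are this example's own, not Windows Firewall identifiers.
    """
    if scope == "any":
        return True
    if scope == "subnet":
        net = local_subnet(interface_ip, subnet_mask)
        src = ipaddress.ip_address(source_ip)
        if src.version != net.version:
            # An IPv6 source can never match an IPv4 connection's subnet.
            return False
        return net.network_address < src < net.broadcast_address
    raise ValueError(f"unknown scope: {scope!r}")


if __name__ == "__main__":
    ip, mask = "192.168.0.99", "255.255.0.0"          # the article's example
    print("subnet:", local_subnet(ip, mask))
    print("host range:", host_range(ip, mask))
    print("hosts admitted with /16 mask:", exposed_hosts(ip, mask))
    print("hosts admitted with /24 mask:", exposed_hosts(ip, "255.255.255.0"))
    for src in ("192.168.37.5", "10.0.0.5", "203.0.113.7"):
        print(src, "subnet scope ->", allowed_by_scope("subnet", ip, mask, src),
              "| any scope ->", allowed_by_scope("any", ip, mask, src))
```

Run it to see that 192.168.37.5 is treated as local with the 255.255.0.0 mask even though it is not on the typical 192.168.0.0/24 home segment; with a 255.255.255.0 mask the same source is rejected.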
Once you have added a program or port, it is disabled by default in the Programs and Services list; select its check box to enable it.
All programs and services that are enabled on the Exceptions tab are enabled for all connections that are selected on the Advanced tab.
"Advanced" tab
The Advanced tab contains the following sections:
"Network Connection Settings", "Security Logging", "ICMP", "Default Settings"
"Network Connection Settings"
Under Network Connection Settings, you can:
1. Specify the set of connections on which Windows Firewall is enabled. To enable Windows Firewall on a connection, select the check box next to its name; to disable it, clear the check box. By default, Windows Firewall is enabled on all network connections. If a connection does not appear in the list, it is not a standard network connection; an example is a custom dialer supplied by an Internet service provider (ISP).
2. Configure advanced settings for an individual connection by clicking its name and then clicking Settings.
If you clear every check box under Network Connection Settings, Windows Firewall protects none of the connections, even if On (recommended) is selected on the General tab. If Don't allow exceptions is selected on the General tab, the Network Connection Settings are ignored and all connections are protected.
When you click Settings, the Advanced Settings dialog box opens.
In the Advanced Settings dialog box, you can configure specific services (defined only by TCP or UDP port) for that connection on the Services tab, and enable specific types of incoming ICMP traffic for that connection on the ICMP tab.
These two tabs correspond to the Settings dialog box of ICF in Windows XP prior to SP2.
"Security Logging"
Under Security Logging, click Settings to configure Windows Firewall logging in the Log Settings dialog box.
In the Log Settings dialog box, you can choose whether to log dropped packets, successful connections, or both, and specify the name and location of the log file (the default is %systemroot%\pfirewall.log) and its maximum size. Logging dropped packets is the quickest way to find out which port or program a newly blocked application needs: the first dropped record for it shows the protocol and destination port to add as an exception.
"ICMP"
Under ICMP, click Settings to specify the allowed types of incoming ICMP traffic in the ICMP dialog box.
In the ICMP dialog box, you enable and disable the types of incoming ICMP messages that Windows Firewall allows on the connections selected on the Advanced tab. ICMP messages are used for diagnostics, error reporting, and configuration. By default, none of the ICMP message types in this list is allowed.
A common step in diagnosing connectivity problems is to use the Ping tool to verify that the computer you are trying to reach is responding. Ping sends an ICMP Echo Request message and expects an ICMP Echo Reply message in return. By default, Windows Firewall does not allow incoming ICMP Echo Request messages, so the computer cannot send back an Echo Reply. To allow this, enable the Allow incoming echo request setting. If dropped packet logging is enabled, a host that is being pinged but not answering will show the discarded requests in the log as dropped ICMP type 8 messages.
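The following is an added example that serves the Security Logging and ICMP sections above; it is not code from the original article or from Windows. It parses a log in the layout Windows Firewall writes (W3C extended log format: comment lines beginning with #, a #Fields line naming the columns, and "-" for an empty field), summarises dropped packets by protocol and target, and counts dropped ICMP Echo Requests (type 8), which is how you would confirm from the log that a machine is not answering ping because Allow incoming echo request is off. The log text, its addresses and timestamps are constructed for this example; the parser reads the column names from the #Fields line rather than hard-coding them, so it works with a real pfirewall.log whose header may list different fields.

```python
from collections import Counter

# Constructed sample in the layout of pfirewall.log. Values are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-09-01 10:15:32 DROP TCP 192.168.0.23 192.168.0.99 3456 445 48 S 1234567 0 65535 - - -
2004-09-01 10:15:33 DROP TCP 203.0.113.7 192.168.0.99 51123 135 48 S 2345678 0 65535 - - -
2004-09-01 10:15:40 DROP ICMP 192.168.0.23 192.168.0.99 - - 60 - - - - 8 0 -
2004-09-01 10:15:41 DROP ICMP 192.168.0.23 192.168.0.99 - - 60 - - - - 8 0 -
2004-09-01 10:16:01 OPEN TCP 192.168.0.99 198.51.100.4 1034 80 - - - - - - - -
2004-09-01 10:16:05 DROP UDP 203.0.113.9 192.168.0.99 1900 1900 120 - - - - - - -
"""


def parse_log(text: str) -> list:
    """Return one dict per record, keyed by the names in the #Fields header.
    Empty fields ('-') become None. Raises on malformed input rather than
    silently skipping records, so truncation in a log is noticed."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other header lines carry no records
        if fields is None:
            raise ValueError("record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def dropped_by_target(records: list) -> Counter:
    """Count DROP records by (protocol, dst-port), or (ICMP, type N) for ICMP.
    The top entries are the ports a newly blocked program is trying to use."""
    counts = Counter()
    for r in records:
        if r["action"] != "DROP":
            continue
        if r["protocol"] == "ICMP":
            counts[("ICMP", f"type {r['icmptype']}")] += 1
        else:
            counts[(r["protocol"], r["dst-port"])] += 1
    return counts


def blocked_echo_requests(records: list) -> int:
    """Dropped ICMP Echo Requests (type 8). A non-zero count on a host that
    'does not answer ping' points at the Allow incoming echo request setting."""
    return sum(1 for r in records
               if r["action"] == "DROP" and r["protocol"] == "ICMP"
               and r["icmptype"] == "8")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records")
    for (proto, target), n in dropped_by_target(recs).most_common():
        print(f"DROP {proto:5} {target:>8}  x{n}")
    print("dropped echo requests:", blocked_echo_requests(recs))
```

Point parse_log at the contents of a real log (open the file with the default location from the Log Settings dialog box) and the same two summaries apply; note that OPEN records are only present if successful connections are being logged.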
"Default Settings"
Click Restore Defaults to reset Windows Firewall to its original installation state. This removes every exception, scope and ICMP setting you have added, so programs that depended on those exceptions will stop receiving unsolicited traffic until you add them again.
When you click Restore Defaults, you are prompted to confirm before the Windows Firewall settings are changed.