MORE INFORMATION
By default, Windows Firewall is turned on for all network
interfaces. This helps improve network protection for new Windows XP
installations and Windows XP upgrades. Windows Firewall also helps improve
protection for new network connections. Windows Firewall lets you add
exceptions for programs and services so that they can receive inbound traffic.
To configure Windows Firewall, use Security Center in Control Panel,
or open the firewall itself from Control Panel. Windows Firewall has three
modes:
- On (recommended)
- Off (not recommended)
- Don't allow exceptions
The General tab provides access to the following configuration options.
- Don't allow exceptions
- Exceptions
- Advanced
Don't allow exceptions
After you select Don't allow exceptions, Windows Firewall blocks all requests
to connect to your computer. Blocked requests include requests to connect from
programs or services that are listed on the Exceptions tab. Windows Firewall
also blocks file and printer sharing and the discovery of network devices.
You may find it useful to use Windows Firewall with no exceptions when you
connect to a public network, such as a public network at an airport or hotel.
This setting can help protect your computer because it blocks all attempts to
connect to your computer. When you use Windows Firewall with no exceptions, you
can still view Web pages, send and receive e-mail messages, or use an instant
messaging program. You can manually set the Don't allow exceptions mode.
However, Windows or a program can also configure this automatically if a
security issue is encountered with a service or program that is listening on
the computer.
Exceptions
You can add program and port exceptions on the
Exceptions tab. This makes it possible for the program or port
that you list to receive certain types of inbound traffic.
For each exception, you can set a scope for the exception. For home and small
office networks, we recommend that you set the scope to the local network only
where you can do this. If you set the scope to the local network only,
computers on the same subnet can connect to the program on the computer.
However, traffic that originates from a remote network is dropped.
Note To use exceptions in large networks, you may have to add an address in
your list of exceptions. You can also use the Any Computer setting if a
corporate firewall is in effect. The exception settings specify the set of
computers that this port or program is open for. The following lists the
settings and a description of the mode of access:
| Any computer (including those on the Internet) | The program can communicate with anyone that initiates a connection. |
| My network (subnet) only | Local Subnet Only - The program can communicate only with those requests generated on the computer's local subnet. |
| Custom list | Specify addresses based on the mask that is provided. If you want to add a network, add it with the correct subnet mask. For example, 192.168.100.0/255.255.255.0. If you want to add a single address, use the whole address and an all-255 subnet mask. For example, 192.168.100.7/255.255.255.255. This indicates to the firewall that the whole address represents the network. Therefore, only this single IP address will be permitted. |
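
The three scope settings in the table above, modelled in Python as an added example. This is not Microsoft's code and does not describe how Windows Firewall is implemented. The function names, the scope labels, the local interface address and the remote source addresses are constructed for illustration, and rejecting a custom entry whose address has bits set outside its mask is an assumption of this example for catching typing errors.

```python
import ipaddress

def parse_custom_list(text):
    """Parse a comma-separated custom list of address/mask entries."""
    networks = []
    for entry in text.split(","):
        entry = entry.strip()
        if entry:
            # strict=True raises ValueError when bits are set outside the
            # mask, e.g. 192.168.100.7/255.255.255.0 (assumed to be a typo).
            networks.append(ipaddress.IPv4Network(entry, strict=True))
    return networks

def is_permitted(source, scope, local_interface=None, custom_list=""):
    """Return True if inbound traffic from `source` falls inside the scope.

    scope is a label made up for this example: "any", "subnet" or "custom".
    """
    src = ipaddress.IPv4Address(source)
    if scope == "any":
        return True
    if scope == "subnet":
        # The local subnet is derived from this computer's address and mask.
        return src in ipaddress.IPv4Interface(local_interface).network
    if scope == "custom":
        return any(src in net for net in parse_custom_list(custom_list))
    raise ValueError("unknown scope: %r" % scope)

if __name__ == "__main__":
    local = "192.168.100.20/255.255.255.0"   # constructed local address
    sources = ["192.168.100.7", "192.168.100.8", "203.0.113.9"]  # constructed
    cases = [
        ("any", ""),
        ("subnet", ""),
        ("custom", "192.168.100.0/255.255.255.0"),
        ("custom", "192.168.100.7/255.255.255.255"),
    ]
    for scope, custom in cases:
        for s in sources:
            ok = is_permitted(s, scope, local_interface=local, custom_list=custom)
            print("%-7s %-32s %-15s %s" % (scope, custom, s, "allow" if ok else "drop"))
```
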
Advanced
By using the Advanced tab for the Windows Firewall properties, you can
configure the following settings:
- Network Connection Settings - This setting
configures specific rules that apply to each network interface.
- Security Logging - This setting configures
security logging.
- ICMP - This setting configures rules that
apply to Internet Control Message Protocol (ICMP) traffic and that are used for
error and status information transmission.
- Default settings - This setting can be
used to restore Windows Firewall to a default configuration.
Note To do a performance test of a connection, you must stop the
firewall service in the management console. To do this, follow these steps:
- Right-click My Computer, and then click Manage.
- Expand Services and Applications, and then click Services.
- In the right pane, right-click Windows Firewall/Internet Connection Sharing (ICS) service, and then click Stop.
- To restart the Windows Firewall/Internet Connection Sharing (ICS) service, right-click the service, and then click Start.
REFERENCES
For additional information about Windows Firewall, click the
following article numbers to view the articles in the Microsoft Knowledge Base:
842242 Some programs seem to stop working after you install Windows XP Service Pack 2
875357 Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
875353 How to use the Security Alert dialog box in Windows XP Service Pack 2 and Windows XP Tablet PC Edition 2005