Hack 46 Protect Your Computer with the Internet Connection Firewall


XP's built-in firewall can do more than just provide basic protection. You can also use it to log potential attacks and send information about the intruders to your ISP.

Any time you're connected to the Internet, you're in some danger of intrusion, especially if you have a broadband connection. PCs with broadband connections are tempting targets, because their high-speed connections are ideal springboards for attacking other networks or web sites.

Whenever you're connected, your system is among many constantly being scanned for weaknesses by crackers (malicious hackers) and wannabes (often called script kiddies) sending automated probes looking for vulnerable PCs. In fact, these kinds of probes are so common and incessant, you can think of them as the background radiation of the Internet.

One of the best ways to protect yourself against these probes and more targeted attacks is to use a firewall. Firewall software sits between you and the Internet and acts as a gatekeeper of sorts, only allowing nonmalicious traffic through.

In this hack, we'll look at how to get the most out of the Internet Connection Firewall (ICF), the firewall built into XP.

If you have a home network, your residential gateway may offer firewall protection. For details on how to optimize that protection and get the most out of other gateway features, see [Hack #49].

The ICF offers basic Internet security by stopping all unsolicited inbound traffic and connections to your PC and network, unless your PC or another PC on the network initially makes the request for the connection. It will not, however, block outgoing requests and connections, so you can continue to use the Internet as you normally would for browsing the Web, getting email, using FTP, or similar services.

If you use ICF or another type of firewall, you can run into problems if you run a web server or an FTP server, or if you want to allow Telnet access to your PC. Because firewalls block unsolicited inbound communications, visitors won't be able to get to your sites or get Telnet access to your PC. However, you can allow access to these resources while still retaining firewall protection. To see how, turn to [Hack #50].

If you're sharing an Internet connection through a PC, only the PC that directly accesses the Internet should run ICF. All the other PCs will be protected. Don't run the ICF on any of those other PCs, because you'll cause connection problems. And don't use the ICF with a Virtual Private Network (VPN) connection, because it will interfere with various VPN functions, including file sharing. To set up a VPN, see [Hack #62].

The ICF has one very serious drawback: it won't protect you against Trojans, such as the Back Orifice Trojan. Trojans let other users take complete control of your PC and its resources. For example, someone could use your PC as a launch pad for attacking web sites and it would appear you were the culprit, or he could copy all your files and find out personal information about you, such as your credit card numbers if you store them on your PC.

The ICF won't stop them, because it blocks only incoming traffic and Trojans work by making outbound connections from your PC. To stop Trojans, get a third-party firewall. The best is ZoneAlarm [Hack #48].

Turn on the ICF by right-clicking on My Network Places and choosing Properties. From the Network Connections folder that appears, right-click on the connection on which you want to use ICF and choose Properties → Advanced. In the Advanced tab of the Local Area Connection Properties dialog box, shown in Figure 5-8, check the box next to "Protect my computer and network by limiting and preventing access to this computer from the Internet." Click OK. The firewall is now in place.

Figure 5-8. Enabling the ICF

5.6.1 Track Firewall Activity with an ICF Log

The ICF can do more than just protect you from intruders; it can also keep track of all intrusion attempts, so that you can know whether your PC has been targeted, and what kind of attacks the ICF has turned back. You can then send that information to your ISP, so that it can track down the intruders.

First, create a log of ICF activity. Right-click on My Network Places and choose Properties. In the Network Connections folder, right-click on the connection for which you want to set up an ICF log and choose Properties → Advanced → Settings → Security Logging. The dialog box shown in Figure 5-9 appears.

Figure 5-9. Creating an ICF log

Choose whether to log dropped packets, successful connections, or both. A dropped packet is a packet that the ICF has blocked. A successful connection doesn't mean that an intruder has successfully connected to your PC; it refers to any connection you have made over the Internet, such as to web sites. Because of this, there's usually no reason for you to log successful connections. If you do log them, your log will become large very quickly, and it will be more difficult to track only potentially dangerous activity. So, your best bet is to log only dropped packets.

After you've made your choices, choose a location for the log, set its maximum size, and click OK. I don't let my log get larger than 1MB, but depending on how much you care about disk space and how much you plan to use the log, you may want yours larger or smaller.

The log will be created in W3C Extended Log format (.log) that you can examine with Notepad or another text editor, or with a log analysis program such as the free AWStats (http://awstats.sourceforge.net). Figure 5-10 shows a log generated by the ICF, examined in Notepad.

Figure 5-10. A log generated by the ICF

Each log entry carries up to 16 pieces of information about the event, but the most important columns are the first 8. (In a text editor, the names of the columns don't align over the data, but they will align in a log analyzer.) Table 5-1 describes the columns.

Table 5-1. The columns in the ICF log

Date (date)

Date of occurrence, in year-month-day format.

Time (time)

Time of occurrence, in hour:minute:second format.

Action (action)

The operation that was logged by the firewall, such as DROP for dropping a connection, OPEN for opening a connection, and CLOSE for closing a connection.

Protocol (protocol)

The protocol used, such as TCP, UDP, or ICMP.

Source IP (src-ip)

The IP address of the computer that started the connection.

Destination IP (dst-ip)

The IP address of the computer to which the connection was attempted.

Source Port (src-port)

The port number on the sending computer from which the connection was attempted.

Destination Port (dst-port)

The port to which the sending computer was trying to make a connection.

Size (size)

The packet size, in bytes.

TCP Flags (tcpflags)

Information about the TCP control flags in the TCP header.

TCP Sequence Number (tcpsyn)

The TCP sequence number of the packet.

TCP Ack Number (tcpack)

The TCP acknowledgement number in the packet.

TCP Window Size (tcpwin)

The TCP window size of the packet.

ICMP Type (icmptype)

The type of the ICMP message.

ICMP Code (icmpcode)

The code of the ICMP message.

Info (info)

Additional information about the log entry.

The source IP address is the source of the attack. You may notice the same source IP address continually cropping up; if so, you may be targeted by an intruder. It's also possible that the intruder is sending out automated probes to thousands of PCs across the Internet and your PC is not under direct attack. In either case, you can send the log information to your ISP and ask them to follow up by tracking down the source of the attempts. Either forward the entire log or cut and paste the relevant sections to a new file.
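One way to do that triage before you write to your ISP, as an added example that is not from the book: a short Python script that reads the log's W3C "#Fields:" header to learn the column names, parses each entry, and counts dropped packets per source IP so that repeat sources stand out. The log text is constructed for the example; the threshold of three drops is an assumption you can tune.

```python
from collections import Counter, defaultdict

# Constructed sample log with the 16 ICF columns. Addresses come from the
# 192.0.2.0/24 documentation range; ports and timestamps are made up.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-05-12 14:22:01 DROP TCP 192.0.2.44 192.0.2.10 3301 135 48 S 1234567 0 16384 - - -
2003-05-12 14:22:03 DROP TCP 192.0.2.44 192.0.2.10 3302 139 48 S 1234568 0 16384 - - -
2003-05-12 14:22:05 DROP TCP 192.0.2.44 192.0.2.10 3303 445 48 S 1234569 0 16384 - - -
2003-05-12 14:22:09 DROP UDP 192.0.2.77 192.0.2.10 1434 1434 404 - - - - - - -
2003-05-12 14:23:40 OPEN TCP 192.0.2.10 192.0.2.200 1045 80 - - - - - - - -
2003-05-12 14:23:41 DROP ICMP 192.0.2.88 192.0.2.10 - - 60 - - - - 8 0 -
"""

def parse_icf_log(text):
    """Return one dict per entry, keyed by the names in the #Fields line.
    Other '#' lines are directives; a '-' in a column means no value."""
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # partially written or truncated line; skip it
        entries.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return entries

def summarize_drops(entries, min_hits=3):
    """Count DROP entries per source IP and the destination ports each one hit.
    Sources with at least min_hits drops are the repeat offenders to report."""
    drops, ports = Counter(), defaultdict(set)
    for e in entries:
        if e["action"] != "DROP":
            continue
        drops[e["src-ip"]] += 1
        if e["dst-port"] is not None:
            ports[e["src-ip"]].add(int(e["dst-port"]))
    return {"drops": dict(drops), "ports": {ip: sorted(p) for ip, p in ports.items()},
            "repeat_sources": {ip: n for ip, n in drops.items() if n >= min_hits}}
```

Only DROP entries are counted, so OPEN and CLOSE records of your own outbound connections never show up as suspects; the repeat_sources entries are the ones whose raw log lines you would forward to the ISP.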

5.6.2 Watch Out for Problems with Email and the ICF

Depending on the email program you use and how it gets notification of new email, the ICF could interfere with the way you retrieve your email. It won't stop you from getting your email, but it could disable your email program's notification feature.

The ICF won't interfere with the normal notification feature of Outlook Express, because the initial request asking for notification of new email comes from Outlook Express, inside the firewall. When the server responds to the request, the firewall recognizes that the server is responding to the request from Outlook Express, so it lets the communication pass through.

However, if you use Outlook and connect to a Microsoft Exchange server using a remote procedure call (RPC) to send email notifications (which is usually the case with Exchange), you'll run into problems. That's because the RPC initially comes from the server, not from Outlook, so the firewall doesn't allow the notification to pass to you. In this case, you can still retrieve your email, but you'll have to check for new email manually; you won't be able to get automatic notification from the server. So, if you don't get new mail notifications after you install the ICF, it's not that coworkers, friends, and spammers are suddenly ignoring you; you'll just have to check for new mail manually.

5.6.3 See Also

  • [Hack #51]

  • [Hack #43]