

10.2. Windows Firewall: All Versions

If you have a broadband, always-on connection, you're connected to the Internet 24 hours a day. It's theoretically possible for some cretin to use automated hacking software to flood you with files or take control of your machine. Fortunately, Vista's firewall feature puts up a barrier to such mischief.

The firewall acts as a gatekeeper between you and the Internet. It examines all Internet traffic, and lets through only communications that it knows are safe; all other traffic is turned away at the door.


Tip: Truth is, you may not technically need a software firewall like this. Do you have a router that distributes your Internet signal through the house (page 700)? If so, it probably also has a hardware firewall already protecting your entire network. Still, there's no harm in having both a hardware and software firewall in place.

10.2.1. How It Works

Every kind of electronic message sent to or from your PC (instant messaging, music sharing, file sharing, and so on) conducts its business on a specific communications channel, or port. Ports are numbered tunnels for certain kinds of Internet traffic.

The problem with Windows before Vista came along was that Microsoft left all of your ports open for your convenience, and, as it turns out, for the bad guys'. In Vista (and in Windows XP Service Pack 2), all the ports arrive on your PC closed.

The firewall blocks or permits signals based on a predefined set of rules. They dictate, for example, which programs are permitted to use your network connection, or which ports can be used for communications.

Vista's firewall is a big improvement over the Windows XP firewall, because it protects both inbound and outbound traffic. (The Windows XP firewall handled only inbound traffic.)

You might wonder why you should care about outgoing signals; after all, how can your computer be harmed by sending information to the Internet?

The reason is that some spyware, Trojans, and malicious software "phones home"; that is, it lives on your PC without your knowledge, then sends out an invisible note telling the world it's ready to be used to attack your PC. Some may try to attack other computers near it, and because computers on a Work or Home network are more trusting of each other, they're running with their defenses down (page 359). A remote intruder can then take control of your computer. (One common trick is to turn your PC into a zombie: basically a spam relay station. Your PC could be pumping out millions of junk-mail messages a day, and you wouldn't even know it.)

In addition, some types of spyware watch everything you do on your PC, and then send that information out to a hacker. The Windows Vista Firewall, however, blocks those outbound connections.

You don't need to do anything to turn on the Windows Firewall. When you turn on Windows Vista, it's already at work. But the Windows Firewall can be turned off. To make sure that it's running properly, choose Control Panel → Security → Windows Firewall. If it's working properly, a green message tells you so. If it's turned off, a red message lets you know. To turn the firewall on and off, click Change settings, and make your selection.

10.2.2. Punching Through the Firewall

The firewall isn't always your friend. It can occasionally block a perfectly harmless program from communicating with the outside world (a chat program, for example).

Fortunately, whenever that happens, Windows lets you know with a message like the one shown in Figure 10-2. Most of the time, you'll know exactly what program it's talking about, because it's a program you just opened yourself. In other words, it's not some rogue spyware on your machine trying to talk to the mother ship. Click Unblock and get on with your life.

Figure 10-2. From time to time, your life with Vista will be interrupted by this message. It's your firewall speaking. It's trying to tell you that a program is trying to get online, as though you didn't know. Most of the time, you can just hit Unblock and get on with your life.


10.2.3. Fine-Tuning the Firewall

If you're willing to root around in a little techie underbrush, you can learn a lot, and perfect the firewall, using Windows Firewall settings (Figure 10-3). Get there by going to Control Panel → Security → Windows Firewall → Change Settings, and then authenticate yourself (page 191). Here's what you can do with each tab:

Figure 10-3. The General screen of the Windows Firewall Settings screen lets you turn the firewall on and off, and even block all Internet access. You'll rarely have any reason to touch the other tabs. But if some program conflicts with the Firewall, head to the Exceptions tab to fix it. The Advanced tab lets you turn the firewall on and off for individual networks to which you connect, such as a home network or a wireless hot spot.


  • General. Here's where to turn the firewall on and off. You can also completely block all Internet access (for example, to make absolutely sure that nobody's tapping into your laptop when you're in a wireless coffee shop) by turning on "Block all incoming connections."


    Tip: Plenty of companies sell more powerful software firewalls (that is, with more geeky options). Never use one at the same time you use the Windows Firewall, however; a troubleshooting nightmare could result. So if you're running a firewall like ZoneAlarm or Norton Personal Firewall, turn off the Windows Firewall. (Most firewall programs do that automatically when you install them, but it's a good idea to check.)
  • Exceptions. Here's the tab to use if you're having problems with a program being blocked by the Windows Firewall. It lets you tell the Windows Firewall to make an "exception" for a particular program, and let it through.

    A checkmark means that this program is allowed through the Windows Firewall. Scroll through and see if the problematic program is on the list. If it is, turn on its checkbox, and then click OK. If it's not on the list, click Add program, find and select the program, and then click OK to add it to the list.

    Finally, turn on its checkbox and click OK. It should now work fine with the Windows Firewall.

  • Advanced. This tab lists all the networks for which the Windows Firewall is providing protection. If you connect to multiple networks, such as at hot spots, home, and so on, they should all be here; the checkmarks indicate which networks are being protected. As a general rule, it's a good idea for the Windows Firewall to protect all your networks.
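
How the three tabs combine for one incoming connection, as an added example (a simplified model written for this page, not Microsoft's code): it covers inbound traffic only, and relies on the Vista behavior that "Block all incoming connections" ignores the Exceptions list. The class names, program path, port, and network names are constructed for illustration.

```python
# Added example: simplified model of the inbound decision (constructed names and values).
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class FirewallException:
    name: str
    program: Optional[str] = None  # executable path (program exception)
    port: Optional[int] = None     # port number (port exception)
    enabled: bool = True           # checkbox on the Exceptions tab

@dataclass
class FirewallSettings:
    enabled: bool = True                 # General tab: On / Off
    block_all_incoming: bool = False     # General tab: "Block all incoming connections"
    protected_networks: set = field(default_factory=set)  # Advanced tab checkmarks
    exceptions: list = field(default_factory=list)        # Exceptions tab entries

def inbound_decision(fw, network, program, port):
    """Return (verdict, reason) for an unsolicited inbound connection."""
    if not fw.enabled:
        return "allow", "firewall is off"
    if network not in fw.protected_networks:
        return "allow", "network is unchecked on the Advanced tab"
    if fw.block_all_incoming:
        return "block", "block-all-incoming ignores the Exceptions list"
    for exc in (e for e in fw.exceptions if e.enabled):
        if exc.program is not None and exc.program.lower() == program.lower():
            return "allow", f"program exception: {exc.name}"
        if exc.port is not None and exc.port == port:
            return "allow", f"port exception: {exc.name}"
    return "block", "no matching exception"

def audit(fw):
    """Flag settings that expose more than a program exception would."""
    findings = [] if fw.enabled else ["firewall is turned off"]
    for exc in fw.exceptions:
        if exc.enabled and exc.port is not None:
            findings.append(f"port {exc.port} is open to any program ({exc.name})")
    return findings

# Constructed sample configuration (hypothetical program path and networks).
CHAT = r"C:\Program Files\ExampleChat\chat.exe"
SAMPLE = FirewallSettings(
    protected_networks={"Home", "CoffeeShopWiFi"},
    exceptions=[FirewallException("Example Chat", program=CHAT),
                FirewallException("Old game server", port=27015)],
)
```

The port exception is the entry to review first: it admits whatever program happens to be listening on that port, while a program exception admits only the named executable.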




Windows Vista: The Missing Manual
ISBN: 0596528272
EAN: 2147483647
Year: 2006
Pages: 284
Authors: David Pogue
