Hack 50 Punch an Escape Hole Through Your Firewall

figs/moderate.gif figs/hack50.gif

Sometimes firewalls offer too much protection; they block unsolicited incoming traffic that you want to receive, such as if you're hosting a web site. Here's how to open a hole in your firewall to let only specific incoming traffic through .

Most firewalls block all unsolicited inbound traffic and connections, which can be a problem if you're running a web site, email or FTP server, or other service that requires you to accept unsolicited inbound packets. But you can punch a hole through your firewall, to let only that traffic in, while still keeping potentially dangerous intruders out.

First, decide what kind of unsolicited inbound traffic and connections you want to let through, and then find out which ports they use. For example, if you have a web server, you'll have to allow traffic through that's bound for port 80. Table 5-2 [Hack #49] lists common ports; for a complete list, go to http://www.iana.org/assignments/port- numbers .

How you allow traffic through a firewall varies from firewall to firewall. To do it for XP's built-in Internet Connection Firewall (ICF), first right-click on My Network Places to open the Network Connections folder. Then, right-click on the connection for which you want to enable the incoming services and choose Properties Advanced Settings. The Advanced Settings dialog box appears, as shown in Figure 5-19. To enable a service and allow its incoming traffic through the firewall, put a check next to it and click OK.

If you haven't enabled ICF, the Settings button will be grayed out, and you won't be able to get to this screen. To find out how to enable ICF, see [Hack #46].

Figure 5-19. Enabling specific incoming services and traffic to bypass XP's ICF
figs/xph_0519.gif

For this screen, you won't have to know the port numbers for the services whose incoming traffic you want to let through; you just need to know which service you want to allow. XP will know to block or unblock the proper port.

If the default settings for the service you want to allow don't work properly, you can edit them. Depending on the service, you can change the service's name or IP address, its description, the internal and external port numbers the service uses, and whether it uses the TCP or UDP protocol. For example, if your business uses a VPN [Hack #62] with a different port number than the one used by ICF, you can change the port number ICF uses, so that your VPN will work. Some services include hardcoded properties that you can't change, while others will let you edit them. For example the Remote Desktop [Hack #58] can use only 3389 for external and internal ports and TCP as its protocol, and those can't be edited. But a few of the services, notably the VPN connections, let you edit the ports and protocol.

To edit the properties for one of the services, select it, choose Edit, and you'll see the Service Settings screen, as shown in Figure 5-20.

Figure 5-20. Customizing an inbound service that you want to pass through the ICF
figs/xph_0520.gif

ICF allows you to let in about half-a- dozen services. Table 5-3 describes what each of the default services does. Note that the entry msmsgs might or might not show up in your system; Windows Messenger appears if you've used Windows Messenger or Outlook Express (which uses some Messenger components ). Unlike all the other services listed, it is enabled by default, so it can already bypass the ICF. By default, though, all the other services listed in Table 5-3 are disabled.

Table 5-3. Services that can be allowed to bypass the ICF

Service

What it does

FTP Server

Allows others to connect to an FTP server on your PC.

Incoming Connection VPN (L2TP)

Allows for the use of a Virtual Private Network using the L2TP tunneling technology.

Incoming Connection VPN (PPTP)

Allows for the use of a Virtual Private Network using the PPTP tunneling technology.

Internet Mail Access Protocol Version 3 (IMAP3)

Allows others to connect to an IMAP3 email server on your PC to retrieve email.

Internet Mail Access Protocol Version 3 (IMAP4)

Allows others to connect to an IMAP4 email server on your PC to retrieve email.

Internet Mail Server (SMTP)

Allows others to use a Simple Mail Transfer Protocol (SMTP) server on your PC for sending email.

IP Security (IKE)

Allows for the use of the Internet Key Exchange (IKE) security technology.

msmsgs

Allows for the use of Windows Messenger, plus any software that uses its components, such as Outlook Express.

Post-Office Protocol Version 3 (POP3)

Allows others to connect to a POP3 email server on your PC to retrieve email.

Remote Desktop

Allows others to connect to your PC and take control of your desktop using XP Professional's Remote Desktop feature. (Available in XP Professional only.)

Secure Web Server (HTTPS)

Allows other to connect to a web server on your PC that uses the HTTPS security protocol

Telnet Server

Allows others to use a Telnet server on your PC to use your PC's resources.

Web Server (HTTP)

Allows other to connect to a Web server on your PC.

Just because a service isn't listed in Table 5-3 doesn't mean that you can't allow its incoming traffic to bypass the ICF. You can add any service if you know its port information and the name or IP address of the PC on your network where you want the traffic routed. For example, to play some instant messenger games you'll need to allow port 1077 to get through. To add a new service, get to the Advanced Settings dialog box shown in Figure 5-19. Then click on the Add button and fill out the dialog box shown in Figure 5-21.

Figure 5-21. Adding a new service that can bypass the ICF
figs/xph_0521.gif

5.10.1 Fix ICF's Disabling of File Sharing

When you use the ICF and try to browse to another computer on your network to share its files, you may get an error message and you won't be able to connect to those files. That's because the ICF closes the ports used for file sharing and server message block (SMB) communications. (SMB is used by the network to allow file and printer access.) You also may not be able to browse the Internet through My Network Places.

To allow file sharing to work across the network and to allow browsing the Internet through My Network Places, open UDP ports 135 through 139, TCP ports 135 through 139, and TCP and UDP port 445 in the ICF.

5.10.2 Allow Diagnostic Services to Bypass the Firewall

The Internet Control Message Protocol (ICMP) enables troubleshooting and diagnostic services, such as ping [Hack #52]. By default, though, the ICF won't allow incoming ICMP traffic. You can allow various ICMP-enabled services to pass through your firewall by clicking on the ICMP tab on the Advanced Settings dialog box shown in Figure 5-19. From the screen that appears, shown in Figure 5-22, check the boxes next to the services you want to allow. To get a description of each service, highlight it and read about it in the Description area.

Figure 5-22. Using the ICMP tab to allow diagnostic services to bypass the ICF
figs/xph_0522.gif

5.10.3 Punch a Hole Through ZoneAlarm

If you use the ZoneAlarm firewall [Hack #48], you can also allow specific unsolicited incoming traffic through. Click on the Firewall button on the left side of the screen, and then click on Custom for each of your security zones. The Custom Firewall Settings dialog box appears, as shown in Figure 5-23. Click on the service you want to allow through, click OK, and you'll be done.

Figure 5-23. Allowing specific incoming traffic to bypass ZoneAlarm
figs/xph_0523.gif

5.10.4 See Also

  • [Hack #48]

  • [Hack #46]



Windows XP Hacks
Windows XP Hacks, Second Edition
ISBN: 0596009186
EAN: 2147483647
Year: 2005
Pages: 166

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net