Sometimes firewalls offer too much protection; they block unsolicited incoming traffic that you want to receive, such as if you're hosting a web site. Here's how to open a hole in your firewall to let only specific incoming traffic through.
Most firewalls block all unsolicited inbound traffic and connections, which can be a problem if you're running a web site, email or FTP server, or other service that requires you to accept unsolicited inbound packets. But you can punch a hole through your firewall, to let only that traffic in, while still keeping potentially dangerous intruders out.
First, decide what kind of unsolicited inbound traffic and connections you want to let through, and then find out which ports they use. For example, if you have a web server, you'll have to let through traffic that's bound for port 80. Table 5-2 [Hack #49] lists common ports; for a complete list, go to http://www.iana.org/assignments/port-numbers.
How you allow traffic through a firewall varies from firewall to firewall. To do it for XP's built-in Internet Connection Firewall (ICF), first right-click on My Network Places to open the Network Connections folder. Then, right-click on the connection for which you want to enable the incoming services and choose Properties → Advanced → Settings. The Advanced Settings dialog box appears, as shown in Figure 5-19. To enable a service and allow its incoming traffic through the firewall, put a check next to it and click OK.
Figure 5-19. Enabling specific incoming services and traffic to bypass XP's ICF
For this screen, you won't have to know the port numbers for the services whose incoming traffic you want to let through; you just need to know which service you want to allow. XP will know to block or unblock the proper port.
If the default settings for the service you want to allow don't work properly, you can edit them. Depending on the service, you can change the service's name or IP address, its description, the internal and external port numbers the service uses, and whether it uses the TCP or UDP protocol. For example, if your business uses a VPN [Hack #62] with a different port number than the one used by ICF, you can change the port number ICF uses, so that your VPN will work. Some services include hardcoded properties that you can't change, while others will let you edit them. For example, Remote Desktop [Hack #58] can use only 3389 for its external and internal ports and TCP as its protocol, and those can't be edited. But a few of the services, notably the VPN connections, let you edit the ports and protocol.
To edit the properties for one of the services, select it, choose Edit, and you'll see the Service Settings screen, as shown in Figure 5-20.
Figure 5-20. Customizing an inbound service that you want to pass through the ICF
ICF allows you to let in about half a dozen services. Table 5-3 describes what each of the default services does. Note that the msmsgs (Windows Messenger) entry might or might not show up on your system; it appears if you've used Windows Messenger or Outlook Express (which uses some Messenger components). Unlike all the other services listed, it is enabled by default, so it can already bypass the ICF. By default, though, all the other services listed in Table 5-3 are disabled.
Table 5-3. Services that can be allowed to bypass the ICF
Just because a service isn't listed in Table 5-3 doesn't mean that you can't allow its incoming traffic to bypass the ICF. You can add any service if you know its port information and the name or IP address of the PC on your network where you want the traffic routed. For example, to play some instant messenger games you'll need to allow port 1077 to get through. To add a new service, get to the Advanced Settings dialog box shown in Figure 5-19. Then click on the Add button and fill out the dialog box shown in Figure 5-21.
Figure 5-21. Adding a new service that can bypass the ICF
5.10.1 Fix ICF's Disabling of File Sharing
When you use the ICF and try to browse to another computer on your network to share its files, you may get an error message and you won't be able to connect to those files. That's because the ICF closes the ports used for file sharing and server message block (SMB) communications. (SMB is used by the network to allow file and printer access.) You also may not be able to browse the Internet through My Network Places.
To allow file sharing to work across the network and to allow browsing the Internet through My Network Places, open UDP ports 135 through 139, TCP ports 135 through 139, and TCP and UDP port 445 in the ICF.
5.10.2 Allow Diagnostic Services to Bypass the Firewall
The Internet Control Message Protocol (ICMP) enables troubleshooting and diagnostic services, such as ping [Hack #52]. By default, though, the ICF won't allow incoming ICMP traffic. You can allow various ICMP-enabled services to pass through your firewall by clicking on the ICMP tab on the Advanced Settings dialog box shown in Figure 5-19. From the screen that appears, shown in Figure 5-22, check the boxes next to the services you want to allow. To get a description of each service, highlight it and read about it in the Description area.
Figure 5-22. Using the ICMP tab to allow diagnostic services to bypass the ICF
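As an added illustration, not taken from the book, here is a small Python model of the allow-list firewall this hack describes: deny everything unsolicited by default, then punch holes only for the services named above (HTTP on port 80, Remote Desktop on 3389, the file-sharing ports 135 through 139 and 445 from the previous section, and the ICMP echo request that the ICMP tab can allow). The subnet 192.168.1.0/24, the sample addresses and the sample packets are constructed, the rule names are mine, and the per-rule source-network scope is an assumption of this model rather than a setting shown in the ICF dialogs. It goes one step beyond the text by flagging any file-sharing hole that is open to the whole Internet instead of just the local network, which is the mistake a practitioner most wants to catch before clicking OK.

```python
"""Model of an allow-list (deny-by-default) firewall with scoped holes.

Constructed example: the rule set, subnet and sample packets are made up
to illustrate the hack; they are not ICF's own configuration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addresses: a private home subnet and "anywhere" (the public Internet).
LAN = ipaddress.ip_network("192.168.1.0/24")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# ICMP message type for echo request (the packet that "ping" sends), from RFC 792.
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Rule:
    """One hole punched through an otherwise deny-all firewall."""
    name: str
    protocol: str                        # "TCP", "UDP" or "ICMP"
    match: range                         # dest. ports (TCP/UDP) or message types (ICMP)
    allowed_from: ipaddress.IPv4Network  # assumed scope: sources permitted to use this hole


def span(lo, hi=None):
    """Inclusive range helper so that 135..139 reads naturally."""
    return range(lo, (hi if hi is not None else lo) + 1)


# The holes this hack opens.  Only the web server is reachable from anywhere;
# file sharing and Remote Desktop are deliberately limited to the LAN.
RULES = [
    Rule("Web Server (HTTP)", "TCP", span(80), ANYWHERE),
    Rule("Remote Desktop", "TCP", span(3389), LAN),
    Rule("File sharing (NetBIOS)", "TCP", span(135, 139), LAN),
    Rule("File sharing (NetBIOS)", "UDP", span(135, 139), LAN),
    Rule("File sharing (SMB)", "TCP", span(445), LAN),
    Rule("File sharing (SMB)", "UDP", span(445), LAN),
    Rule("Ping (ICMP echo request)", "ICMP", span(ICMP_ECHO_REQUEST), LAN),
]

# Ports that carry Windows file and printer sharing (Section 5.10.1).
FILE_SHARING = set(span(135, 139)) | {445}


def decide(rules, src_ip, protocol, number):
    """Default deny: a packet passes only if some rule matches its protocol,
    its destination port (or ICMP type) and its source address."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (rule.protocol == protocol.upper()
                and number in rule.match
                and src in rule.allowed_from):
            return True, rule.name
    return False, None


def overexposed(rules, trusted=LAN):
    """Rules that open file-sharing ports to sources outside the trusted subnet."""
    return [r for r in rules
            if r.protocol in ("TCP", "UDP")
            and set(r.match) & FILE_SHARING
            and not r.allowed_from.subnet_of(trusted)]


# Constructed sample traffic: (source, protocol, port-or-type, description).
SAMPLES = [
    ("203.0.113.7", "TCP", 80, "Internet visitor fetching a web page"),
    ("203.0.113.7", "TCP", 445, "Internet host probing SMB"),
    ("192.168.1.20", "TCP", 445, "LAN PC opening a shared folder"),
    ("192.168.1.20", "UDP", 137, "LAN PC doing a NetBIOS name lookup"),
    ("192.168.1.20", "TCP", 1077, "LAN PC starting a messenger game (no rule added yet)"),
    ("203.0.113.7", "ICMP", ICMP_ECHO_REQUEST, "Internet host pinging us"),
    ("192.168.1.20", "ICMP", ICMP_ECHO_REQUEST, "LAN PC pinging us"),
]


def evaluate(rules=RULES, samples=SAMPLES):
    """Return one (description, allowed, rule_name) tuple per sample packet."""
    return [(desc,) + decide(rules, src, proto, num) for src, proto, num, desc in samples]


if __name__ == "__main__":
    for desc, allowed, rule in evaluate():
        tag = "ALLOW" if allowed else "DENY "
        print(f"{tag}  {desc}" + (f"  [{rule}]" if rule else ""))
    for r in overexposed(RULES):
        print("WARNING: file-sharing hole open to", r.allowed_from, "-", r.name)
```

Running it prints an ALLOW or DENY line for each sample packet; the SMB probe from the Internet and the unconfigured port 1077 are denied while the LAN file-sharing and ping traffic passes. Widening any of the 135-139 or 445 rules to ANYWHERE makes overexposed() report it, which is the check to run before opening those ports on a machine that faces the Internet.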
5.10.3 Punch a Hole Through ZoneAlarm
If you use the ZoneAlarm firewall [Hack #48], you can also allow specific unsolicited incoming traffic through. Click on the Firewall button on the left side of the screen, and then click on Custom for each of your security zones. The Custom Firewall Settings dialog box appears, as shown in Figure 5-23. Click on the service you want to allow through, click OK, and you'll be done.
Figure 5-23. Allowing specific incoming traffic to bypass ZoneAlarm
5.10.4 See Also