Hack 80. Punch an Escape Hole Through Your Firewall
Sometimes, firewalls offer too much protection; they block unsolicited incoming traffic that you want to receive, for example when you're hosting a web site. Here's how to open a hole in your firewall to let only specific incoming traffic through.
Most firewalls block all unsolicited inbound traffic and connections, which can be a problem if you're running a web site, email or FTP server, or other service that requires you to accept unsolicited inbound packets. But you can punch a hole through your firewall to let only that traffic in, while still keeping potentially dangerous intruders out.
First, decide what kind of unsolicited inbound traffic and connections you want to let through, and then find out which ports they use. For example, if you have a web server, you'll have to allow traffic through that's bound for port 80. Table 5-1 lists common ports; for a complete list, go to http://www.iana.org/assignments/port-numbers.
How you allow traffic through a firewall varies from firewall to firewall. To do it for XP's built-in Windows Firewall, from the Control Panel choose Security Center. (If a Security Center icon shows in the system tray, you can instead click that icon.) Then, click the Windows Firewall icon at the bottom of the screen. Click the Exceptions tab. The Windows Firewall Exceptions dialog box appears, as shown in Figure 8-20. To enable a service and allow its incoming traffic through the firewall, put a check next to the service you want to allow through and click OK.
Figure 8-20. Enabling specific incoming services and traffic to bypass XP's Windows Firewall
For this screen, you won't have to know the port numbers for the services whose incoming traffic you want to let through; you just need to know which service you want to allow. XP will know to block or unblock the proper port.
You can easily add a new program to the Exceptions list to let it pass through the firewall [Hack #77] .
In addition to programs that you allow through the firewall, you might also want to allow services through. For example, if you're running a web server, FTP server, or other server, or you have a VPN [Hack #82] that you want to allow others to use, you'll have to tell the firewall to let those requests through.
From the Control Panel, choose Security Center and click the Windows Firewall icon at the bottom of the screen. Click the Advanced tab, highlight the connection for which you want to allow the service through, and click Settings. Now, select the service you want to allow to pass through, as shown in Figure 8-21, and click OK and then OK again. That service will now be able to bypass the Windows Firewall for the connection you had selected. If you want to allow it for other connections, from the Advanced tab select a different connection and repeat the steps.
Figure 8-21. Choosing to let a service bypass the Windows Firewall
There's a chance the default settings for the services you want to allow don't work properly. If that's the case, you can edit them. Depending on the service, you can change the service's name or IP address, its description, the internal and external port numbers the service uses, and whether it uses the TCP or UDP protocol. For example, if your business uses a VPN with a different port number than the one used by the Windows Firewall, you can change the port number the Windows Firewall uses so that your VPN will work. Some services include hardcoded properties that you can't change, while others will let you edit them. For example, Remote Desktop can use only port 3389 for its external and internal ports and TCP as its protocol, and those can't be edited. But a few of the services, notably the VPN connections, let you edit the ports and protocol.
To edit the properties for one of the services, select it and choose Edit, and you'll see the Service Settings screen, as shown in Figure 8-22.
Figure 8-22. Customizing an inbound service that you want to pass through the Windows Firewall
This process lets you select from a number of services that you want to bypass the Windows Firewall. Table 8-4 describes what each service does. Note that the msmsgs entry (Windows Messenger) might or might not show up on your system; it appears if you've used Windows Messenger or Outlook Express (which uses some Messenger components). Unlike all the other services listed, it is enabled by default, so it can already bypass the Windows Firewall.
Just because a service isn't listed in Table 5-1 doesn't mean you can't allow its incoming traffic to bypass the Windows Firewall. You can add any service if you know its port information and the name or IP address of the PC on your network where you want the traffic routed. For example, to play some instant messenger games, you'll need to allow port 1077 to get through. To add a new service, get to the Advanced Settings dialog box shown in Figure 8-21. Then click the Add button and fill out the dialog box shown in Figure 8-23.
Figure 8-23. Adding a new service that can bypass the Windows Firewall
8.7.1. Fix the Windows Firewall's Disabling of File Sharing
When you use the Windows Firewall and try to browse to another computer on your network to share its files, you might get an error message and you won't be able to connect to those files. That's because the Windows Firewall closes the ports used for file sharing and server message block (SMB) communications. (SMB is used by the network to allow file and printer access.) You also might not be able to browse the Internet through My Network Places.
To allow file sharing to work across the network and to allow browsing the Internet through My Network Places, open UDP ports 135 through 139, TCP ports 135 through 139, and TCP and UDP port 445 in the Windows Firewall.
8.7.2. Allow Diagnostic Services to Bypass the Firewall
The Internet Control Message Protocol (ICMP) enables troubleshooting and diagnostic services, such as ping, tracert, and pathping (see Troubleshoot Network Connections with ping, tracert, and pathping). By default, though, the Windows Firewall won't allow incoming ICMP traffic. You can allow various ICMP-enabled services to pass through your firewall by clicking the ICMP tab on the Advanced Settings dialog box shown in Figure 8-21. From the screen that appears, shown in Figure 8-24, check the boxes next to the services you want to allow. To get a description of each service, highlight it and read about it in the Description area.
Figure 8-24. Using the ICMP tab to allow diagnostic services to bypass the Windows Firewall
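The same openings made from the command line rather than the dialog boxes: this is an added example using the netsh firewall context that ships with XP SP2, not a script from the book, covering the file-sharing ports of Section 8.7.1, the ping exception of Section 8.7.2, and a custom port such as the one added in Figure 8-23. The TCP protocol for port 1077 is an assumption, since the text does not name it; the commands themselves are standard XP SP2 netsh syntax.

```batch
@echo off
rem Added example (not from the book): netsh firewall equivalents of the
rem Exceptions / Advanced-tab steps, for Windows XP SP2. Run from an
rem administrator command prompt.

rem --- Section 8.7.1: file and printer sharing (SMB / NetBIOS) ---
rem Open the ports the text lists, but only to the local subnet
rem (scope=SUBNET) so they are never reachable from the Internet side.
for %%P in (135 136 137 138 139 445) do (
  netsh firewall add portopening protocol=TCP port=%%P name="File sharing TCP %%P" mode=ENABLE scope=SUBNET
  netsh firewall add portopening protocol=UDP port=%%P name="File sharing UDP %%P" mode=ENABLE scope=SUBNET
)

rem Equivalent one-liner using the built-in service group instead of
rem individual ports (same scope restriction applies):
rem   netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET

rem --- Section 8.7.2: allow incoming ping only ---
rem ICMP type 8 is "Allow incoming echo request"; all other ICMP types
rem stay blocked.
netsh firewall set icmpsetting type=8 mode=ENABLE

rem --- Figure 8-23: a custom service by port number ---
rem Port 1077 comes from the text; TCP is assumed here. Restricting the
rem scope to the subnet keeps the hole off the Internet-facing side.
netsh firewall add portopening protocol=TCP port=1077 name="IM games" mode=ENABLE scope=SUBNET

rem --- Verify what is now open before trusting the change ---
netsh firewall show portopening
netsh firewall show icmpsetting
netsh firewall show config
```

To close a hole again, use `netsh firewall delete portopening protocol=TCP port=1077` (and likewise for each port opened above).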
8.7.3. Punch a Hole Through ZoneAlarm
If you use the ZoneAlarm firewall, you can also allow specific unsolicited incoming traffic through. Click Firewall on the left side of the screen, and then click Custom for each of your security zones. The Custom Firewall Settings dialog box appears, as shown in Figure 8-25. Click the service you want to allow through, click OK, and you'll be done.
Figure 8-25. Allowing specific incoming traffic to bypass ZoneAlarm
8.7.4. See Also