It's sad, but true—there are some not so nice people out there, and that includes Internet abusers who want to wreak havoc on your computer and make your life miserable. While just about everyone on the planet has a good anti–virus program installed these days, this type of protection may not be enough. So, what should your first line of defense be? A firewall can stop invaders from gaining access to your computer. In essence, a firewall provides protection from port scanning and disables access to shared folders, files, and printers, which keeps the bad guys from copying files and programs to your computer that can cause serious problems when executed.

A good rule of thumb is that any computer connected directly to the Internet should also be protected by a firewall. A personal firewall can be your ticket to strong intruder protection and peace of mind.

A good rule of thumb is that any computer connected directly to the Internet should also be protected by a firewall. A personal firewall can be your ticket to strong intruder protection and peace of mind.

And now for the good news! If you are running Microsoft Windows XP Professional or Home Edition, Windows XP Media Center Edition, or Windows XP Tablet PC Edition, you've already got access to a built–in basic firewall. Microsoft Internet Connection Firewall (ICF) is included as a Windows XP networking feature and you should enable it if you need firewall protection. (If you've set up your Internet connection using the wizard and selected a direct or dial–up connection to the Internet, ICF may already be enabled.)

When running Windows XP, ICF opens and closes most ports on the firewall dynamically as you access services but there are a few exceptions. (See the Windows Messenger and ICF section below for details on manually configuring ports to enable file transfer and voice calls). Since Internet Connection Firewall provides inbound protection only, if you have concerns about programs that “phone home” or send outbound data to an unknown destination over the Internet, you may want to consider a third–party firewall.

Who Needs Firewall Protection?

You need protection if you have a direct, dial–up connection to the Internet, a single computer connected to a cable modem, or a single computer connected to a DSL modem. You'll also want to enable a firewall on the Windows XP–based host computer (and only the host computer) that is used for Internet Connection Sharing (ICS). If you're a broadband user with two or more ISP assigned IPs connected through a hub, you'll need to protect each computer individually. An easy rule of thumb—if a computer connects directly to the Internet, it needs protection.

To activate ICF:

1.

Click Start , and then click My Network Places .

2.

Under Network Tasks , click VIEw Network Connections . (Alternatively, you can right–click My Network Places and then click Properties .)

3.

Right–click the connection used for the Internet, and then click Properties .

4.

Click the Advanced tab, and select the Protect my computer and network check box to turn on ICF. (This also makes the Settings button active, allowing you to configure advanced parameters.)

Top of page Windows Messenger and ICF

Most of the time, my computers are connected wirelessly through one of my Network Address Translation (NAT) boxes that is connected to an AT&T Broadband cable modem. I'm waiting for UPnP firmware for these units that will enable Nat traversal so I can use all of the features of programs like Windows Messenger behind them. (Voice and video instant messaging were not working behind these NAT boxes when I wrote this column, but I'm hoping for firmware that will make this possible and when it arrives, I'll share information on the new UPnP NAT capabilities here in the Expert Zone.) When I wish to use the voice and video instant messaging real time communications (RTC) features, I connect a computer directly to my cable modem, and I enable the Internet Connection Firewall for these sessions.

Windows Messenger version 4.0, which ships with Windows XP, as well as the updated Windows Messenger 4.7 that is now available, also include the ability to transfer files. However, by default, ICF blocks file transfer and you will need to manually configure the appropriate ports to open. Here's how it's accomplished:

1.

Click Settings on the Advanced tab of the Properties dialog box for your Internet connection, then click Add .

2.

In the Service Settings window, type a description of the service.

3.

Type the IP address or the computer name.

4.

For Windows Messenger file transfer capabilities, the External and Internal Ports are the same and both are TCP. Use 6891 for both. If you wish to enable simultaneous transfer of up to 10 files, after clicking OK, set up additional ports in the same manner, numbering sequentially through 6900. You'll need 10 service entries total.

Additionally, you will have open Port 6901 for both TCP and UDP to receive incoming computer to computer voice calls and UDP Ports 6801, 6901, 2001–2120 for computer to phone voice calls.

As shown in the image above, I've enabled a single port only for a single file transfer only. The process to open ports to add other services is the same. Settings needed for some of the other more popular programs appear in the table below:

Program TCP ports UDP ports

Incoming Voice (computer to computer)

6901

6901

Voice (computer to phone)

6801, 6901, 2001–2120

AOL Instant Messenger

443, 563

Crimson Skies

28805, 28801, 3040, 1121

Decent 3

1900

1900, 2092

Diablo II

4000

6112

Need for Speed

9442

6112

Napster

6699

6699

NetMeeting

1731, 1720, 1503, 522, 389

Rainbow Six

2346, 2347, 2348

Top of page Security Logging and Trouble Shooting

If you want to examine incoming connection attempts, you can turn on logging from the ICF Advanced Settings tab as well as specify the size of a log file. If you're experiencing connectivity issues and need to trouble shoot your connection, the ICMP tab provides some configuration options for this purpose.

Top of page Some Special Circumstances

VPN Usage : If you're a VPN user and connect to a remote Office, you should not use ICF. Turn it off before you start your VPN session.

File and Print Sharing : Some broadband providers offer connectivity for more than a single computer and supply multiple public routable IPs. In this case, computers are connected to a hub or switch (rather than a router or NAT box) that connects to a cable or DSL modem. Since ICF disables file and print sharing using TCP/IP, you may need an alternative method of sharing files among your own computers. You can install an additional network transport protocol such as IPX/SPX that will enable you to transfer files between your computers. To install IPX/SPX, from the Connection Properties dialog box, select Install , then select Protocol , Add and then NWLink IPX/SPX/NetBIOS Compatible Transport Protocol .

Outgoing Windows Messenger Calls Behind ICF: If you are using Windows XP Professional, ensure you are using an account with administrative privileges; otherwise outbound calls will not work. (Users of Windows XP Home Edition are assigned the proper administrative privileges by default.)

Top of page Who Does Not Need to Enable Internet Connection Firewall?

If a computer is a client computer to an ICS (Internet Connection Sharing) host, do not enable ICF, but be sure you do enable it on the host computer. If a computer is behind a NAT box or router, don't enable ICF, because the inherent properties of NAT will protect you. If you're in an enterprise/corporate environment, don't enable ICF while logged into a domain at work because your IT staff will have proper commercial firewalls in place on the network. In most cases, user policies will prevent you from enabling ICF if you are logged into a domain. If you've logged on at home using cached credentials and enabled ICF, user policies will probably prevent you from using ICF at work, but you will be able to use it at home while not protected by the corporate firewall.

Barb Bowman enjoys sharing her own experiences and insights into today's leading edge technologies. She is a product development manager for AT&T Broadband Internet Services, but her views here are strictly personal.