Windows Firewall Update

In "Meet Windows Firewall," May 2004, InstantDoc ID 42293, and "Fine-Tuning Windows Firewall," June 2004, InstantDoc ID 42594, I discuss the changes that Service Pack 2 (SP2) brings to Windows XP's built-in firewall. As I noted in those articles, necessary lead times in publishing forced me to work from prerelease versions of SP2, so it was possible that the final product would vary from my descriptions. Unfortunately, I was right: The final SP2 still includes the firewall, but it uses terms and syntax that are different from what I reported. Here's a quick overview of the changes.

Profile names.
You can configure the firewall to behave one way when it's inside your intranet and differently when it's outside on the public Internet. Those two behaviors are called profiles, and the final version of SP2 calls them domain and standard. (Earlier versions called them domain and mobile or corporate and other.) The command line and Group Policy now refer to the profiles by these same names, which earlier versions didn't. You can ask the firewall which profile it's currently using (along with its operational mode and the ports currently open) by typing

netsh firewall show state

at a command line.

On/off modes.
Early versions of SP2 offered three basic operating modes for the firewall: On, Off, and Shielded. On meant that the firewall was enabled, but it let you open particular ports to permit your XP box to, for example, respond to pings, host file and print shares, and allow remote control. Shielded meant that the firewall was enabled, and no incoming ports were enabled. (The notion is that if a worm is attacking your network, you might want to disallow all unsolicited incoming traffic.) The final SP2 GUI, however, recognizes only two operating modes: On and Off. (The command line and Group Policy call these modes Enabled and Disabled.) Instead of a Shielded mode, SP2's firewall calls any opened ports Exceptions and includes the settings Allow exceptions or Disallow exceptions. From the GUI, the command line, or Group Policy, you can create a Shielded mode by turning on the firewall and enabling Disallow exceptions.

Group Policy settings.
Previously, I reported on the nine Group Policy settings that let you control Windows Firewall. SP2's final version includes a few more, bringing the total to 14. But don't worry: They're all self-explanatory.

Command line.
The final version of SP2 includes new command-line syntax and offers a greater degree of control than earlier versions did. (The most significant change is scope control. You can now open a given port only to a list of IP addresses, subnets, or address ranges. Previously, you could open a port only to the local subnet or the entire Internet.) All commands begin with Netsh Firewall rather than Netsh Firewall Ipv4. The basic command to turn the firewall on or off looks like

netsh firewall set opmode <mode> <exceptions> <profile>

where mode and exceptions are either enable or disable, and profile is either domain or standard. Skipping the profile setting sets the firewall's behavior for both profiles, and skipping the exceptions setting leaves exceptions in place. For example, to turn the firewall on while in the standard profile and allow exceptions, you type

netsh firewall set opmode enable enable standard

Alternatively, you can add the parameters mode=, exceptions=, and profile=, as in

netsh firewall set opmode mode=enable exceptions=enable profile=standard

You can also add an interface= option to assign settings for just one NIC, but in my experience this works only if you don't also try to set exceptions and profile. For example,

netsh firewall set opmode mode=enable interface="Local Area Connection"

would turn on the firewall for the NIC named "Local Area Connection."
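The "shielded" configuration described under On/off modes (firewall on, every exception refused) is the setting you want ready to go when a worm is loose on the network. The following batch file is an added example, not from the original article: it puts both profiles into that state, verifies the result with the show commands, and restores exceptions afterward. It assumes XP SP2's netsh firewall context and an Administrator command prompt; profile=ALL is the documented value for "both profiles", which the article's shorter form reaches by omitting profile= entirely.

```batch
@echo off
rem Added example (not from the original article): put Windows Firewall into
rem the "shielded" state -- firewall on, all exceptions refused -- on both
rem profiles, verify it, and undo it when the emergency is over.
rem Assumes Windows XP SP2's netsh firewall context and an Administrator prompt.

setlocal

if "%1"=="" goto usage
if /i "%1"=="shield"  goto shield
if /i "%1"=="restore" goto restore
goto usage

:shield
rem Enable the firewall and refuse every exception on both profiles.
rem Note: interface= cannot be combined with exceptions= or profile=, so a
rem per-NIC lockdown would need separate set opmode calls.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
if errorlevel 1 goto failed
goto verify

:restore
rem Allow exceptions again; the firewall itself stays enabled.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
if errorlevel 1 goto failed
goto verify

:verify
rem show opmode lists operational and exception mode per profile;
rem show state reports the profile in use and the ports actually open.
netsh firewall show opmode
netsh firewall show state
endlocal
exit /b 0

:failed
echo netsh reported an error; the firewall was not reconfigured as requested.
endlocal
exit /b 1

:usage
echo Usage: %~nx0 shield ^| restore
endlocal
exit /b 2
```

Run it as `shield.cmd shield` to lock down and `shield.cmd restore` to reopen exceptions. Because exceptions are merely disallowed rather than deleted, every port opening you configured earlier comes back intact on restore, which is the whole point of SP2's Disallow exceptions switch over the old Shielded mode.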

Space won't permit complete coverage of command lines, but I can give you a few basic useful ones. For example, to let the machine answer pings (i.e., to allow inbound Internet Control Message Protocol—ICMP—echo requests, which are ICMP type 8), you type

netsh firewall set icmpsetting type=8 mode=enable

To enable Microsoft SQL Server access by opening port 1433 just to the local subnet, you type

netsh firewall add portopening tcp 1433 sql enable subnet

And to open port 1433 just to the C-class network starting at, the B-class subnet starting at, and the local subnet, you type

netsh firewall add portopening tcp 1433 sql enable custom,,subnet
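The scoped port opening above is the feature the article singles out as the biggest command-line change, so here is the same operation as an added example (not from the original article) written with netsh's named parameters, which are easier to read in a script than the positional form. The two subnets are placeholders chosen for this example, and LocalSubnet is the keyword netsh accepts inside an addresses= list for "the local subnet"; the exception is restricted to the domain profile on the assumption that a SQL Server should not be reachable while the box is off the corporate network.

```batch
@echo off
rem Added example (not from the original article): open TCP 1433 for SQL
rem Server only to a named set of sources, confirm the exception, and show
rem how to remove it again. Assumes XP SP2's netsh firewall context and an
rem Administrator prompt.

setlocal

rem Placeholder sources for this example: a C-class network, a B-class
rem network, and the local subnet. Replace with your own ranges.
set SQL_SOURCES=192.168.10.0/24,172.16.0.0/16,LocalSubnet

rem Named-parameter form of the article's positional command. Limiting the
rem exception to the domain profile keeps the port closed while the machine
rem is away from the corporate network; use profile=ALL to open it in both.
netsh firewall add portopening protocol=TCP port=1433 name="SQL Server" mode=ENABLE scope=CUSTOM addresses=%SQL_SOURCES% profile=DOMAIN
if errorlevel 1 (
    echo Failed to add the port exception.
    endlocal
    exit /b 1
)

rem Verify: the listing should show port 1433 with a Custom scope and the
rem address list above, under the domain profile only.
netsh firewall show portopening

rem To remove the exception when the SQL instance is decommissioned:
rem   netsh firewall delete portopening protocol=TCP port=1433 profile=DOMAIN

endlocal
exit /b 0
```

A check worth making after any scope=CUSTOM change is that `netsh firewall show state` still lists the port as open only under the profile you intended; an exception added without profile= lands in both profiles, and the standard profile is the one in force when the laptop is on a hotel network.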

As I've said before, SP2 definitely expands your to-do list. But in the end analysis, it's worth it.
