Windows XP Hacks [Electronic resources] - text version

Preston Gralla

Hack 50 Punch an Escape Hole Through Your Firewall


Sometimes firewalls offer too much protection: they block unsolicited
incoming traffic that you want to receive, such as when you're hosting
a web site. Here's how to open a hole in your firewall to let only
specific incoming traffic through.

Most firewalls block all unsolicited inbound traffic and connections,
which can be a problem if you're running a web site, email or FTP
server, or other service that requires you to accept unsolicited
inbound packets. But you can punch a hole through your firewall to let
only that traffic in, while still keeping potentially dangerous
intruders out.

First, decide what kind of unsolicited inbound traffic and
connections you want to let through, and then find out which
ports they use. For example, if you
have a web server, you'll have to allow traffic
through that's bound for port 80. Table 5-2 [Hack #49] lists
common ports; for a complete list, go to http://www.iana.org/assignments/port-numbers.

How you allow traffic through a firewall varies from firewall to
firewall. To do it for XP's built-in Internet Connection Firewall
(ICF), first right-click on My Network Places to open the Network
Connections folder. Then right-click on the connection for which you
want to enable the incoming services, choose Properties, go to the
Advanced tab, and click Settings. The Advanced Settings dialog box
appears, as shown in Figure 5-19. To enable a service and allow its
incoming traffic through the firewall, put a check next to it and
click OK.


If you haven't enabled ICF, the Settings button will
be grayed out, and you won't be able to get to this
screen. To find out how to enable ICF, see [Hack #46].


Figure 5-19. Enabling specific incoming services and traffic to bypass XP's ICF


For this screen, you won't have to know the port
numbers for the services whose incoming traffic you want to let
through; you just need to know which service you want to allow. XP
will know to block or unblock the proper port.

If the default settings for the service you want to allow don't work
properly, you can edit them. Depending on the service, you can change
the service's name or IP address, its description, the internal and
external port numbers the service uses, and whether it uses the TCP or
UDP protocol. For example, if your business uses a VPN [Hack #62] with
a different port number than the one used by ICF, you can change the
port number ICF uses so that your VPN will work. Some services include
hardcoded properties that you can't change, while others will let you
edit them. For example, Remote Desktop [Hack #58] can use only 3389
for its external and internal ports and TCP as its protocol, and those
can't be edited. But a few of the services, notably the VPN
connections, let you edit the ports and protocol.

To edit the properties for one of the services, select it, choose
Edit, and you'll see the Service Settings screen, as
shown in Figure 5-20.


Figure 5-20. Customizing an inbound service that you want to pass through the ICF


ICF allows you to let in about half-a-dozen services. Table 5-3 describes what each of the default services
does. Note that the entry msmsgs might or might
not show up in your system; Windows Messenger appears if
you've used Windows Messenger or Outlook Express
(which uses some Messenger components). Unlike all the other services
listed, it is enabled by default, so it can already bypass the ICF.
By default, though, all the other services listed in Table 5-3 are disabled.

Table 5-3. Services that can be allowed to bypass the ICF

Service                                            What it does
-------------------------------------------------  ------------------------------------------------------------
FTP Server                                         Allows others to connect to an FTP server on your PC.
Incoming Connection VPN (L2TP)                     Allows for the use of a Virtual Private Network using the L2TP tunneling technology.
Incoming Connection VPN (PPTP)                     Allows for the use of a Virtual Private Network using the PPTP tunneling technology.
Internet Mail Access Protocol Version 3 (IMAP3)    Allows others to connect to an IMAP3 email server on your PC to retrieve email.
Internet Mail Access Protocol Version 4 (IMAP4)    Allows others to connect to an IMAP4 email server on your PC to retrieve email.
Internet Mail Server (SMTP)                        Allows others to use a Simple Mail Transfer Protocol (SMTP) server on your PC for sending email.
IP Security (IKE)                                  Allows for the use of the Internet Key Exchange (IKE) security technology.
msmsgs                                             Allows for the use of Windows Messenger, plus any software that uses its components, such as Outlook Express.
Post-Office Protocol Version 3 (POP3)              Allows others to connect to a POP3 email server on your PC to retrieve email.
Remote Desktop                                     Allows others to connect to your PC and take control of your desktop using XP Professional's Remote Desktop feature. (Available in XP Professional only.)
Secure Web Server (HTTPS)                          Allows others to connect to a web server on your PC that uses the HTTPS security protocol.
Telnet Server                                      Allows others to use a Telnet server on your PC to use your PC's resources.
Web Server (HTTP)                                  Allows others to connect to a web server on your PC.

Just because a service isn't listed in Table 5-3 doesn't mean that you
can't allow its incoming traffic to bypass the ICF.
You can add any service if you know its port information and the name
or IP address of the PC on your network where you want the traffic
routed. For example, to play some instant messenger games
you'll need to allow port 1077 to get through. To
add a new service, get to the Advanced Settings dialog box shown in
Figure 5-19. Then click on the Add button and fill
out the dialog box shown in Figure 5-21.


Figure 5-21. Adding a new service that can bypass the ICF



5.10.1 Fix ICF's Disabling of File Sharing


When you use the ICF and try to
browse to another computer on your network to share its files, you
may get an error message and you won't be able to
connect to those files. That's because the ICF
closes the ports used for file sharing and
server message block (SMB) communications.
(SMB is used by the network to allow file and printer access.) You
also may not be able to browse the Internet through My Network
Places.

To allow file sharing to work across the network and to allow
browsing the Internet through My Network Places, open UDP ports 135
through 139, TCP ports 135 through 139, and TCP and UDP port 445 in
the ICF.
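The allow-list that the Advanced Settings dialog, the Add button (Figure 5-21), and the file-sharing ports just listed build up is worth keeping track of outside the dialog, so that you can see which openings a chosen set of services actually justifies and which ones are left over from something you no longer run. The following Python script is an added example, not code from the book: it maps the Table 5-3 service names to the standard IANA ports for those protocols (Remote Desktop's TCP 3389 is the value the hack itself gives), treats file and printer sharing as one named pseudo-service using exactly the port list above, accepts custom services the way the Add dialog does, and compares an intended allow-list against a "currently open" list. The function names `build_allow_list` and `audit`, the pseudo-service name, and the currently-open sample rules are my own constructions.

```python
"""Model an ICF-style inbound allow-list and audit it for least privilege.

Added example (not from the book). Service-to-port values are the
standard IANA assignments; the file-sharing port list is the one the
hack gives (UDP 135-139, TCP 135-139, TCP and UDP 445).
"""
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, int]  # (protocol, port), e.g. ("TCP", 80)

# Table 5-3 services mapped to the well-known (protocol, port) they listen
# on. Remote Desktop's TCP 3389 is the value the hack states; the rest are
# the IANA assignments for the named protocols.
DEFAULT_SERVICES = {
    "FTP Server": [("TCP", 21)],
    "Incoming Connection VPN (L2TP)": [("UDP", 1701)],
    "Incoming Connection VPN (PPTP)": [("TCP", 1723)],
    "Internet Mail Access Protocol Version 3 (IMAP3)": [("TCP", 220)],
    "Internet Mail Access Protocol Version 4 (IMAP4)": [("TCP", 143)],
    "Internet Mail Server (SMTP)": [("TCP", 25)],
    "IP Security (IKE)": [("UDP", 500)],
    "Post-Office Protocol Version 3 (POP3)": [("TCP", 110)],
    "Remote Desktop": [("TCP", 3389)],
    "Secure Web Server (HTTPS)": [("TCP", 443)],
    "Telnet Server": [("TCP", 23)],
    "Web Server (HTTP)": [("TCP", 80)],
}

# File and printer sharing as the hack describes it, treated as one named
# pseudo-service (the name is this example's own, not an ICF entry).
FILE_SHARING_NAME = "File and Printer Sharing"
FILE_SHARING: List[Rule] = (
    [("UDP", p) for p in range(135, 140)]
    + [("TCP", p) for p in range(135, 140)]
    + [("TCP", 445), ("UDP", 445)]
)


def build_allow_list(services: Iterable[str],
                     custom: Iterable[Tuple[str, str, int]] = ()) -> Set[Rule]:
    """Return the (protocol, port) pairs the chosen services need opened.

    `services` holds Table 5-3 names or FILE_SHARING_NAME; `custom` holds
    (name, protocol, port) triples for services added through the Add
    button, e.g. ("IM games", "TCP", 1077). Unknown names and bad ports
    raise instead of silently opening nothing.
    """
    wanted: Set[Rule] = set()
    for name in services:
        if name == FILE_SHARING_NAME:
            wanted.update(FILE_SHARING)
        elif name in DEFAULT_SERVICES:
            wanted.update(DEFAULT_SERVICES[name])
        else:
            raise KeyError(f"unknown service: {name!r}")
    for _name, proto, port in custom:
        proto = proto.upper()
        if proto not in ("TCP", "UDP"):
            raise ValueError(f"protocol must be TCP or UDP, got {proto!r}")
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        wanted.add((proto, port))
    return wanted


def audit(open_rules: Iterable[Rule],
          wanted: Set[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Compare what the firewall currently lets in against what is needed.

    Returns (unjustified, missing): openings that no chosen service
    accounts for (candidates to close again) and needed openings that are
    not yet present.
    """
    open_set = {(proto.upper(), port) for proto, port in open_rules}
    return sorted(open_set - wanted), sorted(wanted - open_set)


if __name__ == "__main__":
    # Constructed sample: the PC hosts a web site and an IM game, and a
    # Telnet opening from an earlier experiment was never closed.
    wanted = build_allow_list(
        ["Web Server (HTTP)", "Secure Web Server (HTTPS)"],
        custom=[("IM games", "TCP", 1077)],
    )
    currently_open = [("TCP", 80), ("TCP", 23)]
    extra, missing = audit(currently_open, wanted)
    print("open but not needed:", extra)    # [('TCP', 23)]
    print("needed but not open:", missing)  # [('TCP', 443), ('TCP', 1077)]
```

Run the script as-is to see the sample audit; to check your own machine, replace `currently_open` with the entries you have ticked or added in the Advanced Settings dialog. The point of the `audit` split is that the two lists call for different actions: the "missing" list is what you still have to enable, and the "unjustified" list is what you can close again once the service behind it is gone.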


5.10.2 Allow Diagnostic Services to Bypass the Firewall



The Internet Control Message Protocol (ICMP) enables troubleshooting
and diagnostic services, such as ping [Hack #52]. By default, though,
the ICF won't allow incoming ICMP traffic. You can allow various
ICMP-enabled services to pass through your firewall by clicking on the
ICMP tab on the Advanced Settings dialog box shown in Figure 5-19.
From the screen that appears, shown in Figure 5-22, check the boxes
next to the services you want to allow. To get a description of each
service, highlight it and read about it in the Description area.


Figure 5-22. Using the ICMP tab to allow diagnostic services to bypass the ICF



5.10.3 Punch a Hole Through ZoneAlarm


If you use the ZoneAlarm firewall [Hack #48], you can also allow
specific unsolicited incoming traffic through. Click on the Firewall
button on the left side of the screen, and then click on Custom for
each of your security zones. The Custom Firewall Settings dialog box
appears, as shown in Figure 5-23. Click on the service you want to
allow through, click OK, and you'll be done.


Figure 5-23. Allowing specific incoming traffic to bypass ZoneAlarm



5.10.4 See Also


[Hack #48]

[Hack #46]


