What is the trick to get Windows XP firewall to stay on (after

"Colin Barnhorst" wrote:

I use the SP2 firewall.

"Alessandro Crugnola" wrote in message
...
On Mon, 03 Jan 2005 00:39:55 GMT, Rick Wintjen wrote:

Windows Security Expert wrote:
On Sun, 02 Jan 2005 23:28:14 GMT, (Charlie
Hauper) wrote:

In article .com,
"Orak
Listalavostok" wrote:
QUESTION:
What is the trick to get Windows XP firewall to stay on?
Every time I boot it says my firewall isn't on
(even though I use Sygate).
So I turn the Windows firewall on every time manually.

I don't think anyone on this ng uses the windows xp firewall.
Most (if not all) of us use that "other" firewall program.
The one that actually works.
Everyone knows that anything from Microsoft is pure garbage.
The windows xp firewall can't even start up upon reboot.
It's just another (RDB) really dumb program by Microsoft.
The windows firewall is a joke.
Besides not blocking anything, it won't even start up gracefully.
You're the idiot for using Microsoft products in the first place.
What did you expect from Microsoft anyway?



Our Computer Club with 18 systems running WinXP Home SP2 with Windows
Firwall turned on. I have two networked with WinXP Pro SPe with Windows
Firewall turned on.

It's too bad you bash a product because you don't know how to use it.

From "Top 10 Reasons to Deploy Windows XP Service Pack 2"
(http://www.microsoft.com/technet/pro...in/sp2top.mspx):

The new Windows Firewall is on by default and enabled even before the
network starts up, as Windows XP SP2 boots.

With that said, there are still some reasons you might want a more
full-featured firewall – almost no outbound traffic checking is performed,
and all machines on the local subnet are trusted, but if you know anything
about firewalls

"Alessandro Crugnola" wrote:

On Mon, 03 Jan 2005 00:39:55 GMT, Rick Wintjen wrote:

Windows Security Expert wrote:
On Sun, 02 Jan 2005 23:28:14 GMT, (Charlie
Hauper) wrote:

In article .com, "Orak
Listalavostok" wrote:
QUESTION:
What is the trick to get Windows XP firewall to stay on?
Every time I boot it says my firewall isn't on
(even though I use Sygate).
So I turn the Windows firewall on every time manually.

I don't think anyone on this ng uses the windows xp firewall.
Most (if not all) of us use that "other" firewall program.
The one that actually works.
Everyone knows that anything from Microsoft is pure garbage.
The windows xp firewall can't even start up upon reboot.
It's just another (RDB) really dumb program by Microsoft.
The windows firewall is a joke.
Besides not blocking anything, it won't even start up gracefully.
You're the idiot for using Microsoft products in the first place.
What did you expect from Microsoft anyway?

In your example, you refer to an FTP server and an XP machine. If you
initiate an FTP connection from XP to the server, the connection is allowed
whether the box is checked or not and you will in fact receive data from the
server. This inbound traffic was solicited.

By checking the box, would be able to initiate an FTP connection to the XP
box. Of course this would be of limited use if you were not running an FTP
server on the XP box.

The Firewall control panel is explicit in saying that exceptions are
allowing inbound connections. This firewall is not designed to block outbound
connections. I would refer you to the link I mentioned below
(http://www.microsoft.com/technet/pro...in/sp2top.mspx)
where it is clearly stated that almost no outbound checking is done.

In Summary:
I would recommend that you understand the technology you are using and
"testing" before making wild assertions. No one is claiming that this is a
complete solution, but should be used as another layer of protection *if*
desired. Otherwise, feel free to add a product like ZoneAlarm to your
arsenal. But make sure you understand how it works and what protection it
affords you.


"Triffid" wrote:



Lars M. Hansen wrote:

On Mon, 03 Jan 2005 15:31:58 -0500, Triffid spoketh


I understand how FTP works. I mentioned it only as an easily
reproduceable example.

My issue with Windows Firewall is the fact it pops up claiming to have
blocked something, when in reality it has not - clearly misleading behavior.


Please provide examples of unsolicited traffic that the Windows firewall
claims to have blocked but which in fact it has not.

I fail to see the relevance of solicited vs. unsolicited traffic to the
issue I raised.

The firewall permits inbound FTP data connections by default, but does
not display an exception for FTP by default, i.e. there is at least one
invisible "permit" rule built in. The firewall raises a Windows Security
Alert when traffic is permitted by the invisible rule.

The Alert says "Windows Firewall has blocked this program from accepting
connections...", which is misleading because it has in fact permitted
the connection - apparently by design.

The responses to my post suggest people here don't consider this
behavior problematic, but it makes me distrust the software - so I dug a
little deeper to see if my unease is justified. Turns out it is.

I clicked "Unblock" on the Alert window, which added a visible exception
for the Windows FTP client with unlimited scope. This is reasonable
behavior, although it would be nice if the user were prompted for scope
given that the FTP data connection which raised the alert was from a
server on the local subnet.

FTP continues to function after adding the exception, the exception
merely stops the spurious alerts (as expected)

Next I constrained the FTP exception's scope to "Custom list" and
specified a single RFC1918 IP address which is *not* on my local subnet,
i.e. I configured the firewall to permit FTP data connections from one
unreachable IP address *only*.

Guess what?

Active mode FTP still works to all servers, regardless of their IP
address. I then changed the scope to "My network (subnet) only". Same
result, i.e. restricting scope has no effect.

In summary:

- Windows Firewall has a default exception for FTP, with unlimited
scope, but it is not shown on the default exception list.
- Windows Firewall raises spurious FTP alerts unless a visible FTP
exception is added.
- Changes to the FTP exception scope have no effect. Scope is unlimited
regardless of configured scope.

Microsoft has already released a patch to fix exception scope on dialup
connections. Given the above, one wonders how many more invisible
exceptions and broken scope restrictions remain to be discovered.

Triffid