Restricting Ports with Internet Connection Firewall
Windows XP provides the Internet Connection Firewall (ICF) feature to let you control which ports are open to the Internet. If you are also using the Internet Connection Sharing (ICS) feature, you should turn on ICF for the system that is running ICS so that the entire network is protected. If your system has a direct connection to the Internet, you can protect that connection with ICF directly.
For details about configuring Internet Connection Firewall, see Using Internet Connection Firewall in Windows XP.
Restricting Ports Using TCP/IP Filtering
In both Windows XP and Windows 2000, the TCP/IP protocol stack has a built-in filter that lets you restrict inbound traffic by TCP port, UDP port, and IP protocol number. This capability is limited: it filters only incoming packets, and it cannot filter by IP address. To configure TCP/IP filtering, follow these steps:
1. In Control Panel, open Network Connections. (In Windows 2000, the Control Panel item is named Network And Dial-Up Connections.)
2. Right-click the Local Area Network connection and choose Properties.
3. On the General tab, select Internet Protocol (TCP/IP) and click Properties.
4. On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. In the Advanced TCP/IP Settings dialog box, click the Options tab.
6. In the Optional Settings box, select TCP/IP Filtering and then click Properties.
7. In the TCP/IP Filtering dialog box, shown in Figure 17-2, select Enable TCP/IP Filtering (All Adapters) to enable filtering.
Figure 17-2. Options to restrict TCP/IP traffic are well hidden.
In this dialog box, you'll see the options to restrict traffic for TCP ports, UDP ports, and IP protocol numbers. For each option, you can permit all ports or protocols, or limit the allowed port or protocol numbers to a list that you provide. If you select Permit Only, you then add the port or protocol numbers on which you want to allow incoming connections; all others are closed. Because the filtering you set here applies to incoming packets only, you need to open only the ports that you want other computers to reach. For example, if you run a Web server, you need to open TCP port 80 so that anyone wanting to reach your site can do so. You don't need to open port 80 to browse another Web site yourself, because outgoing connections you establish are not blocked: the TCP filter is applied to inbound connection requests, so the replies to connections your computer opened still arrive. UDP has no connections to track, however. A Permit Only UDP list is applied to every inbound datagram, including the replies to requests your computer sent, so restricting UDP can break services such as DNS name resolution unless the ports those replies arrive on are also listed. Having the option to allow all ports except certain specified ones would often be useful, but that option is not available here.
The IP Protocol filter isn't very effective because nearly all Internet traffic you might want to block selectively travels over TCP, UDP, or ICMP (protocol numbers 6, 17, and 1, respectively). You can't practically block those three protocol numbers outright because so many services depend on them; the TCP and UDP port lists are the place to be selective. One notable exception: Microsoft's Point-to-Point Tunneling Protocol (PPTP) carries its tunneled data in the Generic Routing Encapsulation (GRE) protocol, number 47, so a Permit Only protocol list that omits 47 blocks inbound PPTP. The IANA maintains the complete list of protocol numbers at http://www.iana.org/assignments/protocol-numbers.
In most cases, the TCP/IP Filtering dialog box does not offer enough flexibility to serve as a useful security tool. The most critical limitation is that the filtering applies to all network adapters on the system. In a system acting as an Internet firewall, you typically want to apply more restrictive filters to the Internet connection than you would to the local network connection. If you're looking for a software filter on Windows XP systems, use Internet Connection Firewall instead because it provides much better control over the types and methods of traffic filtering.
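The following Python script is an added example, not code from the book, that models the policy this dialog builds. It renders the settings in .reg form (the EnableSecurityFilters value under Tcpip\Parameters and the per-adapter TCPAllowedPorts, UDPAllowedPorts and RawIPAllowedProtocols lists, where a list holding only "0" means Permit All; the adapter GUID is a placeholder you would replace with the real Interfaces subkey), and it runs constructed sample packets through the same policy under the behavior described above, which the model assumes: TCP lists are checked on inbound connection requests only, UDP lists on every inbound datagram, and the protocol list on every IP packet. The result makes the two limitations concrete: a Web server policy of "TCP 80 only" still lets the machine browse the Web, but a Permit Only UDP list drops the DNS replies to its own lookups, and omitting 47 from the protocol list blocks PPTP.

```python
"""Model of the Windows 2000/XP TCP/IP Filtering dialog (added example, not the book's code).

build_reg() renders the dialog's settings as a .reg file, and inbound_allowed()
applies the same policy to a single inbound packet the way the filter is
understood to work: TCP lists are checked on connection requests (SYN) only,
UDP lists on every datagram, and the protocol list on every IP packet.
Outbound traffic is never filtered.  The adapter GUID is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

TCP, UDP, ICMP, GRE = 6, 17, 1, 47          # IANA protocol numbers named in the text
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"


@dataclass
class FilterPolicy:
    """The dialog's three lists.  None means Permit All; a set means Permit Only."""
    enabled: bool = True
    tcp_ports: Optional[Set[int]] = None
    udp_ports: Optional[Set[int]] = None
    ip_protocols: Optional[Set[int]] = None


def _multi_sz(values: Optional[Set[int]]) -> str:
    """REG_MULTI_SZ in .reg syntax: hex(7) over UTF-16LE, each string NUL-terminated
    plus a final NUL.  Permit All is stored as the single string "0"."""
    items = ["0"] if values is None else [str(v) for v in sorted(values)]
    raw = "".join(item + "\x00" for item in items) + "\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw.encode("utf-16-le"))


def build_reg(policy: FilterPolicy,
              adapter_guid: str = "{PLACEHOLDER-ADAPTER-GUID}") -> str:
    """Return .reg text equivalent to the dialog.  EnableSecurityFilters is global;
    the Permit Only lists sit under each adapter's Interfaces\\{GUID} key."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % TCPIP_KEY,
        '"EnableSecurityFilters"=dword:%08x' % int(policy.enabled),
        "",
        "[%s\\Interfaces\\%s]" % (TCPIP_KEY, adapter_guid),
        '"TCPAllowedPorts"=%s' % _multi_sz(policy.tcp_ports),
        '"UDPAllowedPorts"=%s' % _multi_sz(policy.udp_ports),
        '"RawIPAllowedProtocols"=%s' % _multi_sz(policy.ip_protocols),
        "",
    ]
    return "\r\n".join(lines)


def inbound_allowed(policy: FilterPolicy, protocol: int,
                    dst_port: Optional[int] = None, tcp_syn: bool = True) -> bool:
    """Decide one inbound packet.  tcp_syn=False marks a segment belonging to a
    connection this host opened; the filter lets those through regardless of port."""
    if not policy.enabled:
        return True
    if policy.ip_protocols is not None and protocol not in policy.ip_protocols:
        return False                      # e.g. GRE (47) dropped, which disables PPTP
    if protocol == TCP and policy.tcp_ports is not None:
        return (not tcp_syn) or dst_port in policy.tcp_ports
    if protocol == UDP and policy.udp_ports is not None:
        return dst_port in policy.udp_ports   # stateless: replies to our own queries too
    return True


def web_server_policy() -> FilterPolicy:
    """The text's example: expose only TCP 80, accept no inbound UDP, and let
    through only TCP, UDP and ICMP at the protocol level (so GRE is blocked)."""
    return FilterPolicy(enabled=True, tcp_ports={80}, udp_ports=set(),
                        ip_protocols={TCP, UDP, ICMP})


def demo(policy: Optional[FilterPolicy] = None) -> Dict[str, bool]:
    """Constructed sample packets run through the policy; returns name -> allowed."""
    policy = policy or web_server_policy()
    return {
        "client SYN to our Web server, TCP 80": inbound_allowed(policy, TCP, 80),
        "SYN to SMB, TCP 445": inbound_allowed(policy, TCP, 445),
        "reply on our outbound HTTP connection, TCP 1025": inbound_allowed(policy, TCP, 1025, tcp_syn=False),
        "DNS reply to our query, UDP 1026": inbound_allowed(policy, UDP, 1026),
        "ping, ICMP": inbound_allowed(policy, ICMP),
        "PPTP data, GRE": inbound_allowed(policy, GRE),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-50s %s" % (name, "allowed" if allowed else "dropped"))
    print(build_reg(web_server_policy()))
```

The .reg output is what you would import with regedit on each machine instead of clicking through six dialog boxes; the decision table is the part worth reading before you do, because it shows that the "DNS reply" row is dropped the moment UDP moves from Permit All to Permit Only.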