STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Windows XP Service Pack 2 Firewall

Overview

Windows XP Service Pack 2 includes an improved firewall that is enabled by default. This provides increased security for your system, but it can also prevent normal operation of some software commonly used at Stanford, such as PC-Leland and Bigfix. This page will assist you in configuring the Windows Firewall to work with applications that require a port to be opened.

Manually Configuring Windows Firewall

If you wish to control more finely which ports are opened in the firewall, you can use the following instructions to manually add an exception to the firewall's configuration:

  1. From the Start menu go to the Control Panels and open the Windows Firewall control panel.

  2. Click on the Exceptions tab.

  3. Click on the Add Port ... button.

    Enter the appropriate information for the service for which you are creating the exception. For instance, to enable the s/ident service so that PC-Leland works with Webauth pages, you would enter the following information:

    • Name: s/ident
    • Port number: 113 (TCP)

    Ports needed for other commonly used applications include:

    • UDP 52311: Bigfix
    • TCP and UDP 5003: Filemaker
    • TCP and UDP 497: Retrospect
    • TCP 6000: X-Windows


  4. Click OK. You should now see the entry you've made appear in the list of Programs and Services.

  5. Click OK to close the Advanced Settings window and OK again to close the Windows Firewall. The exception you've created will now allow all traffic on this port through the Windows Firewall. To learn how to restrict this traffic according to the originating IP address, please see Changing the Scope of Windows Firewall Exceptions.

Configuring Windows Firewall for File and Printer Sharing

You can use the following steps to configure the firewall to allow file and printer sharing for machines on your local network.

  1. From the Start menu go to the Control Panels and open the Windows Firewall control panel.

  2. Click on the Exceptions tab. Select the option for File and Printer Sharing.

    Note: The default for this pre-defined exception is to allow file sharing to machines on your local network. If you are sharing files within your office area or your home network, this setting should be sufficient. If you wish to share files across networks on campus, please see Changing the Scope of Windows Firewall Exceptions.


  3. Click OK to close the Windows Firewall Control Panel.

Changing the Scope of Windows Firewall Exceptions

One of the new features with the Windows Firewall included with SP2 is the ability to allow traffic through the firewall based on the source IP address of that traffic. This section will use the File and Printer Sharing exception to illustrate some of the options available with this feature.

  1. Open the Windows Firewall Control Panel and click on the Exceptions tab. Highlight the File and Printer Sharing exception and click Edit.

  2. Select the first port and click Change Scope.

  3. The Change Scope window opens and shows you the three options available:

    • Any Computer (including those on the Internet): This won't restrict traffic for this exception based on IP address at all. This setting is the default for any exception you manually create. In many cases that may be appropriate and sufficiently secure but you should always consider the risks before selecting this option.

    • My network (subnet) only: This setting will only allow traffic through this exception for machines on your local subnet. If you wish to share files to other machines in your immediate area (within your building on campus or on a home network) this setting is sufficient. This is the default setting for the File and Printer Sharing exception.

    • Custom list: This option allows you to specify individual IP addresses or ranges of IP addresses that will be allowed to use this exception. If, for instance, you wanted to share files to another building on campus, or perhaps from a campus office network to a network in the Stanford residences, you could enter the following:

      171.64.0.0/14,128.12.0.0/16 (no spaces)

      This will allow traffic through the exception only from the Stanford network.

  4. When you have made your selection click OK to close the Change Scope window.

    Important: If you want to adjust the default scope for the File Sharing exception, you need to adjust the scope for each of the four ports listed in the Edit a Service window in step 2.

  5. Click OK to close the Windows Firewall Control Panel.
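
To see which source addresses a scope setting actually admits, the following added example (not part of the original Stanford page) models the three Change Scope options in Python and evaluates the custom list shown above. The function names, the sample source addresses and the local interface address are constructed for illustration; rejecting entries with host bits set is this example's own typo check, not documented Windows Firewall behaviour.

```python
import ipaddress

# Custom scope list quoted on the page (Stanford campus ranges).
STANFORD_SCOPE = "171.64.0.0/14,128.12.0.0/16"


def parse_custom_list(text):
    """Parse a comma-separated scope list; spaces are rejected, as the page requires."""
    if not text or any(ch.isspace() for ch in text):
        raise ValueError("scope list must be non-empty and contain no spaces")
    networks = []
    for entry in text.split(","):
        # strict=True raises ValueError on typos such as 171.64.1.0/14
        # (host bits set) and on empty entries left by a doubled comma.
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def source_allowed(source, scope, local_interface=None, custom_list=None):
    """Return True if traffic from `source` passes an exception with this scope.

    scope: "any", "subnet" or "custom", mirroring the three Change Scope options.
    local_interface: this machine's address and prefix (hypothetical value),
                     needed only for the "subnet" option.
    """
    addr = ipaddress.ip_address(source)
    if scope == "any":
        return True  # no restriction by source address at all
    if scope == "subnet":
        return addr in ipaddress.ip_interface(local_interface).network
    if scope == "custom":
        return any(addr in net for net in parse_custom_list(custom_list))
    raise ValueError("unknown scope: %r" % scope)


if __name__ == "__main__":
    # Show the address range each entry of the page's list covers.
    for net in parse_custom_list(STANFORD_SCOPE):
        print(net, "covers", net[0], "-", net[-1])
    # Constructed source addresses: two inside the list, two outside it.
    for src in ("171.67.255.254", "171.68.0.1", "128.12.40.7", "203.0.113.9"):
        verdict = source_allowed(src, "custom", custom_list=STANFORD_SCOPE)
        print(src, "allowed" if verdict else "blocked")
```

The /14 entry spans 171.64.0.0 through 171.67.255.255, so a source at 171.68.0.1 falls just outside the list.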
Last modified Monday, 09-Jan-2006 11:29:12 AM