This article describes the Internet Connection Firewall
(ICF) that is included with Microsoft Windows XP Home Edition, Microsoft
Windows XP Professional, Windows XP Home Edition Service Pack 1 (SP1), and
Windows XP Professional SP1. This article does not describe the firewall that
is included in Windows XP SP2.
Description of Internet Connection Firewall
Internet Connection Firewall is software that you can use to set
restrictions on the information that is communicated between your home or small
office network and the Internet.
If your network uses Internet
Connection Sharing to provide Internet access to multiple computers, it is a
good idea to turn on Internet Connection Firewall on the shared Internet
connection. However, you can turn on Internet Connection Sharing and Internet
Connection Firewall separately. It is a good idea to turn on Internet
Connection Firewall on the Internet connection on any Microsoft Windows
XP-based computer that is connected directly to the Internet.
Internet Connection Firewall can also help protect a single computer that is connected
to the Internet. If you have a single computer that is connected to the
Internet with a cable modem, a DSL modem, or a dial-up modem, Internet
Connection Firewall helps protect your Internet connection. Do not turn on
Internet Connection Firewall for virtual private network (VPN) connections
because Internet Connection Firewall interferes with file sharing and other VPN
How Internet Connection Firewall works
Internet Connection Firewall is a "stateful" firewall. A stateful
firewall is one that monitors all aspects of the communications that cross its
path and examines the source and the destination address of each message that
the firewall handles. To prevent unsolicited traffic from the public side of
the connection from entering the private side, Internet Connection Firewall
keeps a table of all the communications that have originated from the computer
that is running Internet Connection Firewall. For a single computer, Internet
Connection Firewall tracks traffic that originates from the computer. If you
use Internet Connection Firewall in conjunction with Internet Connection
Sharing, Internet Connection Firewall tracks all the traffic that originates
from the computer that is running Internet Connection Firewall and Internet
Connection Sharing, and tracks all the traffic that originates from private
network computers. Internet Connection Firewall compares all inbound traffic
from the Internet to the entries in the table. Inbound Internet traffic is
permitted to reach the computers in your network only if there is a matching
entry in the table that shows that the communication exchange began in your
computer or private network.
Communications that originate from a
source outside the computer that is running Internet Connection Firewall, such
as from the Internet, are dropped by the firewall unless you create an entry on
tab to permit passage. Instead of sending you notifications about activity,
which might arrive frequently enough to become a distraction, Internet
Connection Firewall silently discards unsolicited communications. This stops
common hacking attempts such as port scanning. Instead, Internet Connection
Firewall can create a security log so that you can view the activity that is
tracked by the firewall.
You can configure services so that unsolicited traffic from the Internet is
forwarded by the computer that is running Internet Connection Firewall to the
private network. For example, if you are hosting an HTTP Web server service,
and you turned on the HTTP service on your computer, unsolicited HTTP traffic
is forwarded by the computer that is running Internet Connection Firewall to
the HTTP Web server. Internet Connection Firewall requires operational
information (known as a service definition) to permit the unsolicited Internet
traffic to be forwarded to the Web server on your private network.
Internet Connection Firewall considerations
It is not a good idea to turn on Internet Connection Firewall on
any connection that does not directly connect to the Internet. If you turn on
Internet Connection Firewall for the network adapter of a client computer that
is running Internet Connection Sharing, Internet Connection Firewall interferes
with some communications between that computer and all other computers on the
network. For a similar reason, you cannot use the Network Setup Wizard to turn
on Internet Connection Firewall on the Internet Connection Sharing host private
connection. This is the connection that connects the Internet Connection
Sharing host computer with the Internet Connection Sharing client computers.
Turning on a firewall in this location would prevent network communications.
You do not have to use Internet Connection Firewall if your network
already has a firewall or proxy server.
If your network has only one
shared Internet connection, it is a good idea to try to protect the network by
turning on Internet Connection Firewall. Individual client computers may also
have adapters, such as a dial-up or DSL modem, that provide individual
connections to the Internet and are vulnerable without firewall protection.
Internet Connection Firewall can check only the communications that cross the
Internet connection where you have turned it on. Because Internet Connection
Firewall works on a per-connection basis, you must enable it on all computers
that have connections to the Internet to help protect your whole network. If
you turned on Internet Connection Firewall on the Internet Connection Sharing
host computer's Internet connection, but a client computer with a direct
Internet connection is not using Internet Connection Firewall for protection,
your network is vulnerable through that unprotected connection.
Service definitions that permit services to operate across Internet Connection
Firewall also work on a per-connection basis. If your network has multiple
firewall connections, you must configure service definitions for each Internet
Connection Firewall connection through which you want the service to work.
Internet Connection Firewall and notification messages
Because Internet Connection Firewall examines all incoming
communications, some programs, especially e-mail programs, may behave
differently if you turn on Internet Connection Firewall. Some e-mail programs
periodically poll their e-mail server for new mail. Some e-mail programs wait
for notification from the e-mail server.
Microsoft Outlook Express,
for example, automatically checks for new e-mail messages when a timer tells it
to do so. If new e-mail messages are present, Outlook Express prompts you with
a new e-mail message notification. Internet Connection Firewall does not affect
the behavior of Outlook Express because the request for new e-mail message
notification originates from inside the firewall. Internet Connection Firewall
makes an entry in a table that notes the outbound communication. When a new
e-mail response is acknowledged by the mail server, Internet Connection
Firewall finds an associated entry in the table and permits the communication
to pass. You then receive notification that a new e-mail message has arrived.
When Microsoft Outlook 2000 is connected to a Microsoft Exchange-based
server, the server uses a remote procedure call (RPC) to send new e-mail message
notifications to clients. Outlook 2000 does not automatically look for new
e-mail messages when it is connected to an Exchange-based server. The
Exchange-based server notifies Outlook 2000 when new e-mail messages arrive.
Because the RPC notification is initiated from an Exchange-based server that is
outside the firewall (not by Outlook 2000), Internet Connection Firewall cannot
find a corresponding entry in the table. Internet Connection Firewall does not
permit the RPC messages to cross from the Internet to the home network. The RPC
notification message is dropped. You can send and receive e-mail messages, but
you must manually look for new e-mail.
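The stateful table described under "How Internet Connection Firewall works", the service-definition forwarding for a hosted Web server, the two e-mail cases above (Outlook Express polling its server versus an Exchange server's unsolicited RPC notification), and the ICMP "Allow incoming echo request" option described under the advanced settings can all be walked through with a small model. The Python below is an added example written for this article; it is not Microsoft's code and does not reproduce ICF's internal table layout. It assumes a table keyed by protocol, addresses and ports, ignores the address translation that Internet Connection Sharing performs, and uses constructed addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ICMP_ECHO_REQUEST = 8   # ICMP type of a ping request


@dataclass(frozen=True)
class Packet:
    proto: str                      # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: int = 0               # 0 for ICMP, which has no ports
    dst_port: int = 0
    icmp_type: Optional[int] = None

    def key(self) -> tuple:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reply_key(self) -> tuple:
        """Key that the reply to this packet will carry (addresses and ports swapped)."""
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class StatefulFirewall:
    """Toy model of ICF's stateful table (assumed layout, not Microsoft's code).

    The NAT done by Internet Connection Sharing is ignored: private hosts are
    addressed directly, so a flow's reply is expected at the private host's address.
    """
    public_ip: str
    private_hosts: Set[str] = field(default_factory=set)
    # Service definitions: (proto, public port) -> private host that should receive
    # unsolicited traffic for that service (the article's hosted HTTP server case).
    services: Dict[Tuple[str, int], str] = field(default_factory=dict)
    allow_echo_request: bool = False        # the ICMP "Allow incoming echo request" option
    table: Set[tuple] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> str:
        """Traffic leaving the host or the private network: record it so the reply is let back in."""
        if pkt.src_ip != self.public_ip and pkt.src_ip not in self.private_hosts:
            raise ValueError(f"{pkt.src_ip} is not on the private side")
        self.table.add(pkt.reply_key())
        self.log.append(f"OPEN {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return "FORWARD"

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Traffic arriving from the Internet; returns (verdict, address it is delivered to)."""
        if pkt.key() in self.table:
            # Reply to a conversation that began inside the firewall (e.g. a POP3 poll).
            return ("ALLOW", pkt.dst_ip)
        if pkt.proto == "ICMP" and pkt.icmp_type == ICMP_ECHO_REQUEST and self.allow_echo_request:
            return ("ALLOW", pkt.dst_ip)
        target = self.services.get((pkt.proto, pkt.dst_port))
        if target is not None and pkt.dst_ip == self.public_ip:
            # A service definition forwards unsolicited traffic for that port to the private server.
            return ("FORWARD", target)
        # Anything else is unsolicited (a port-scan probe, an Exchange RPC notification, a ping):
        # dropped without any response to the sender, and noted in the security log.
        self.log.append(f"DROP {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return ("DROP", None)


def demo() -> List[str]:
    """Walk through the article's scenarios and return the resulting security log."""
    fw = StatefulFirewall(public_ip="198.51.100.7",                # constructed addresses
                          private_hosts={"192.168.0.2", "192.168.0.3"},
                          services={("TCP", 80): "192.168.0.3"})   # hosted Web server
    # Outlook Express polling its POP3 server: outbound first, so the reply matches the table.
    fw.outbound(Packet("TCP", "192.168.0.2", "203.0.113.10", 1050, 110))
    fw.inbound(Packet("TCP", "203.0.113.10", "192.168.0.2", 110, 1050))
    # Exchange RPC new-mail notification: initiated by the server, no table entry, dropped.
    fw.inbound(Packet("TCP", "203.0.113.20", "198.51.100.7", 135, 1234))
    # Unsolicited HTTP request: forwarded to the private Web server by the service definition.
    fw.inbound(Packet("TCP", "203.0.113.99", "198.51.100.7", 40000, 80))
    # Ping with the echo-request option off (the default): dropped and logged.
    fw.inbound(Packet("ICMP", "203.0.113.99", "198.51.100.7", icmp_type=ICMP_ECHO_REQUEST))
    return fw.log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the module prints the model's security log: one OPEN entry for the poll and two DROP entries, one for the RPC notification and one for the ping. The point the model makes explicit is that the verdict depends only on direction and prior state, not on the content of the message: the Exchange notification is dropped for exactly the same reason a port-scan probe is.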
Advanced Internet Connection Firewall settings
You can use the Internet Connection Firewall security logging
feature to create a security log of firewall activity. Internet Connection
Firewall can log both traffic that is permitted and traffic that is rejected.
For example, by default, incoming echo requests from the Internet are not
permitted by Internet Connection Firewall. If the Internet Control Message
Protocol (ICMP) "Allow incoming echo request" setting is not turned on, the
inbound request does not succeed, and a log entry that notes the unsuccessful
inbound attempt is generated.
You can modify the behavior of Internet Connection Firewall by turning on
various ICMP options, such as "Allow incoming echo request", "Allow incoming",
and "Allow incoming router request". Brief descriptions of these options appear on
You can set the permitted size of the
security log to prevent an overflow that might be caused by denial-of-service
attacks. Event logging is generated in the Extended Log File Format as
established by the World Wide Web Consortium (W3C).
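The security log this section describes is in W3C Extended Log File Format: lines beginning with "#" are directives, one of which ("#Fields:") names the columns, and each record that follows is a space-separated row in which "-" marks an empty field. The Python below is an added example, not Microsoft's code. Its sample log is constructed, and the field list it uses follows the layout of ICF's pfirewall.log as I recall it, which should be treated as an assumption; the parser itself reads whatever "#Fields:" declares, so it does not depend on that layout. It summarises dropped traffic per source, flags sources whose dropped packets touched several destination ports (the port-scan pattern the article mentions), and counts the dropped echo requests that the default ICMP setting produces.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample log in W3C Extended Log File Format. The directive and field
# names follow ICF's pfirewall.log layout as I recall it (an assumption); the
# parser relies only on the '#Fields:' directive, so any field order works.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-05-12 20:01:11 OPEN TCP 192.168.0.2 203.0.113.10 1050 110 - - - - - - - -
2003-05-12 20:01:12 DROP TCP 203.0.113.99 198.51.100.7 40001 21 48 S 1234567 0 65535 - - -
2003-05-12 20:01:12 DROP TCP 203.0.113.99 198.51.100.7 40002 22 48 S 1234568 0 65535 - - -
2003-05-12 20:01:13 DROP TCP 203.0.113.99 198.51.100.7 40003 23 48 S 1234569 0 65535 - - -
2003-05-12 20:01:20 DROP ICMP 203.0.113.50 198.51.100.7 - - 60 - - - - 8 0 -
2003-05-12 20:01:30 CLOSE TCP 192.168.0.2 203.0.113.10 1050 110 - - - - - - - -
"""

Record = Dict[str, Optional[str]]


def parse_w3c_log(text: str) -> List[Record]:
    """Parse W3C Extended Log File Format text into a list of field->value dicts.

    Lines starting with '#' are directives; '#Fields:' declares the column names
    for the records that follow it. A '-' value means the field is empty (None).
    """
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # A truncated or malformed record: refuse it rather than misalign columns.
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({name: (None if v == "-" else v) for name, v in zip(fields, values)})
    return records


def drops_by_source(records: List[Record]) -> Dict[str, int]:
    """Number of DROP entries per source address."""
    return dict(Counter(r["src-ip"] for r in records if r["action"] == "DROP"))


def port_scan_suspects(records: List[Record], min_ports: int = 3) -> List[str]:
    """Sources whose dropped packets touched at least min_ports distinct destination ports."""
    ports: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["dst-port"] is not None:
            ports[r["src-ip"]].add(r["dst-port"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


def dropped_echo_requests(records: List[Record]) -> int:
    """Dropped ICMP echo requests (type 8), which the default echo-request setting produces."""
    return sum(1 for r in records
               if r["action"] == "DROP" and r["protocol"] == "ICMP" and r["icmptype"] == "8")


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    print(f"{len(recs)} records")
    print("drops by source:", drops_by_source(recs))
    print("port-scan suspects:", port_scan_suspects(recs))
    print("dropped echo requests:", dropped_echo_requests(recs))
```

Because the parser trusts the "#Fields:" directive, it keeps working if a different build writes the columns in another order. The strict field-count check matters for a log with a size limit, as the article recommends: when the file wraps or is truncated, the partial record at the boundary is reported rather than silently shifted into the wrong columns.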
For more information about how to turn Internet Connection Firewall on or off, see the following Microsoft Knowledge Base article: How to enable or disable Internet Connection Firewall in Windows XP
For more information about how Internet Connection Firewall can prevent access to file and printer shares, see the following Microsoft Knowledge Base article: Internet firewalls can prevent browsing and file sharing
For more information, see the following Microsoft Knowledge Base article: Internet Connection Firewall and Basic Firewall do not block Internet Protocol version 6 traffic