This article describes the Windows Firewall feature in
Microsoft Windows XP Service Pack 2 (SP2). Windows Firewall is the updated
software firewall in Windows XP SP2 that replaces the Internet Connection
Firewall (ICF) feature.
By default, Windows Firewall is turned on for all network
interfaces. This helps improve network protection for new Windows XP
installations and Windows XP upgrades. Windows Firewall also helps improve
protection for new network connections. Windows Firewall lets you add
exceptions for programs and services so that they can receive inbound traffic.
To configure Windows Firewall, use Security Center in Control Panel,
or open the firewall itself from Control Panel. Windows Firewall has three
- On (recommended)
- Off (not recommended)
- Don't allow exceptions
tab provides access to the
following configuration options.
- Don't allow exceptions
Don't allow exceptions
After you select Don't allow exceptions
Firewall blocks all requests to connect to your computer. Blocked requests
include requests to connect from programs or services that are listed on the
tab. Windows Firewall also blocks file and printer
sharing and the discovery of network devices.
You may find it useful
to use Windows Firewall with no exceptions when you connect to a public
network, such as a public network at an airport or hotel. This setting can help
protect your computer because it blocks all attempts to connect to your
computer. When you use Windows Firewall with no exceptions, you can still view
Web pages, send and receive e-mail messages, or use an instant messaging
program. You can manually set the Don't allow exceptions
However, Windows or a program can also configure this automatically if a
security issue is encountered with a service or program that is listening on
You can add program and port exceptions on the
tab. This makes it possible for the program or port
that you list to receive certain types of inbound traffic.
exception, you can set a scope for the exception. For home and small office
networks, we recommend that you set the scope to the local network only where
you can do this. If you set the scope to the local network only, computers on
the same subnet can connect to the program on the computer. However, traffic
that originates from a remote network is dropped.Note
To use exceptions in large networks, you may have to add an
address in your list of exceptions. You can also use the Any
setting if a corporate firewall is in effect. The exception
settings specify the set of computers that this port or program is open for.
The following lists the settings and a description of the mode of access:
Collapse this tableExpand this table
|Any computer (including those on the
Internet)||The program can communicate with anyone that
initiates a connection|
|My network (subnet) only||Local
Subnet Only -The program can communicate only with those requests generated on
the computers local subnet|
|Custom list||Specify address based on
the mask that is provided.|
If you want to add a network, add it with the
correct subnet mask. For example, 192.168.100.0/255.255.255.0
If you want
to add a single address, use the whole address, and an all 255 subnet mask. For
This indicates to the firewall that
all the address represents the network Therefore, only this single IP address
will be permitted.
By using the Advanced
tab for the Windows
Firewall properties, you can configure the following settings:
- Network Connection Settings - This setting
configures specific rules that apply to each network interface.
- Security Logging - This setting configures
- ICMP - This setting configures rules that
apply to Internet Control Message Protocol (ICMP) traffic and that are used for
error and status information transmission.
- Default settings - This setting can be
used to restore Windows Firewall to a default configuration.
To do a performance test of a connection, you must stop the
firewall service in the management console. To do this, follow these steps:
- Right-click My Computer, and then click
- Expand Services and Applications,
and then click Services.
- In the right pane, right-click Windows
Firewall/Internet Connection Sharing (ICS) service, and then click
- To restart the Windows Firewall/Internet Connection
Sharing (ICS) service, right-click the service, and then click
For additional information about Windows Firewall, click the
following article numbers to view the articles in the Microsoft Knowledge Base:
Some programs seem to stop working after you install Windows XP Service Pack 2
Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
How to use the Security Alert dialog box in Windows XP Service Pack 2 and Windows XP Tablet PC Edition 2005