
how to view the xp inbuilt firewall log file ?

trooper1:
Can anyone tell me the name of the file which contains the logs of the XP built-in firewall? I.e. which pings from which site were blocked at what time?
-- WindowsXP-Pro Proxomitron 4.3 PIII 128MB SDRAM 56K Dialup
Time Out$ (Premium, join: 2002-04-28, North Myrtle Beach, SC):
WinXP ICF (Internet Connection Firewall)
Use Notepad to view them.
___________________________________________________________
WinXP Internet Connection Firewall
Windows XP's new Internet Connection Firewall feature lets you protect your machine from malicious users on the Internet.
I like to think of myself as being security conscious when it comes to keeping my small network safe from prying eyes and mischievous worms. I use a combination of both hardware and software-based firewalling on my network with excellent results. To this day I have been fortunate enough to escape the damaging effects of the recent Trojans and viruses that have gained notoriety in the press. With the release of Windows XP, Microsoft has taken a positive step towards keeping computers safe and secure while connected to the Internet. Internet Connection Firewall, a new service that is part of Windows Networking is something you may not have heard too much about, but is definitely worth taking a look at.
Internet Connection Firewall is Microsoft's answer to securing single computers and small networks from the threats inherent today with usage of the Internet. ICF is directly related to Internet Connection Sharing, but the two may be used independently of each other (when used with ICS on the ICS host it can protect your entire network). What exactly is a firewall though? What does it do? It's a simple concept that involves a very complex process. Any device, be it hardware or software-based, that acts to form a protective boundary between you (your private network) and the outside world (the Internet) is a firewall. ICF is a strictly software-based firewall that acts to restrict what information is communicated outward from your network and also to and from the Internet to your network.
ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path, and inspects the source and destination address of each message that it handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer. In the case of a single computer, ICF tracks traffic originated from the computer. When used in conjunction with ICS, ICF tracks all traffic originated from the ICF/ICS computer as well as from private network computers. All inbound traffic from the Internet is compared against the entries in the table. Inbound Internet traffic is only allowed to reach the computers in your network when there is a matching entry in the table that shows that the communication exchange began from within your computer or private network.
Communications that originate from a source outside the ICF computer, such as the Internet, are dropped by the firewall unless an entry in the SERVICES tab is made to allow passage. Rather than sending you notifications about activity, ICF silently discards unsolicited communications, stopping common hacking attempts such as port scanning. Such notifications could be sent frequently enough to become a distraction. Instead, ICF can create a security log to view the activity that is tracked by the firewall(1).
Before we can start delving deeper into ICF, there are three important items that need to be discussed.
1) To configure ICF, you must be logged locally as an administrator (or with administrative access). Neither Power Users nor the new security group Network Configuration Operators have the required privileges to modify ICF settings.
2) You should not enable ICF on the network adapter of a machine that does not connect directly to the Internet, as it will interfere with communications between that client and other clients on your network. (I found this out the hard way). It is for this reason that the Network Setup Wizard will not allow ICF to be configured on the private connection (the NIC that connects to the internal network) of an ICS configured machine.
3) Certain programs (Outlook 2000 for example) that rely on RPC messages from a server to the client (for new e-mail notification, in this case) will not function correctly from behind ICF. This is because the RPC message originates unsolicited from outside the private network (at the ISP's Microsoft Exchange Server in this case), so ICF will not be able to find a corresponding entry in its routing table and thus the RPC messages will not be allowed to cross the firewall boundary. The message will be dropped and the user will not be notified of new e-mail. You can send and receive e-mail normally, but you would have to manually check for new e-mail.
Once you have logged onto your machine with administrative privileges, you can begin the very simple process of configuring ICF. To get there, you just let your mouse do the walking as follows:
START->SETTINGS->NETWORK CONNECTIONS->LOCAL AREA CONNECTION (as applicable, as you can rename it)-> PROPERTIES->ADVANCED. This will bring you to the screen shown in Figure 1.
At this point, you have two options. You can either place a check in the check box next to "Protect my computer..." or you can start the Network Setup Wizard. The Network Setup Wizard will not be discussed any further as it is beyond the scope of this article. With that being said, let's get down to business and see what ICF is all about.
To start the process of configuring ICF, place a check in the check box next to "Protect my computer...". After this is accomplished, click on SETTINGS. This opens a new window with three tabs: SERVICES, SECURITY LOGGING and ICMP. Let's talk a bit about each of the three tabs and what you can do with them.
If your internal network is running any kind of Internet accessible services, then the SERVICES tab should definitely get your attention. The default settings allow for none of the available services to be enabled; however you can easily modify this as your situation dictates. If a particular service that you need to support is not listed, you can simply add it...provided you can supply the required information: private IP address of service, external port number to listen on and internal port number to forward to.
The same criteria also apply if you are going to manually edit any services. Accurately providing the required information will enable ICF to route your incoming packets, preventing them from being dropped upon arrival at the firewall.
For example, let's say that I have an FTP server and Web server running on a machine named HUGO on my network that has a private IP address of 192.168.0.150. A check mark would need to be placed next to "FTP server" and next to "Web Server (HTTP)" to enable ICF to listen for and forward requests for these services to the appropriate machine. Additionally, I would need to provide the appropriate information for each service to include the private IP address, the applicable port numbers to listen on (21 for FTP and 80 for HTTP) and the port numbers to forward the information to on HUGO (typically the same as the incoming port numbers). (See Figure 2)
The SECURITY LOGGING tab deals primarily with what to log, how much to log and where to keep the log. The default settings enable a log located either at C:\WINNT\pfirewall.log (if upgrading from a Windows 2000 Professional or Windows NT 4.0 installation) or C:\WINDOWS\pfirewall.log (if upgrading from Windows 9x/Me or performing a clean installation). The default log size is 4096KB and can be changed to fit the needs of your situation. By default, logging is not in effect. You can choose two items to log as shown in Figure 3.
"Log dropped packets" will often fill your logs up very quickly, but it is a good way to see exactly what traffic is trying to get into your system and being stopped by ICF. If you've attempted to set up services for ICF to route from the SERVICES tab and provided incorrect information, it will show up in your log file if you have this option selected.
"Log successful connections" is less important, but you may still find a need for it. Most of your information concerning the status of traffic coming into your network will be gleaned from looking at your logs for dropped packets.
If you want to change the logging location, this can be accomplished by clicking on BROWSE and navigating to the location where your log file exists or to the location where you would like your log files to be created. To enter a different name for the log file, simply provide this information in the "File name:" text box and click OPEN. After you have finished this, you will be brought back to the ADVANCED SETTINGS window with the log file location updated.
The last tab is ICMP settings. By default, none of the options are checked. This results in the most secure configuration possible. It may be useful to enable the first option, "Allow incoming echo request" as this will enable the use of the PING command against the interface that ICF is configured on. Other than changing that setting, the default settings should be fine for most people. You can enable the different types of ICMP messages as you require for your network. (See Figure 4)
Now that we've covered the basics of configuring ICF for your machine or network, let's look at how well it performs. At this time, it should be said that no combination of hardware and/or software firewalling solutions are totally impervious to the attacks of someone who wants to get through. With time, all things are possible.
The testing method that I chose to evaluate the effectiveness of ICF on my test machine was to use the "Probe My Ports" tool, which is located on the Gibson Research Company website (»www.grc.com). This test works by attempting to access your computer through various ports and then reporting back the results, indicating how successful the port probe was. I accomplished this test on two different machines, a Windows 2000 Professional client running Signal 9 Conseal PC Firewall (www.signal9.com) and a Windows XP Professional machine with ICF enabled, allowing only incoming echo requests. All other settings on the ICF configuration were left at their default settings.
It is important to note that a rule was enabled in the Conseal PC configuration that allows the computer to acknowledge IDENT requests but provide no answer to them. This is a default setting of Conseal PC Firewall and was not changed for this test. Take a look at Figure 5:
The results above are from the Windows XP Professional machine. As you can see, it is locked down fairly tight, passing all of GRC's tests with "Stealth" results. This is very good, since you can't easily infect or damage what you can't see.
Now, take a look at the Win2K machine results in Figure 6...
The Windows 2000 Professional machine passed all tests with "Stealth" results as well, except for the IDENT test as previously discussed. In this case, the computer acknowledges the existence of this port, but refuses any traffic through the port. Not too bad...it's helped keep me safe for several years now.
Obviously, this is not a scientific test. It does, however, give a good estimate of the capabilities of the Internet Connection Firewall that is built into Windows Networking. ICF should provide a good solution for small networks (whether or not they are using ICS) that are connected to the Internet via a broadband "always-on" connection. When you think about the fact that most systems have been running with no protection of any kind for many years now, this is a colossal step forward for computer security. It is by no means the end-all solution, nor is it a valid enterprise solution. However, when it is used as intended, it produces good results.
This Week's Win2K Guest Columnist
Will Schmied MCP
»itresources.brainbuzz.com/TechLi···atID=340

Time Out$ (Premium, join: 2002-04-28, North Myrtle Beach, SC):
Here is the rest of the stuff to drive you crazy.
___________________________________________________________
How to Manually Open Ports in Internet Connection Firewall in Windows XP (Q308127)

SUMMARY
This article contains the steps to manually open ports in Internet Connection Firewall (ICF) in Windows XP.

MORE INFORMATION
Programs may potentially require ports to be manually opened so that they function properly when ICF is in use either on the local computer or on the gateway computer. You may have to use this procedure if there is a service that is running on a computer that has ICF enabled that you want to make available to users on the Internet.
»support.microsoft.com/default.as···;Q308127

Programs Require Manual Port Configurations with Internet Connection Firewall (Q307554)
This article lists some programs that require you to manually open ports so that the programs can work correctly. To work correctly, some programs need to have specific ports open so that traffic can pass through the Internet Connection Firewall.
»support.microsoft.com/default.as···;Q307554

tup (Premium, join: 2001-01-15, Port Elgin, ON), reply to trooper1:
Re: how to view the xp inbuilt firewall log file ?
Do a search for pfirewall.log. Mine is located in C:\Documents and Settings\Username\desktop. Once you locate it, create a shortcut to your desktop and then you can access it easily when needed.
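Since the original question was which pings from which site were blocked at what time, here is an added example for reading pfirewall.log and answering exactly that. It is my own illustration, not code from any poster in this thread or from Microsoft. It assumes the file is the space-separated, W3C-style log XP's ICF writes, with a "#Fields:" header naming the columns and "-" for fields that do not apply; the header text, the entries, the timestamps and the addresses (taken from the RFC 5737 documentation ranges) in SAMPLE_LOG are constructed, and the function names are mine.

```python
from collections import Counter

# Constructed sample in the layout XP's ICF writes to pfirewall.log
# (W3C-style "#Fields:" header, space-separated columns, "-" for n/a).
# The header wording is assumed; addresses are RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2002-06-16 01:58:12 DROP ICMP 203.0.113.8 192.168.0.10 - - 60 - - - - 8 0 -
2002-06-16 01:58:40 DROP TCP 198.51.100.23 192.168.0.10 3567 135 48 S 1288345 0 16384 - - -
2002-06-16 01:59:02 OPEN TCP 192.168.0.10 192.0.2.80 1044 80 - - - - - - - -
2002-06-16 01:59:15 DROP UDP 198.51.100.23 192.168.0.10 1030 137 78 - - - - - - -
2002-06-16 02:00:01 DROP ICMP 203.0.113.8 192.168.0.10 - - 60 - - - - 8 0 -
"""


def parse_pfirewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields header matters; it tells us the column order.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appeared before the #Fields header")
        cols = line.split()
        if len(cols) != len(fields):
            # A half-written last line (the firewall is still appending) is skipped.
            continue
        records.append(dict(zip(fields, cols)))
    return records


def blocked_pings(records):
    """ICMP echo requests (type 8) that ICF dropped, as (date, time, source IP)."""
    return [(r["date"], r["time"], r["src-ip"])
            for r in records
            if r["action"] == "DROP" and r["protocol"] == "ICMP" and r["icmptype"] == "8"]


def drops_by_source(records):
    """Count dropped packets per (source IP, protocol, destination port)."""
    return Counter((r["src-ip"], r["protocol"], r["dst-port"])
                   for r in records if r["action"] == "DROP")


def load_pfirewall_log(path):
    """Read a real log, e.g. C:\\WINDOWS\\pfirewall.log, with the same parser."""
    with open(path, encoding="ascii", errors="replace") as f:
        return parse_pfirewall_log(f.read())


if __name__ == "__main__":
    recs = parse_pfirewall_log(SAMPLE_LOG)
    for date, time, src in blocked_pings(recs):
        print(f"{date} {time}  ping from {src} blocked")
    for (src, proto, port), n in drops_by_source(recs).most_common():
        print(f"{src:>15} {proto:<4} dst-port {port:<5} dropped {n}")
```

Reading the column names from the #Fields line rather than hard-coding positions keeps the parser working if a later firewall build adds or reorders columns; "Log dropped packets" has to be ticked on the SECURITY LOGGING tab or the DROP lines will never appear.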
trooper1, reply to Time Out$:
Re: WinXP ICF (Internet Connection Firewall)
How do you manage to write such huge posts & find so much info? I think it will take me a few hours to digest all that info. It will probably give me indigestion. lol.
Thank you for that HUGE help.
-- WindowsXP-Pro Proxomitron 4.3 PIII 128MB SDRAM 56K Dialup
[text was edited by author 2002-06-16 02:00:06]

Time Out$ (Premium, join: 2002-04-28, North Myrtle Beach, SC):
I steal them, for even though you only wanted to know this part of what is there...
____________________________________________________________
The SECURITY LOGGING tab deals primarily with what to log, how much to log and where to keep the log. The default settings enable a log located either at C:\WINNT\pfirewall.log (if upgrading from a Windows 2000 Professional or Windows NT 4.0 installation) or C:\WINDOWS\pfirewall.log (if upgrading from Windows 9x/Me or performing a clean installation). The default log size is 4096KB and can be changed to fit the needs of your situation. By default, logging is not in effect. You can choose two items to log as shown in Figure 3.
____________________________________________________________
If you have not set up the ICF after you have installed it...It will still work..but not as it has been designed.
Most people do not know that..or the things they can do with it to protect their system..so it just sets there..with people coming in here and asking...is it enough..can I run it with another firewall like ZA or Kerio.
..and most do not even know what they have in the first place...I guess that is why I post that stuff..and since you do not seem to need it....maybe the next guy/gal will.
Did you set yours up?

trooper1:
said by Time Out:
    I steal them
    _________
    Most people do not know that..or the things they can do with it to protect their system..so it just sets there..with people coming in here and asking...is it enough..can I run it with another firewall like ZA or Kerio.
    ..and most do not even know what they have in the first place...I guess that is why i post that stuff..and since you do not seem to need it....maybe the next guy/gal will.
    Did you set yours up
lol
I am not complaining.. just was curious how you manage to find such accurate/huge info.
Yeah, I have set up my ICF.
Also, aren't you supposed to be sleeping at this moment? It must be WELL past midnight in the US! ;)
-- WindowsXP-Pro Proxomitron 4.3 PIII 128MB SDRAM 56K Dialup

Time Out$ (Premium, join: 2002-04-28, North Myrtle Beach, SC):
You think I am awake// This is all AI.
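The guest column quoted earlier in this thread describes ICF's table of connections that began on the private side, the SERVICES tab's mapping of an external port to a private address (the HUGO example), the Outlook case where an unsolicited message from outside finds no table entry and is dropped, and the ICMP tab's "Allow incoming echo request" box. The following is an added toy model, written for this thread and not Microsoft's code, that plays those rules out on constructed packets so each of the article's allow, forward and drop decisions can be checked. It ignores address translation on an ICS host; the IcfModel and Packet names, the addresses (RFC 5737 documentation ranges plus the article's 192.168.0.150) and the port numbers are my own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; icmp_type only matters when proto == "ICMP" (hypothetical type)."""
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1


class IcfModel:
    """Toy model of ICF's decision rules (illustration only, not the real implementation).

    table:              connections that began on the private side, the article's "table"
    services:           SERVICES tab entries, (proto, external port) -> (private IP, internal port)
    allow_echo_request: the ICMP tab's "Allow incoming echo request" check box
    """

    def __init__(self, services=None, allow_echo_request=False):
        self.services = dict(services or {})
        self.allow_echo_request = allow_echo_request
        self.table = set()
        self.log = []   # (action, packet, reason), in decision order, like pfirewall.log

    def _record(self, action, pkt, reason=""):
        self.log.append((action, pkt, reason))
        return action

    def outbound(self, pkt):
        """A packet leaving the ICF computer or private network: remember it so replies get back."""
        if pkt.proto in ("TCP", "UDP"):
            self.table.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return self._record("ALLOW", pkt, "outbound, table entry added")

    def inbound(self, pkt):
        """A packet arriving from the Internet: ALLOW, FORWARD:<ip>:<port> or DROP."""
        if pkt.proto == "ICMP":
            if pkt.icmp_type == 8 and self.allow_echo_request:
                return self._record("ALLOW", pkt, "echo request permitted by ICMP tab")
            return self._record("DROP", pkt, "ICMP type not enabled")
        # A reply to something we started: the key mirrors what outbound() stored.
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.table:
            return self._record("ALLOW", pkt, "matches table entry")
        # No entry, so only an explicit SERVICES tab mapping lets it through.
        target = self.services.get((pkt.proto, pkt.dst_port))
        if target:
            ip, port = target
            return self._record(f"FORWARD:{ip}:{port}", pkt, "SERVICES tab entry")
        return self._record("DROP", pkt, "unsolicited, silently discarded")


def demo():
    """Replay the situations the article describes; returns {case: decision}."""
    # HUGO (192.168.0.150) runs FTP and HTTP, as in the article; ping is allowed.
    icf = IcfModel(services={("TCP", 21): ("192.168.0.150", 21),
                             ("TCP", 80): ("192.168.0.150", 80)},
                   allow_echo_request=True)
    results = {}
    # 1. A private PC browses a web site; the reply matches the table and is allowed.
    icf.outbound(Packet("TCP", "192.168.0.10", "192.0.2.80", 1044, 80))
    results["web_reply"] = icf.inbound(Packet("TCP", "192.0.2.80", "192.168.0.10", 80, 1044))
    # 2. An unsolicited connection attempt to port 135 (the port-scan case) is dropped.
    results["scan_135"] = icf.inbound(Packet("TCP", "198.51.100.23", "192.168.0.10", 3567, 135))
    # 3. A request for the web server on the SERVICES tab is forwarded to HUGO.
    results["http_to_hugo"] = icf.inbound(Packet("TCP", "198.51.100.23", "203.0.113.5", 4000, 80))
    # 4. An unsolicited notification from a mail server (the Outlook case) finds no entry.
    results["mail_notify"] = icf.inbound(Packet("UDP", "198.51.100.40", "192.168.0.10", 135, 1100))
    # 5. An echo request arrives with "Allow incoming echo request" ticked.
    results["ping"] = icf.inbound(Packet("ICMP", "203.0.113.8", "203.0.113.5", icmp_type=8))
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:<14} {decision}")
```

Case 4 is why the article says Outlook's new-mail notification never arrives: the firewall has no record of the client asking for it, and without a SERVICES entry nothing unsolicited is let in. Flip allow_echo_request to False and case 5 becomes DROP, which is the "Stealth" result the GRC probe reported.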