Your Personal Firewall Can Either Help or Hinder You

One of the key elements in a layered defense strategy is a personal firewall on each computer. You need to protect each computer on your LAN from hostile Internet traffic, and sometimes, from hostile traffic coming from other computers on your LAN.

Unfortunately, if you don't set up your personal firewall properly, you can have problems.

A misconfigured or misbehaving personal firewall on one or more computers on your LAN can block access to a server you need to reach, whether local (on your LAN) or remote (on the Internet). If your problems remain even after you configure your personal firewall, you will need to try deactivating it, or uninstalling it.

Deactivating a firewall isn't always an effective solution. Many personal firewalls do not react well to being deactivated - you have to either configure them properly, or uninstall them. Uninstallation, depending upon the brand, may require intensive work, and may involve more than running a simple script from Control Panel or All Programs - (Name Of Firewall Product).

Once you deactivate or uninstall the firewall, you are unprotected. If you must deactivate or uninstall your firewall, only do this temporarily. If you're connected directly to the Internet (which is simply not a recommended setup, even with a personal firewall on the computer), disconnect from the Internet BEFORE doing this. After you get things working, reinstall, reactivate, and configure a firewall on each computer, before reconnecting.

Configuring a personal firewall, to enable access to the desired services, may involve changing one or more settings. Please spend some time reading the documentation for the firewall in question. After reading the documentation, check the appropriate settings. For Windows Firewall, see Windows Firewall and Windows Networking.

  • Select the appropriate Protection ("paranoia") level.

  • Make sure that exceptions are permitted.

  • Select a preset exception or rule.

  • Configure the Trusted Zone. Be sure that the router, the DHCP and DNS servers (if separate), and the other computers on the LAN, are all Trusted. Get this wrong, and you could have various symptoms.
    • Not all computers might be visible in Network Neighbourhood.
    • Other computers might be visible, but in the "Internet Zone".
    • Other computers might be visible, but attempting to access some will result in the much feared "Access Denied".
    • Attempting to access any computer, local or Internet, may return the equally disliked "Name not found" or similar error.

  • Open the appropriate ports.

Please don't make the mistake of running two or more personal firewalls. Running more than one firewall will not add protection; it will just cause confusion and system malfunctions. If you're going to run a third party firewall, you must choose one and only one. Make sure that you're aware of all software products on your computer that could act as a personal firewall.

  • Do you have an antivirus product (and if not, get one immediately!)? Some antivirus products come bundled with personal firewalls. F-Secure Internet Security, McAfee Internet Security Suite, and Norton Internet Security, for example, each contain both antivirus and personal firewalls (F-Secure Personal Firewall, McAfee Personal Firewall and Norton Personal Firewall, respectively). A newly installed Windows Live OneCare (see Microsoft KB923157) may be an issue here.

  • Even if your antivirus is NOT part of a bundle, it may have a component that acts like a firewall. Some antitrojan, antivirus, and antiworm products can install components that cause these problems. As every security package struggles to keep up with the bad guys, and with competing products, features are constantly being added. Examine any antitrojan / antivirus / antiworm product with suspicion, when researching any otherwise unexplained network problem.
    • Read the manual / owner's guide for your security product.
    • Google / Yahoo for your security product name / version. See if there are any reported similar problems.

  • Recent changes to Internet Explorer (likely the September 2007 security updates) have caused changes in the My Network Places (Network in Windows Vista) display, and possibly access problems.

  • The Microsoft AntiVirus / Personal Firewall bundle, Windows OneCare, doesn't operate as seamlessly as Windows Firewall, under Windows Vista. You may have to check the NetBT setting, or open some ports manually, to get Windows Networking to work with OneCare under Vista.

  • Server Message Blocks, or SMBs, are the lifeblood of Windows Networking. Make sure that all firewalls are set up to pass SMBs properly - whether you're using SMBs directly hosted on IP, or SMBs hosted on NetBIOS Over TCP.

  • Do you have a VPN endpoint on the computer? Many VPN endpoints are bundled with personal firewalls.

  • What network card do you have? Does it have an nVidia chipset? The nVidia nForce is probably the first, but surely not the last, device of this type.

  • Is a NAT router in the center of your LAN?
    • Most NAT routers use only a switch, connecting the LAN ports. But look carefully for a "DMZ", "Isolation Mode", "Virtual Server", or "VLAN" setting - either on a single port, or affecting the entire LAN. These options are becoming more popular on NAT routers which emphasise sharing Internet access, and make peer-to-peer connectivity optional.
    • Did you just change to a different NAT router? If the router changed recently, check the subnet that it creates. If the subnet has changed, all computers on the subnet, with firewalls or other security components that assign trust by IP address, may have to be updated to reflect the new subnet.

Don't get surprised, and waste a lot of time looking for a solution that may be right under your nose - check for a bundled firewall first.

If you're going to run a third party firewall, you must disable Windows Firewall, but only from the appropriate Control Panel applet - do not make the mistake of stopping the Windows Firewall service. Stopping the Windows Firewall service breaks several other network services.

Turn Windows Firewall off from either the Security Center or the Windows Firewall applet: Settings - Control Panel, then either:
  • Security Center, and select Firewall Off.
  • Windows Firewall, and select Off.

Please leave the Windows Firewall / Internet Connection Sharing (ICS) service Started and Automatic, at all times. See Microsoft Threats and Countermeasures Guide: Chapter 7 for more information. Also, see (KB889320): When you disable the Windows Firewall service... for a problem acknowledged by Microsoft with a Hotfix.
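The checks above (one firewall only, the service left Started and Automatic, SMB allowed from the trusted subnet, and logging of dropped packets so a blocked share connection is visible) can be scripted. This is an added example, not part of the original post; it assumes Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist, rather than the XP/Vista-era applets described above, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Assumes Windows 8 / Server 2012 or
# later with the NetSecurity module; run from an elevated PowerShell prompt.

# 1. Is more than one firewall product registered? Running two is the mistake
#    the post warns about. (root\SecurityCenter2 exists on client editions only.)
$products = Get-CimInstance -Namespace 'root\SecurityCenter2' `
    -ClassName FirewallProduct -ErrorAction SilentlyContinue
if ($products.Count -gt 1) {
    Write-Warning "More than one firewall product is registered:"
    $products | Select-Object displayName, productState | Format-Table -AutoSize
}

# 2. The Windows Firewall service (MpsSvc) must stay Running and Automatic,
#    even when the firewall itself is turned off at the profile level.
$svc = Get-Service MpsSvc
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    Write-Warning "MpsSvc is $($svc.Status)/$($svc.StartType); restoring Running/Automatic."
    Set-Service MpsSvc -StartupType Automatic
    Start-Service MpsSvc
}

# 3. The supported way to turn Windows Firewall off per profile (the equivalent
#    of the applet's 'Off' setting). Only uncomment this when a single
#    third-party firewall is installed and active.
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# 4. 'File and Printer Sharing' covers SMB directly over TCP 445 and SMB over
#    NetBT (137-139). Enable it, scope it to the local subnet (the post's
#    Trusted Zone), then list the ports the enabled rules actually open.
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -RemoteAddress LocalSubnet
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort |
    Sort-Object Protocol, LocalPort -Unique

# 5. Log dropped packets, so a silently blocked SMB connection shows up in the
#    firewall log instead of only as "Access Denied" on the client.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

If the subnet changed after swapping NAT routers, re-running step 4 re-evaluates LocalSubnet automatically, which is the PowerShell counterpart of updating IP-based trust settings in a third party firewall.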

On the other hand, if you decide to uninstall your newly discovered third party firewall, please read and observe the precautions above.



Lantrix said...

Thanks for this. 15 years in IT, worked on WinNT, 2K, XP, W2K3 server and extensive understanding of WINS over TCP and multiple subnets in geographically dispersed locations; and of course I was looking at the problem with file sharing over subnets with SMB.

It was the silly XP firewall on the destination XP workstation. Once I read this and turned logging on, there it was in the logs. Dropped TCP packets from the workstation trying to connect to the share.

Plus: I've gone UNIX (Solaris) and Mac now so I'm starting to forget this stuff.

Sometimes too much knowledge stops you seeing the simplest of problems.