Opening up multiple ports in the XP built-in firewall

Joma

Hi,

1. I'm trying to use a P2P application that requires the firewall to open up
ports 1024-65535 in the outgoing direction. How may I do this? Add thousands
of entries manually?

2. How do I set up the same as in #1 but for incoming ports?

3. How can I enable UDP replies to come in to the computer? (Perhaps enabled
regardless of firewall setting?)

PS. Perhaps it's not too good to open up that many ports in a firewall (not
too surprising, eh? ;-). What should I be most wary of, opening that many
*incoming* ports or that many *outgoing* ports?

thank you!
 
Doug Kanter

With that many ports open, why not just shut down the firewall? :) What
kind of app needs that sort of access?
 
Chuck

Joma said:
> Hi,
>
> 1. I'm trying to use a P2P application that requires the firewall to open up
> ports 1024-65535 in the outgoing direction. How may I do this? Add thousands
> of entries manually?
>
> 2. How do I set up the same as in #1 but for incoming ports?
>
> 3. How can I enable UDP replies to come in to the computer? (Perhaps enabled
> regardless of firewall setting?)
>
> PS. Perhaps it's not too good to open up that many ports in a firewall (not
> too surprising, eh? ;-). What should I be most wary of, opening that many
> *incoming* ports or that many *outgoing* ports?
>
> thank you!

Joma,

1. ICF doesn't filter outgoing packets.

2. You enable, and configure, ICF on a per connection basis. From
the Properties wizard for the network connection that you are using
for your internet, the Advanced tab, then the Settings button, and
finally the Add button takes you to the wizard where you can add
custom port numbers to the incoming filter.

3. Same port replies are automatically permitted by the firewall, as
examined statefully. If you're talking about port triggering, or UPnP
forwarding, you might want to look at another firewall.

4. Since there's no filtering of outgoing packets, that's not an
issue. For incoming, if your application requires port triggering, or
UPnP forwarding, as I said, you might want to look at other solutions.
Further research in comp.security.firewalls might be a good idea.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
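
The behaviour described in points 1 to 3 above, as a small conceptual model. This is an added example, not part of the thread and not ICF's actual logic; the 60-second state timeout, the strict match on remote address and port, and every address and port number in it are constructed assumptions.

```python
# Conceptual model of a stateful, inbound-only filter (assumed, not ICF's real code).
from dataclasses import dataclass, field

STATE_TTL = 60.0  # assumed idle timeout in seconds; the thread gives no real value

@dataclass
class InboundOnlyFirewall:
    open_ports: set = field(default_factory=set)  # {(proto, local_port)} added by hand
    states: dict = field(default_factory=dict)    # flow tuple -> expiry time

    def outbound(self, proto, lport, rip, rport, now):
        """Outgoing packets are never filtered; they only record state."""
        self.states[(proto, lport, rip, rport)] = now + STATE_TTL
        return "ALLOW"

    def inbound(self, proto, lport, rip, rport, now):
        """Allow replies to tracked flows and hand-opened ports; drop the rest."""
        key = (proto, lport, rip, rport)
        expiry = self.states.get(key)
        if expiry is not None and now <= expiry:
            self.states[key] = now + STATE_TTL    # refresh the entry on traffic
            return "ALLOW (reply)"
        self.states.pop(key, None)                # purge an expired entry
        if (proto, lport) in self.open_ports:
            return "ALLOW (open port)"
        return "DROP"

def demo():
    """Run constructed packets (documentation addresses) through the model."""
    fw = InboundOnlyFirewall()
    peer, stranger = "198.51.100.7", "203.0.113.9"
    results = []
    fw.outbound("udp", 40000, peer, 5000, now=0)
    results.append(fw.inbound("udp", 40000, peer, 5000, now=1))      # reply to our packet
    results.append(fw.inbound("udp", 40000, stranger, 5000, now=2))  # same port, other host
    results.append(fw.inbound("tcp", 6881, stranger, 51000, now=3))  # unsolicited connect
    fw.open_ports.add(("tcp", 6881))                                 # one hand-added entry
    results.append(fw.inbound("tcp", 6881, stranger, 51000, now=4))
    results.append(fw.inbound("udp", 40000, peer, 5000, now=500))    # state has expired
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

In this model a UDP reply needs no inbound rule at all, while a peer that initiates a connection is dropped until that single listening port is opened by hand.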
 
Mangus

Chuck said:
> Joma,
>
> 1. ICF doesn't filter outgoing packets.
>
> 2. You enable, and configure, ICF on a per connection basis. From
> the Properties wizard for the network connection that you are using
> for your internet, the Advanced tab, then the Settings button, and
> finally the Add button takes you to the wizard where you can add
> custom port numbers to the incoming filter.

Hmm, I can't seem to activate any wizard there.. In the "Network
Connections" dialog, I right-click my connection and select "Properties".
Then I select the "Advanced"-tab and click on "Settings". The "Add.."-button
there brings up another dialog but the fields therein aren't made to take
multiple ports or port ranges.
 
Mangus

More and more apps it seems.. check these:

ICQ: (http://www.icq.com/icqtour/firewall/netadmin.html)

Client to client communication:

- Client to client connection is done using the TCP protocol, using port
range 1024-65535. This means that the client needs an open listening port
within the mentioned range, 1024-65535.

Skype:

The Minimum requirement is that Skype needs unrestricted outgoing TCP access
to all destination ports above 1024 or to port 80 (the former is better,
however). If you don't allow either of those, Skype will not work reliably
at all. Voice quality and some other aspects of Skype functionality will be
greatly improved if you also open up outgoing UDP traffic to all ports above
1024, and allow UDP replies to come back in.
 
Chuck

Mangus said:
> Hmm, I can't seem to activate any wizard there.. In the "Network
> Connections" dialog, I right-click my connection and select "Properties".
> Then I select the "Advanced"-tab and click on "Settings". The "Add.."-button
> there brings up another dialog but the fields therein aren't made to take
> multiple ports or port ranges.

I think you're right. ICF lets you add the Well Known and Registered
ports, but it's not intended for customisation WRT Dynamic ports. At
least large ranges of same (which is what you need when dealing with
services that use Dynamic ports).

http://www.iana.org/assignments/port-numbers

Microsoft was never accused of making their products as user friendly
and thoughtful as the third party companies that they try to later
take market share from.

This is where third party software is recommended. Further discussion
in comp.security.firewalls.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Jason

Run a program (ZoneAlarm/NIS) instead of ICF. That way you can specify the
program that is allowed to use those ports.
 