Win XP Firewall?

[WizeOne]

I've got a wired network in my house. I run 3 computers directly through the router and 2 other computers thru the router via a switch. The 'master' computer (the one nearest the modem) is one of the ones running thru the switch and is the one that has the two different printers hooked to it.

All the other computers share these printers. If I turn on the XP Firewall, it blocks access to the printers for the other computers.

Is there anyway around this. I'd like to keep the Firewall turned on.

 

[Tim Frank]

Re: Win XP Firewall?

Don't know if this response is too trivial....but....
I have a similar setup, with 4 computers running off a router/modem.
There is no "master" computer, they all seem to have the same hierarchy.

Have you tried running the "master" directly off the router?

Also, my router has its own firewall and if the XP F/W is turned on, the sh** hits the fan....its almost like the two don't get along....and just fight with each other...

 

[bigred69]

Re: Win XP Firewall?

What is the router you are running?

 

[chicknwing]

Re: Win XP Firewall?

Typically if your network is behind a router access from an intruder is just about impossible. The router does not allow access to the computers from the outside. IMO the windows firewall should be disabled and you should rely on your router. Being that you are also behind a switch is another reason to just cut the firewall off.

My system runs 1 wired connection from router to the vonage unit, everything else is wireless, 3 laptops, 2 towers, and a Wii and 3 iphones, all connect to the router, no switch, no firewall, my network is unsecured, I have tried using another puter and my ip address to gain access to my network and I cannot get past my router, Linksys wrt54g.

TC

 

[v1_0]

Re: Win XP Firewall?

I've got a wired network in my house. I run 3 computers through the router and 2 computers thru the router via a switch. The 'master' computer (the one nearest the modem is one of the ones running thru the switch and is the one that has the two different printers hooked to it.

Looks like you are using the 'master' computer as a print server. ("File and print sharing"). This does open up another vulnerability in your network - certainly on the 'master' computer. Hopefully your router has a firewall as well and it's configured to block access attempts coming from outside your home network. If you have a wireless access point you should lock that down too - from the perspective of your firewall/router any computers coming in on your wireless are 'inside' your network. Make sure only your computers can get in, not any 'war drivers'.

All the other computers share these printers. If I turn on the XP Firewall, it blocks access to the printers for the other computers.

I would strongly recommend shutting down the Win XP firewall and getting something better - not hard to do. Zone alarm and Comodo come to mind, they both have a free version.

The problem I have with Win XP firewall is that it asks you if you want to block a program *after* it has already allowed the program to access the internet. If the program happens to be a keystroke logger - your information would have already been sent. It's kinda like asking "should I lock the door to keep the burgler out" *after* the burgler has already come in.

At any rate, I'm not sure how to do this with the Win XP firewall, but with zone alarm and comodo you can declare a certain ip range (a 'zone') as being your home network/a trusted network. Any computers in that network will be allowed to communicate freely. Doing that will tell the firewall to allow the computers to access the printer.

You actually have an 'internal' set of IP addresses and an 'external' one, so make sure you use your internal one. The router should show both of these - there should be one assigned to the router by your modem. That's your external IP address - by which you are known to the internet. Your router/dhcp server would have another IP range, and assign IP addresses to your internal computers as they request it. UNLESS you have hard-coded each of your computer's IP addresses and shut off their DHCP client ("Obtain an IP address automatically" is not selected in the TCP/IP properties).

One thing that might be useful is to start a command prompt on each of the computers and type "ipconfig". This will show you the IP address and Default gateway, amongst other things. The IP address is the IP address of the computer you are on. The Default gateway should be the address of your router. If all of your computers are in the same network, something like 1.2.3.1, 1.2.3.2, 1.2.3.3, etc. then your local network is 1.2.3.*, this can be added as the 'trusted zone'. If your IP addresses vary, then you probably have some/all of them hard coded. Then just add those addresses to the firewall as trusted computers. (Trusted IP addresses).

-V

 

[v1_0]

Re: Win XP Firewall?

Typically if your network is behind a router access from an intruder is just about impossible. The router does not allow access to the computers from the outside. IMO the windows firewall should be disabled and you should rely on your router. Being that you are also behind a switch is another reason to just cut the firewall off.

You are missing a big piece! It is true that the one firewall will protect your network from (most) attacks from the internet. However, that's only half the equasion! You have only secured your network from uninvited attempts to get IN.

The other half is securing your network so that anything trying to get OUT must ask permission. You may wonder: if I'm secure from things getting in, then why should I worry about things getting out, as that should never occur...

Ah, but my wording was chosen carefully: "uninvited" attempts to get in. From the hardware firewall perspective, as soon as you open your web browser (inside) to connect to something on the internet (outside) all further communication on that connection is "INVITED" regardless of direction.

That is how a lot of spyware, trojans, malware, etc. get in. Once one of these gets in - when it opens a connection to the internet (remember, it's now on the inside of your network so the firewall router things its quite OK) it can pull further malware in and send information out. The windows XP firewall, and the others, are an acknowledgement of this sort of thing - and an effort to allow it to be prevented. If you see a program that you don't know trying to access the internet from your computer, then its time to ask questions/do the research before you allow it to go.

The malware people make a living figuring out how to bypass firewalls - mostly by tricking people (ie: the one using the web browser). Sometimes this is knowingly - those fake virus scanners, download this neat piece of software, etc. - and sometimes this is unknowingly by taking advantage of weaknesses in the web browser (yes, firefox also has vulnerabilities - but that is a different conversation).

The concept is "defense in depth" - do not rely on any one defensive method. On the flip side I agree there is no need to duplicate defense - two firewall routers of the same sort do not double your defense. You should at least have the following:

Hardware firewall.
Software firewall on each computer.
Virus scanner on each computer.
Registry monitor on each computer. (spybot-sd "teatimer")
Malware scanner on each computer.
Secured your browsers on each computer.
For normal work, do not run with an administrator priv account.
Make sure each account - especially the administrator ones - require a password. (prevents easy "run as" bypass of security).
Secure your operating system - shut down services that you don't need.
Keep everything up-to-date with the latest upgrades, including your hardware firewall.

And the big one: YOU are part of the system. You can override any of the security knowingly, or be tricked to do so. Practice safe surfing/computer usage habits.

If you have a wireless access point, at least use WEP and if your access point supports it - only allow known MAC computers to access it.

-V

 

[WizeOne]

Re: Win XP Firewall?

What is the router you are running?

A Linksys BEFSR41.

I only called the printer computer the 'master' 'cause it has the printer and it is one of the two compbuters that sit next to the incoming cable, modem, router and switch. True, all the computers are autonomous, they just 'share' the two printers hooked to my main computer.

Here is a picture of the 'master' station in a corner of the living room. The other stations are scattered about the house.

Whew? That is a lot to digest v1. For starters I don't thing any of the computers are hardcoded as I would have the slightest clue how to do that. I will look into zone alarm and see where to enter all the ip's of the various computers. You say just do an ipconfig and if they are all in a sequence, just enter XXX* for the trusted zone? Are these addresses the same as you speak of here:

.......You actually have an 'internal' set of IP addresses and an 'external' one, so make sure you use your internal one. The router should show both of these - there should be one assigned to the router by your modem. That's your external IP address - by which you are known to the internet....

Also, will something like zone alarm coexist with the Avast Anti virus I just downloaded?

EDIT: I just checked the ipconfig for 4 of the computers. They are all abc.def.g.100 thru 103. Will I enter the whole number in the Zone Alarm trusted Addresses? Should I download Zone alarm for all the computers? Would I need to put all the addy's into all the different zone alarms? I don't have any of the computers set up to share with each other, only the others to the 'master' computer.

 

[dolluper]

Re: Win XP Firewall?

You have some work ahead of you....ifin you install zone alarm you will have to train it ....the avast will work smoothly with it but put it on all your computers plus the zone alarm on all of them after the work begins......to get the zone alarm to reconize theavast as friendly do a manual update of the avast on each computer ......zone alarm will ask in this process if you want to allow it or not...even if avast is doing it automatically zone alarm will ask untill it's reconized as trusted could take awhile.....as far as making them trusted you can do it manually also but I forget the process so someone else may guide you

 

[amendegw]

Re: Win XP Firewall?

I've got a wired network in my house. I run 3 computers through the router and 2 computers thru the router via a switch. The 'master' computer (the one nearest the modem is one of the ones running thru the switch and is the one that has the two different printers hooked to it.

All the other computers share these printers. If I turn on the XP Firewall, it blocks access to the printers for the other computers.

Is there anyway around this. I'd like to keep the Firewall turned on.

Did you mark "Printer & File sharing" as an exception on the computer(s) owning the printer?

 

[WizeOne]

Re: Win XP Firewall?

I went and checked that amendegw. Printer and file checking was already checked. When I had the XP firewall on, at least one of the computers on the network did not seem to be able to print, in fact, quite some time later when I turned off the firewall, the printer just up and spit out the attempted print job.

Maybe I should check the status of the exceptions on the other computers?

 

[amendegw]

Re: Win XP Firewall?

Wizeone,

First, it should go without saying that you DO NOT have "Don't Allow Exceptions" checked.

Second, double click the "File and Printer Sharing" exception. It should look like this:

Third, click the "Change Scope" button and make sure "My network only" is checked.

...Jerry

 

[WizeOne]

Re: Win XP Firewall?

amendegw, you take me places I've never gone before, infact, never heard of before.

However, everything was set like you ordered including "Don't Allow Exceptions" being unchecked.

I could do a 'custom list' and enter in the ip's of the computers involved?

You don't think because my 'master' is entering the router via a switch that that has any bearing on the issue?

 

[amendegw]

Re: Win XP Firewall?

amendegw, you take me places I've never gone before, infact, never heard of before.

However, everything was set like you ordered including "Don't Allow Exceptions" being unchecked.

I could do a 'custom list' and enter in the ip's of the computers involved?

You don't think because my 'master' is entering the router via a switch that that has any bearing on the issue?

WizeOne,

You could try a custom list, might work, but I'm not optimistic. You can try it two different ways: "192.168.1.2/255.255.255.0" or "192.168.1.2,192.168.1.3,192.168.1.4[etc.]" This is assuming your routers DHCP is set up to dole out IPs in the 192.168.1.xxx range.

I can't imagine why a switch would have any bearing on the action of the Windows firewall.

You might try turning on the firewall log. Control Panel -> Firewall -> Advanced -> Security Logging -> Settings -> Log dropped packets -> OK

Try your print again and look in c:\windows\pfirewall.log

...Jerry

 

[WizeOne]

Re: Win XP Firewall?

Ok, amendegw. I did just that and yes all my ip's are in the format you described. The 'default gateway' ip is similar but the last number is a single digit unlike the 3 digits of the connected computers.

I will try some prints and post back in a while.

XP Firewall may not be the ideal but v1 0 and dolluper scared me with the complexity of the alternatives. Why, methinks you could make a career out of this stuff and I am getting past the 'teaching the dog new tricks' stage.

 

[amendegw]

Re: Win XP Firewall?

WizeOne,

Thinking about your problem... you do have another option (but it will cost a few bucks).

I'm assuming your switch has an empty port. You could buy a Print Server and connect you printer directly to your local network. Then you could print from any of your computers without having to concern yourself with going thru the windows firewall.

Go to newegg.com or tigerdirect.com and search for "Print Server". Depending how your printer is connected (probably USB??), you can get one for $50 or so.

...Jerry

 

[v1_0]

Re: Win XP Firewall?

Ok, amendegw. I did just that and yes all my ip's are in the format you described. The 'default gateway' ip is similar but the last number is a single digit unlike the 3 digits of the connected computers.

So, the first 3 digits in the IP addresses is your network. Whatever firewall you use, tell it to treat that zone/network/set of IP addresses as trusted.

XP Firewall may not be the ideal but v1 0 and dolluper scared me with the complexity of the alternatives. Why, methinks you could make a career out of this stuff and I am getting past the 'teaching the dog new tricks' stage.

That saying is for people who lack patience. Old dogs can and will learn new tricks.

That said, zone alarm/comodo do have a setup wizard that does a lot of the work for you, so you don't have to go program by program. I would suggest zone alarm. I've found that comodo throws more pop ups at you.

It's a near decision between using windows XP firewall and using no firewall at all. Seems to me it's a standard: "we have a firewall too" statement with the hidden ("Someday, when we get around to it, we'll beef it up and make it actually protect you").

 

[v1_0]

Re: Win XP Firewall?

Also, will something like zone alarm coexist with the Avast Anti virus I just downloaded?

Yes. Zone alarm will ask you if you want to allow this program (Avast) to be able to access the internet. It may ask you if you want to allow it to be a server. If you choose yes (and click on the "remember this") it won't ask you again - unless the program changes (updated). Then repeat (allow/remember) until the next update (of the program, not the data files).

This will be true of any programs that get updates from the internet. Taxcut, Turbotax, Spybot, etc..

EDIT: I just checked the ipconfig for 4 of the computers. They are all abc.def.g.100 thru 103.

Then your home network is abc.def.g.*. [I hope it isn't the default that comes with the router (192.168.1.*), and that you've changed your default admin password (admin), and that you've turned off being able to administer the router from the internet....]

Will I enter the whole number in the Zone Alarm trusted Addresses?

As I recall, the wizard picked up the network...

Ok, call me lazy but here's a couple of links to where people have type up setup instructions on zone alarm:

http://www.markusjansson.net/eza.html

http://www.gnc-web-creations.com/computer-tech-tips.htm

http://www.angelfire.com/grrl/gracie/gzaindex.htm

Should I download Zone alarm for all the computers? Would I need to put all the addy's into all the different zone alarms? I don't have any of the computers set up to share with each other, only the others to the 'master' computer.

I have 3 active comps and they all have either zone alarm (2) or comodo (1) on them. Yes, I they are all configured -there dosn't seem to be a 'image' (create an image on one computer, copy it to the others) in the free version. I suppose you would have to pay for that.. Now and again I share things between computers, so they 'trust' each other at least for http and ftp. I have a network printer - so all I needed to do was plug it into the router and use a set IP address for it. (If you let it get a IP address on startup - you are shooting at a moving target, so I 'hardcoded' the address into it.)

 

[WizeOne]

Re: Win XP Firewall?

..... [I hope it isn't the default that comes with the router (192.168.1.*), and that you've changed your default admin password (admin), and that you've turned off being able to administer the router from the internet.....

v1_0, you have shamed me into going further. the answer to above is;

a) yes they are all the ip addys, I assume, asigned by the router. They were simply the #'s that were shown in the Command prompt 'ipconfig' search.

b) I have no 'admin' password, that I know of. (default or otherwise)

c) I wouldn't have a clue how to administer the router from the internet, so no, I have not turned it off.

Other than the above I have not digested the balance of your post.

 

[v1_0]

Re: Win XP Firewall?

v1_0, you have shamed me into going further. the answer to above is;

a) yes they are all the ip addys, I assume, asigned by the router. They were simply the #'s that were shown in the Command prompt 'ipconfig' search.

b) I have no 'admin' password, that I know of. (default or otherwise)

c) I wouldn't have a clue how to administer the router from the internet, so no, I have not turned it off.

Danger! The default setting for all of these things is well defined - in the manuals that ship with the router, as well as posted on numerous web sites. This default is for ALL the routers of your model, so it is a simple matter to find this information.
Fortunately, the 'script kiddies' don't know / have the sophisitication to use this information. Different companies have different standards - some use the same admin account/password for most of their routers, others vary it by router. The benefit is that it isn't universal, so you'd have to work a list.

Unfortunately you have left your keys to the front door taped to the front door. Anyone actually looking for that sort of thing will find it. I can't say how often that occurs - but I wouldn't rely on security by obscurity..

 

[WizeOne]

Re: Win XP Firewall?

So you are saying that if I weed thru my huge pile of usually undecipherable manuals and am lucky enough to find one for the router, I can change the router's ip addy?

And if I do, will it also change all the addys for the individual computers?