Windows XP SP2 and Firewall

Windows XP SP2 and Firewall

[Alexander Gottwald]

Hi,

With the upcoming Servicepack 2 for Windows XP we will get more
network related bugreports. XP will then enable the built-in firewall
(ICF) by default and the xserver will become unusable from the network
without changes to ICF configuration.

http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx

I propose a new commandline switch "-icf-adjust" which (if possible)
changes the configuration of the firewall to allow incoming traffic 
on port 6000+x and restores the old settings on exit.

I'll do some research on how to change the firewall settings from 
a running program.

Any comments and ideas?

bye
	ago
-- 
 Alexander.Gottwald@s1999.tu-chemnitz.de 
 http://www.gotti.org           ICQ: 126018723
 Chemnitzer Linux-Tag 2004 - 6. und 7. März 2004
 http://www.tu-chemnitz.de/linux/tag

Re: Windows XP SP2 and Firewall

[Alexander Gottwald]

On Tue, 2 Mar 2004, Alexander Gottwald wrote:

> I'll do some research on how to change the firewall settings from 
> a running program.

looks like <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/inetfwv6mgr_openglobalport.asp>
is what we want. But the header files from the SDK will not work with cygwin. 

@Harold: Where didi you get the ddraw.h file from? Did  you use wine-idl 
to generate it from the idl or did you use the plain wine header?

bye
	ago
-- 
 Alexander.Gottwald@s1999.tu-chemnitz.de 
 http://www.gotti.org           ICQ: 126018723
 Chemnitzer Linux-Tag 2004 - 6. und 7. März 2004
 http://www.tu-chemnitz.de/linux/tag

Re: Windows XP SP2 and Firewall

[Harold L Hunt II]

Alexander Gottwald wrote:

> On Tue, 2 Mar 2004, Alexander Gottwald wrote:
> 
> 
>>I'll do some research on how to change the firewall settings from 
>>a running program.
> 
> 
> looks like <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/inetfwv6mgr_openglobalport.asp>
> is what we want. But the header files from the SDK will not work with cygwin. 
> 
> @Harold: Where didi you get the ddraw.h file from? Did  you use wine-idl 
> to generate it from the idl or did you use the plain wine header?

I grabbed a version from Wine and (I think) made a few hand 
modifications to it to get it to work.

Harold

Re: Windows XP SP2 and Firewall

[Elliott Wilcoxon]

Perhaps you're looking in the wrong place?  ICF came with WinXP 
originally.  Open a network connection->Properties->Advanced->Checkbox 
for ICF.

Elliott Wilcoxon

Alexander Gottwald wrote:
> On Tue, 2 Mar 2004, Stuart Adamson wrote:

>>Maybe we need a wrapper script when runs "disable firewall", "run X",
>>"enable firewall".  Works well (until the use kills the wrapper script...)
> 
> 
> I'll play with the test program I've written. Maybe this will get an simple 
> commandline interface for configuring ICF. 
> 
> But first I have to find an WinXP with installed ICF anywhere. Win2k did 
> not have it and the plain XP box (no SPs) here hasn't it either.
> 
> bye
> 	ago

RE: Windows XP SP2 and Firewall

[Alexander Gottwald]

On Tue, 2 Mar 2004, Stuart Adamson wrote:

> What happens when X crashes? 

No running service, no vulnerability, no problem. I'm just talking about
opening one single port.

> We *have* to restore the firewall in this case.  

> I *think* we can catch this case using SEH - but we can't compile
> using gcc then...

> Maybe we need a wrapper script when runs "disable firewall", "run X",
> "enable firewall".  Works well (until the use kills the wrapper script...)

I'll play with the test program I've written. Maybe this will get an simple 
commandline interface for configuring ICF. 

But first I have to find an WinXP with installed ICF anywhere. Win2k did 
not have it and the plain XP box (no SPs) here hasn't it either.

bye
	ago
-- 
 Alexander.Gottwald@s1999.tu-chemnitz.de 
 http://www.gotti.org           ICQ: 126018723
 Chemnitzer Linux-Tag 2004 - 6. und 7. März 2004
 http://www.tu-chemnitz.de/linux/tag

Re: Windows XP SP2 and Firewall

[Harold L Hunt II]

Stuart Adamson wrote:

>>I'll do some research on how to change the firewall settings from 
>>a running program.
>>
>>Any comments and ideas?
> 
> 
> What happens when X crashes?  We *have* to restore the firewall in this
> case.  I *think* we can catch this case using SEH - but we can't compile
> using gcc then...

That was not my impression from reading information about XP SP2.

However, I don't think we are going to have to modify anything anyway, 
since the default for the new firewall in SP2 is to allowing incoming 
connections for a few seconds from the remote host after an outbound 
connection has been made to it.  This should work just fine with our 
outbound UDP connection that expects to get a return TCP connection for 
Xdmcp.

Harold

RE: Windows XP SP2 and Firewall

[Stuart Adamson]

> I'll do some research on how to change the firewall settings from 
> a running program.
>
> Any comments and ideas?

What happens when X crashes?  We *have* to restore the firewall in this
case.  I *think* we can catch this case using SEH - but we can't compile
using gcc then...

Maybe we need a wrapper script when runs "disable firewall", "run X",
"enable firewall".  Works well (until the use kills the wrapper script...)


Stuart