Figuring out why the built-in XP firewall blocks other computers when using Internet Connection Sharing; trying to share PC resources without at least a hub isn’t worth the effort.

By Joe and Ron of Neighborhood Techs

Q. I have two PCs on my home network. I just installed Windows XP on the Host PC. My other PC is running Windows 98 Second Edition. The problem is that when I enable Internet Connection Firewall (ICF) on the host computer the client computer can no longer connect to certain programs. Can the firewall be configured so that the client works as it did before I enabled ICF?

A. You didn’t mention which applications are giving you problems, so we’ll have to make some generalizations here. The role of the Microsoft Internet Connection Firewall (or any firewall for that matter) in Windows XP is to monitor the traffic that travels in and out of your computer or network. This traffic enters and exits the computer through ports. The firewall can tell what type of traffic is traveling through the network by tracking which port the data is destined for. Some examples of service types and their related port numbers are HTTP, which uses port 80; FTP on port 21; and TELNET on port 23. Any traffic not specifically defined within the firewall is typically blocked to prevent unauthorized access to your network.

In order for an application to pass data outside of your local network, you need to tell the firewall which ports that service is going to be using and allow that data to pass. The Microsoft Internet Connection Firewall can be easily configured to do this by adding a Service to its Services List. The Services List contains information on the service type, the related TCP or UDP ports and the IP address of the host system.

ICF and Internet Connection Sharing (ICS) have some services already predefined so Web traffic and e-mail can be used from the moment ICF is enabled. If the application you want to use hasn’t already been predefined then you’ll need to add its parameters to the Services List. The port used by the application you want to use can be found either in the documentation or by contacting the vendor.

To add a service to the Services List, open the Control Panel and click on Network Connections. Right-click on the Connection being protected by ICF and select Properties. Next, select the Advanced tab and press the Settings button. On the Services tab, click Add and you’ll see the Service Settings dialog box. Here you’ll put the service name, the IP address of the computer hosting the service and the TCP or UDP port numbers the service will use. When finished, click OK to update your Services List. Your application should now be usable.

Some applications, like Microsoft NetMeeting for example, use a wide range of ports for moving traffic and can be very difficult to get working behind a firewall. In this type of situation it might be necessary to place an application like this in a Demilitarized Zone (DMZ), which resides outside of your firewall. A system in the DMZ is vulnerable to attack and should not contain any sensitive data. The ICF is a very basic firewall and does not offer this type of support, so you might need to upgrade to a dedicated router with a built-in firewall.
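The behaviour described in this answer can be sketched as a small model, added here as an illustration and not taken from ICF itself: replies to connections started from inside are allowed, unsolicited inbound traffic is dropped unless a Services List entry matches, and an application that picks its ports dynamically never matches an entry. The class names, IP addresses and every port other than 21 and 80 are constructed for the example.

```python
# Simplified model of an ICF-style stateful filter (added example; names are hypothetical).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Service:
    name: str
    proto: str      # "TCP" or "UDP"
    port: int       # external port opened on the ICF host
    host_ip: str    # computer on the home network that hosts the service

@dataclass
class Firewall:
    services: list = field(default_factory=list)
    state: set = field(default_factory=set)   # flows started from inside

    def outbound(self, proto, local_port, remote_ip, remote_port):
        """A connection started from inside is remembered so replies can return."""
        self.state.add((proto, local_port, remote_ip, remote_port))

    def inbound(self, proto, remote_ip, remote_port, dest_port):
        """Return (verdict, detail) for a packet arriving from the Internet."""
        if (proto, dest_port, remote_ip, remote_port) in self.state:
            return ("ALLOW", "reply to an outbound connection")
        for s in self.services:
            if (s.proto, s.port) == (proto, dest_port):
                return ("ALLOW", f"{s.name} -> {s.host_ip}")
        return ("DROP", "no matching service entry")   # default deny

def demo():
    fw = Firewall()
    results = []
    # Client browses the Web: the reply matches the recorded outbound flow.
    fw.outbound("TCP", 1050, "203.0.113.10", 80)
    results.append(fw.inbound("TCP", "203.0.113.10", 80, 1050))
    # Unsolicited inbound FTP, before and after adding a Services List entry.
    results.append(fw.inbound("TCP", "203.0.113.20", 40000, 21))
    fw.services.append(Service("FTP Server", "TCP", 21, "192.168.0.2"))
    results.append(fw.inbound("TCP", "203.0.113.20", 40000, 21))
    # An application using a dynamic port (constructed value) is still dropped.
    results.append(fw.inbound("TCP", "203.0.113.20", 40001, 49200))
    return results

if __name__ == "__main__":
    for verdict, detail in demo():
        print(verdict, "-", detail)
```

Each Services List entry opens exactly one protocol and port pair, so the list should contain only the services the network actually hosts.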

Q. I don’t have access to a hub and have three machines in my house. I would like to use all of them on the Net and have the network cards (NICs) to do so, but when I set up ICS it only gives me the option of binding to one of the NICs. Is there a work-around for this? I’ve spent literally hours trying to find an answer.

A. If I’m reading your question correctly, you want to bypass a hub and basically daisy-chain each PC to the other using standard Ethernet network adapters. While this is not impossible to do, it will be very complicated and honestly not worth the aggravation.

To do what you’re looking to do you would need to have one NIC in the first PC, two NICs in the second PC and two NICs in the Host PC. This would mean that the PCs with two NICs would need to be bridged (or multihomed) to allow data to be passed between them. This could be tricky to get working right, particularly if you’re going to be using a firewall to protect your data. ICS and ICF are just simple Internet sharing utilities that don’t offer an abundance of options for custom configurations like this.

My recommendation would be to simply invest in a small 5-port hub, which you could probably purchase for around $40 (maybe even less than that on eBay), and devote your energy to other endeavours.