[Dshield] Opinions on XP Internet Connection Firewall (ICF) sought

Doug White doug at clickdoug.com
Sun Apr 4 17:59:45 GMT 2004


Download and install the SP-2 (currently beta, but stable), which greatly
improves the ICF and makes it much more configurable.  It has things like
dynamic ports, which keep ports closed until an application needs them (with
authorization from the user) and then close them upon termination of the program.
There is much more, of course.

In my case, I still have Zone-Alarm PRO (paid-for version) plus two anti-virus
solutions running at the same time, just out of paranoia, I guess.



----- Original Message ----- 
From: "Daniel G. Kluge" <dkluge at acm.org>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Sunday, April 04, 2004 10:48 AM
Subject: [Dshield] Opinions on XP Internet Connection Firewall (ICF) sought


Hello gang,
I got my easter eggs early in the form of a new PC at work, where I
also got a spanking new XP on it and local Admin rights to boot. So I
gave the Internet Connection Firewall (ICF) a try, and after running it
for a few days, I have some questions & comments.

First of all, is there anything which would qualify as documentation,
i.e. something written for people who actually know what they are
doing? There was an article on SecurityFocus[1], which resonates my
sentiment very well:
> ICF is an excellent personal firewall and will prevent most attacks
> from the Internet. However, the lack of granular control makes ICF
> much too restrictive for power users. So, as they say, you can’t live
> with it, you can’t live without it.

I had the deja-vu of my Sonicwall experience: Gets you secure quickly,
but as soon as you want to do something a little bit more complex, the
GUI toy comes to its limits. Don't get me wrong, I really like the
Sonicwalls, though I don't use mine anymore, but they do have their
limitations (hint: there's more to the Internet than TCP, UDP and
ICMP).

Of course I was asking a lot of the firewall, since this is in a
corporate environment, so I had to open quite a few ports to keep it
from bitching (I do log all failed attempts). I then wrote a small
perl-script which throws out all the garbage, and leaves from the 20k
entries in the log about 74 relevant ones, and yes a global corporate
network isn't an entirely friendly place.

It seems to me to be very much a toy, like most of M$ desktop wares.
I'd be much better served by any "basic" *NIX based firewall, but then
again, I do hold an MSCS; most computer users don't.

Does anybody really use that thing? Or do people either use free
personal firewalls or corporate solutions with policy enforcement?
Please note I don't want another thread with "BlackICE vs. Tiny vs. NAI
vs. McAfee" or "M$ is crap, PFWs are snake-oil", just ICF pro/cons
yes/no enlightenment.

Some questions/observations on my side:
- Can you force the thing to release its log-file, or is it only on
size-based rollover? How many files does it keep?
- I see odd packets with my address as the target address being
dropped, I guess its state-keeping isn't too good.
- Without the ability to deny based on source address I can only allow
or deny all NetBIOS traffic, and there is some traffic that I don't
want/need, probably coming from infected machines. Toy.

-daniel
[1] http://www.securityfocus.com/infocus/1620
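
The log reduction and per-source view raised in the original message can be sketched as follows; this is an added example, not the poster's Perl script or any code from the thread. It assumes the `#Fields` header that ICF writes at the top of `pfirewall.log`, a constructed sample log, a hypothetical local address of 10.1.4.50, and a filtering rule chosen for illustration (keep only DROP entries addressed to the host itself).

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout ICF writes to pfirewall.log; the
# addresses are made up for this example, not taken from the post.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-04-02 09:14:01 DROP UDP 10.1.4.23 10.1.255.255 138 138 229 - - - - - - -
2004-04-02 09:14:03 DROP UDP 10.1.4.31 10.1.255.255 137 137 78 - - - - - - -
2004-04-02 09:14:07 DROP TCP 10.1.7.88 10.1.4.50 3412 445 48 S 1884212 0 16384 - - -
2004-04-02 09:14:10 DROP TCP 10.1.7.88 10.1.4.50 3412 445 48 S 1884212 0 16384 - - -
2004-04-02 09:14:16 DROP TCP 10.1.7.88 10.1.4.50 3412 445 48 S 1884212 0 16384 - - -
2004-04-02 09:14:20 DROP TCP 10.1.7.88 10.1.4.50 3413 139 48 S 1884990 0 16384 - - -
2004-04-02 09:15:00 OPEN TCP 10.1.4.50 10.1.1.10 1045 80 - - - - - - - -
2004-04-02 09:16:40 DROP ICMP 10.1.9.2 10.1.4.50 - - 60 - - - - 8 0 -
2004-04-02 09:17:02 DROP TCP 10.1.7.88
"""

def parse_icf_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated entries
                yield dict(zip(fields, values))

def triage(text, my_ip):
    """Count DROPs addressed to my_ip, grouped by (source, protocol, port)."""
    me = ipaddress.ip_address(my_ip)
    hits = Counter()
    for e in parse_icf_log(text):
        try:
            to_me = ipaddress.ip_address(e.get("dst-ip", "")) == me
        except ValueError:
            continue  # unparsable destination address
        if e.get("action") == "DROP" and to_me:  # broadcasts fall out here
            hits[(e.get("src-ip"), e.get("protocol"), e.get("dst-port"))] += 1
    return hits

if __name__ == "__main__":
    for (src, proto, port), n in triage(SAMPLE_LOG, "10.1.4.50").most_common():
        print(f"{n:4d}  {src:15s} {proto}/{port}")
```

Grouping by source address gives, at the log level, the per-source view of NetBIOS/SMB traffic that ICF itself cannot filter on.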