In the advanced settings of the properties for a network connection, you use the Services tab to configure services for both ICS and ICF/WF. Configuring a service on this tab enables packets for that service to be passed through ICF/WF (if ICF/WF is enabled for the specified network connection). If ICS is also enabled on the connection, the Name or IP address box in the Service Settings dialog box instructs ICS where to send requests for each service that is enabled. The default location is the local computer, but you can redirect requests for the service to a computer on the private network, which is a function of ICS.
With ICS disabled and ICF/WF enabled, you might create a service filter that does not have the intended effect. For example, suppose that you want to redirect all Web traffic from the Internet to an internal host, ICF/WF is enabled on the interface that connects to the Internet, and ICS is disabled. You can still specify the name or IP address of an internal host in the Service Settings dialog box. However, with only ICF/WF enabled, the traffic is allowed through the firewall but is not redirected to the internal host. In this case, connection attempts from the Internet on TCP port 80 are allowed through the firewall, but are directed to the Internet connection of the Windows XP-based host. If no service is listening on TCP port 80 on the Internet-connected interface, the connection does not work. This behavior could be a security risk because ICF/WF is configured to allow packets to pass through, even though the service may not exist. To avoid this security risk, use one of the following methods:
- Enable ICS to allow the service to be redirected to the appropriate internal host.
- Disable service mappings to internal hosts if ICS is disabled.
To enable ICS
- Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
- View the properties for the interface that connects to the Internet.
- On the Advanced tab, click Settings.
- In the Internet Connection Sharing section, select the Allow other network users to connect through this computer's Internet connection check box.
To configure service mappings
- Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
- View the properties for the interface that connects to the Internet.
- On the Advanced tab, ensure that either ICF/WF or ICS is enabled. If neither ICF/WF nor ICS is enabled, the Settings button is unavailable, and any service mappings that are listed are ignored.
- Click Settings.
  Note: On a Windows XP SP2-based computer, click Settings in the Internet Connection Sharing section.
- On the Services tab:
  - Clear the check box for any services that are not running.
  - Clear the check box for any services to which Internet users should not be able to gain access.
  - If ICS is disabled and ICF/WF is enabled, clear the check box for any services that are not running on the Windows XP-based computer and listening on the Internet-connected interface. In other words, do not select the check box for any services that are running only on internal hosts unless ICS is also enabled.
  - Select the check box only for services to which Internet users should be allowed to gain access.
- To configure a service to be redirected to an internal host, use the following steps only if ICS is enabled for the connection:
  - Click the service in the list and make sure its check box is selected.
  - Click Edit.
  - In the Name or IP address box, type the name or IP address of the internal host on which the service is running.
    It is typically a good idea to use a fully qualified Domain Name System (DNS) name when you specify a name. For Windows XP, ICS uses MSHOME.NET as the domain name. Therefore, if the name of the internal server is SERV1, the fully qualified name is SERV1.MSHOME.NET.
  - Click OK to close the Service Settings dialog box.
- Click OK to close the Advanced Settings dialog box.
- Click OK to close the Network Connection Properties dialog box.
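
The check box rules in this procedure can be applied mechanically when reviewing a connection. The following is an added example, not part of the original article: it models the Services tab entries as data and flags every selected service that leaves a port open to no effect. The `Mapping` class, the `audit` function, the way the local computer is written in the target field, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: values that mean "the local computer" in the Name or IP address box.
LOCAL_TARGETS = {"", "127.0.0.1", "localhost"}

@dataclass
class Mapping:                      # hypothetical model of one Services tab entry
    name: str
    port: int                       # TCP port allowed through ICF/WF
    enabled: bool                   # state of the check box
    target: str = "127.0.0.1"       # contents of the Name or IP address box

def audit(ics, firewall, mappings, listening, local_names=()):
    """Return (service, port, reason) for each selected mapping that is risky.

    listening: set of TCP ports with a service bound on the Internet-connected
    interface of this computer (collected separately, e.g. from netstat output).
    """
    if not (ics or firewall):
        return []                   # mappings are ignored when neither is enabled
    local = LOCAL_TARGETS | {n.lower() for n in local_names}
    findings = []
    for m in mappings:
        if not m.enabled:
            continue
        is_local = m.target.lower() in local
        if not ics and not is_local:
            findings.append((m.name, m.port,
                             "ICS disabled: allowed but not redirected to " + m.target))
        # Without ICS, every allowed packet is delivered to this computer.
        if (not ics or is_local) and m.port not in listening:
            findings.append((m.name, m.port, "no local listener on allowed port"))
    return findings

# Constructed sample: Services tab state and local listeners.
SAMPLE = [
    Mapping("Web Server (HTTP)", 80, True, "SERV1.MSHOME.NET"),
    Mapping("FTP Server", 21, True),
    Mapping("Remote Desktop", 3389, True),
    Mapping("Telnet Server", 23, False),
]
LISTENING = {3389}

if __name__ == "__main__":
    for finding in audit(ics=False, firewall=True, mappings=SAMPLE, listening=LISTENING):
        print(finding)
```

Each finding corresponds to a check box that the procedure says to clear, or, for a redirect finding, a connection on which ICS must be enabled first.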