    Date: 24.03.2021
    Size: 290 Kb

    General Methodology for Determining and Configuring Exceptions


    When an application or service does not work because Windows Firewall is blocking unsolicited incoming traffic, the solution is not to disable Windows Firewall but to configure Windows Firewall exceptions so that the blocked traffic is allowed. Disabling Windows Firewall leaves your computer vulnerable to malicious users and programs and is not recommended, unless you are using a third-party firewall product.

    As described in the "Internet Users Cannot Access My Game, Web, or Other Server" section of this article, applications that listen on ports cause Windows Firewall to prompt the user with a notification. Depending on the selection in the Windows Security Alert dialog box, the application is added to the exceptions list on the Exceptions tab but the traffic is blocked (the Keep Blocking option), added to the exceptions list and allowed (the Unblock option), or not added to the list and blocked (the Ask Me Later option). If you select Keep Blocking, you must enable the application from the Exceptions tab of the Windows Firewall component of Control Panel. Applications can also configure exceptions using the Windows Firewall APIs and you can also manually configure exceptions.

    Windows services, unlike applications, do not use the notification feature of Windows Firewall to attempt to automatically configure and enable an exception. Exceptions for Windows services must either be configured by the service using the Windows Firewall APIs or through manually configured program- or port-based exceptions. If the service runs from an executable file (such as an *.exe file), then you can configure a program-based exception. If the service is hosted by another service, such as Svchost.exe, then you must configure port-based exceptions.

    If a service needs port-based or ICMP exceptions, determine the TCP ports, UDP ports, or ICMP messages that the service uses by checking the documentation for the service or its Web site, and configure the appropriate port and ICMP message exceptions based on that documentation. If there is no documentation about the TCP ports, UDP ports, or ICMP messages that the service uses, use the following methodology:



    1. From the Advanced tab of the Windows Firewall component of Control Panel, click Settings in the Security Logging section and enable the Log dropped packets option. Click OK to save logging settings and then click OK to close the Windows Firewall component of Control Panel.

    2. From another client computer, note the computer's IP address and attempt to communicate using the client or peer application to the computer on which the Windows Firewall is running with logging enabled. For example, if the server computer is running an email server, then run the appropriate email client program on the client computer.

    3. After the client program on the client computer has failed, go to the server computer and use Windows Explorer to view the contents of the Pfirewall.log file that is stored in your main Windows installation folder.

    4. From the most recent entries in the Pfirewall.log file, look for entries for packets that were dropped with a source IP address that matches the IP address of the client computer. From these matching entries, look at the "dst-port" portion of the entry. These are the TCP or UDP ports that need to be configured as port-based exceptions. For ICMP traffic, look at the "icmptype" and "icmpcode" portions of the entry and check the ICMP Parameters Web page for the name of the ICMP message.
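    Step 4 is tedious to do by eye on a busy log, so the following Python script, added here as an example and not part of the original article, automates it: it reads the column names from the "#Fields:" header that Windows Firewall writes at the top of Pfirewall.log, keeps only DROP entries whose source address is the client computer, and collects the "dst-port" values per protocol and the "icmptype"/"icmpcode" pairs for ICMP. The log rows below are constructed sample data (addresses 192.168.1.10 as the server, 192.168.1.20 as the client, 10.0.0.7 as an unrelated host), and the small ICMP name table covers only a few well-known messages from the ICMP Parameters registry; anything else is reported as a type/code pair to look up.

```python
from collections import defaultdict

# Constructed sample of a Pfirewall.log in the W3C extended log format that
# Windows Firewall writes. Field names come from the "#Fields:" header line.
# 192.168.1.10 is the server, 192.168.1.20 the client used in step 2; the
# 10.0.0.7 row and the OPEN row are noise the procedure must ignore.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-03-24 10:15:01 DROP TCP 192.168.1.20 192.168.1.10 49152 3389 48 S 123456 0 65535 - - - RECEIVE
2021-03-24 10:15:03 DROP UDP 192.168.1.20 192.168.1.10 49153 161 78 - - - - - - - RECEIVE
2021-03-24 10:15:04 DROP ICMP 192.168.1.20 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2021-03-24 10:15:05 DROP TCP 10.0.0.7 192.168.1.10 40000 445 48 S 2222 0 65535 - - - RECEIVE
2021-03-24 10:15:06 OPEN TCP 192.168.1.10 192.168.1.20 1030 25 0 - 0 0 0 - - - -
2021-03-24 10:15:07 DROP TCP 192.168.1.20 192.168.1.10 49154 3389 48 S 123457 0 65535 - - - RECEIVE
"""

# A few well-known ICMP type/code names (IANA ICMP Parameters registry).
ICMP_NAMES = {
    (0, 0): "Echo Reply",
    (3, 1): "Destination Unreachable (Host Unreachable)",
    (3, 3): "Destination Unreachable (Port Unreachable)",
    (8, 0): "Echo Request",
    (11, 0): "Time Exceeded (TTL expired in transit)",
}


def parse_firewall_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header lines (#Version, #Software, ...)
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = line.split()
        # Older logs omit trailing columns (e.g. path); pad them with '-'.
        values += ["-"] * (len(fields) - len(values))
        yield dict(zip(fields, values))


def dropped_ports_from(text, client_ip):
    """Ports and ICMP messages dropped from client_ip, grouped by protocol.

    Returns e.g. {"TCP": [3389], "UDP": [161], "ICMP": [(8, 0)]}.
    """
    needed = defaultdict(set)
    for row in parse_firewall_log(text):
        if row["action"] != "DROP" or row["src-ip"] != client_ip:
            continue
        proto = row["protocol"]
        if proto == "ICMP":
            needed["ICMP"].add((int(row["icmptype"]), int(row["icmpcode"])))
        elif row["dst-port"] != "-":
            needed[proto].add(int(row["dst-port"]))
    return {proto: sorted(items) for proto, items in needed.items()}


def describe(exceptions):
    """Turn the result of dropped_ports_from into one line per exception."""
    lines = []
    for proto, items in sorted(exceptions.items()):
        for item in items:
            if proto == "ICMP":
                name = ICMP_NAMES.get(item, "unknown; see the ICMP Parameters registry")
                lines.append(f"ICMP type {item[0]} code {item[1]}: {name}")
            else:
                lines.append(f"{proto} port {item}")
    return lines


if __name__ == "__main__":
    for entry in describe(dropped_ports_from(SAMPLE_LOG, "192.168.1.20")):
        print(entry)
```

    Run against a real log, the script is pointed at Pfirewall.log and the client's address from step 2; matching on the source address rather than every dropped packet is what keeps unrelated Internet noise (the 10.0.0.7 row above) out of the exception list, so only ports the client actually needs get opened.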

    Another way to determine the port numbers used by a service is to use audit logging with the following procedure:

    1. Enable audit logging as described in the "Windows Firewall Troubleshooting Tools" section of this article.

    2. Restart your computer. Many services are set for automatic startup. By restarting, you ensure that you can audit your service startup process.

    3. Use the Services snap-in, as described in the "Windows Firewall Troubleshooting Tools" section of this article, to ensure that your service has started.

    4. Use the Event Viewer snap-in, as described in the "Windows Firewall Troubleshooting Tools" section of this article, to look for Failure Audit events in the security event log with an event ID of 861. These events are for applications or services that listen on TCP or UDP ports, but whose traffic was not allowed by Windows Firewall. The text of the error message contains the file path and name of the requestor, the process identifier, whether the requestor is a program or service, and the TCP or UDP port number.

    If you can identify the program or service from the information in the Failure Audit event, then use the TCP or UDP port in the event text and configure a port-based exception. Do this for all the ports needed by the program or service.

    In some cases, services are run as part of a larger process that hosts multiple services, such as the process named Svchost.exe. In this case, you must use the netstat -abn command to list all of the listening ports together with the executable and the components that opened each one. From the list of components (listed by file name), you can determine the port on which a specific service is listening.

    The following is an example of using the netstat -abn command:

    F:\>netstat -abn

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
       f:\xp_pro\system32\WS2_32.dll
       F:\XP_PRO\system32\RPCRT4.dll
       f:\xp_pro\system32\rpcss.dll
       F:\XP_PRO\system32\svchost.exe
       -- unknown component(s) --
      [svchost.exe]

      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      [System]

      TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1888
      [alg.exe]

      TCP    131.107.81.167:139     0.0.0.0:0              LISTENING       4
      [System]

      UDP    0.0.0.0:500            *:*                                    688
      [lsass.exe]

      UDP    0.0.0.0:445            *:*                                    4
      [System]

      UDP    0.0.0.0:4500           *:*                                    688
      [lsass.exe]

      UDP    127.0.0.1:1900         *:*                                    1144
       f:\xp_pro\system32\WS2_32.dll
       f:\xp_pro\system32\ssdpsrv.dll
       F:\XP_PRO\system32\ADVAPI32.dll
       F:\XP_PRO\system32\kernel32.dll
      [svchost.exe]

      UDP    127.0.0.1:1025         *:*                                    980
       f:\xp_pro\system32\WS2_32.dll
       F:\XP_PRO\system32\WLDAP32.dll
       F:\XP_PRO\System32\winrnr.dll
       f:\xp_pro\system32\WS2_32.dll
       f:\xp_pro\system32\w32time.dll
      [svchost.exe]

      UDP    131.107.81.167:137     *:*                                    4
      [System]

      UDP    131.107.81.167:1900    *:*                                    1144
       f:\xp_pro\system32\WS2_32.dll
       f:\xp_pro\system32\ssdpsrv.dll
       F:\XP_PRO\system32\ADVAPI32.dll
       F:\XP_PRO\system32\kernel32.dll
      [svchost.exe]

      UDP    131.107.81.167:138     *:*                                    4
      [System]
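    Reading a long netstat -abn listing by hand to find which Svchost.exe instance owns a port is error-prone, so the Python script below, added here as an example and not part of the original article, parses the article's own listing above into one record per listening socket (protocol, local address, port, PID, the components netstat attributes to it, and the trailing [image name] line) and answers the two questions the procedure asks: which ports a given component such as rpcss.dll or ssdpsrv.dll is listening on, and which process owns a given port. The sample input is the listing from the article; the data layout (socket line followed by component paths and an [image] line) is what netstat -b prints, and the regular expression assumes IPv4 addresses as in that listing.

```python
import re
from dataclasses import dataclass, field

# The netstat -abn listing from the article, used here as sample input.
NETSTAT_OUTPUT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
   f:\xp_pro\system32\WS2_32.dll
   F:\XP_PRO\system32\RPCRT4.dll
   f:\xp_pro\system32\rpcss.dll
   F:\XP_PRO\system32\svchost.exe
   -- unknown component(s) --
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1888
  [alg.exe]
  TCP    131.107.81.167:139     0.0.0.0:0              LISTENING       4
  [System]
  UDP    0.0.0.0:500            *:*                                    688
  [lsass.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    0.0.0.0:4500           *:*                                    688
  [lsass.exe]
  UDP    127.0.0.1:1900         *:*                                    1144
   f:\xp_pro\system32\WS2_32.dll
   f:\xp_pro\system32\ssdpsrv.dll
   F:\XP_PRO\system32\ADVAPI32.dll
   F:\XP_PRO\system32\kernel32.dll
  [svchost.exe]
  UDP    127.0.0.1:1025         *:*                                    980
   f:\xp_pro\system32\WS2_32.dll
   F:\XP_PRO\system32\WLDAP32.dll
   F:\XP_PRO\System32\winrnr.dll
   f:\xp_pro\system32\WS2_32.dll
   f:\xp_pro\system32\w32time.dll
  [svchost.exe]
  UDP    131.107.81.167:137     *:*                                    4
  [System]
  UDP    131.107.81.167:1900    *:*                                    1144
   f:\xp_pro\system32\WS2_32.dll
   f:\xp_pro\system32\ssdpsrv.dll
   F:\XP_PRO\system32\ADVAPI32.dll
   F:\XP_PRO\system32\kernel32.dll
  [svchost.exe]
  UDP    131.107.81.167:138     *:*                                    4
  [System]
"""

# Socket line: proto, IPv4 local address, port, foreign address, optional
# state (UDP has none) and PID. IPv6 brackets are not handled.
SOCKET_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(LISTENING)\s+)?(\d+)$"
)


@dataclass
class Listener:
    proto: str
    local_addr: str
    port: int
    pid: int
    process: str = ""                            # image name from the [name] line
    components: list = field(default_factory=list)  # DLL/EXE paths listed by -b


def parse_netstat(text):
    """Parse netstat -abn output into Listener records (listening sockets only)."""
    listeners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            if proto == "TCP" and state != "LISTENING":
                current = None          # established/closing TCP sockets are not exceptions
                continue
            current = Listener(proto, addr, int(port), int(pid))
            listeners.append(current)
        elif current is None:
            continue                    # header lines before the first socket
        elif line.startswith("[") and line.endswith("]"):
            current.process = line[1:-1]
        elif line.startswith("--"):
            current.components.append("<unknown>")
        else:
            current.components.append(line)
    return listeners


def ports_for_component(listeners, name):
    """(proto, port) pairs whose component list or image name matches `name`."""
    name = name.lower()
    hits = set()
    for lst in listeners:
        names = [lst.process.lower()] + [c.lower().rsplit("\\", 1)[-1] for c in lst.components]
        if name in names:
            hits.add((lst.proto, lst.port))
    return sorted(hits)


def owner_of_port(listeners, proto, port):
    """(pid, image name) of the listener on proto/port, or None if nothing listens there."""
    for lst in listeners:
        if lst.proto == proto and lst.port == port:
            return lst.pid, lst.process
    return None
```

    For the article's listing, ports_for_component on "rpcss.dll" resolves to TCP 135 and on "ssdpsrv.dll" to UDP 1900, which are the port-based exceptions those services would need even though all three Svchost.exe instances (PIDs 892, 980 and 1144) report the same image name.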