Internet Connection Firewall

M.C.

Hi,

According to the ICF documentation, enabling ICF will cause the
system to block packets from the local network.

After I enabled ICF, the system indeed failed to receive
ping reply packets from LAN. Now, if I change the static IP
address, the system will be able to communicate with LAN as
if ICF was not in effect any more.

Is this normal?

MC
 
Sorry I forgot to mention that the system is running WinXP.
I apologize if this is the wrong group to ask this question.

Thanks,

MC
 
Was your system having trouble communicating w/ the servers when the ICF was
enabled?
 
Yes. The web/database servers are local. We changed the
system ip address and the problem went away.

We did not try "ipconfig /release /renew routine" with
dynamic ip though.

MC

On Mon, 27 Oct 2003 21:20:42 -0500, "Lanwench [MVP -
Exchange]"
 
What was the problem you were having?

What's the reason you want ICF enabled on the machines? Protect your
perimeter by using a firewall between your internet router and LAN.... I
don't bother with local s/w firewalls unless it's a standalone machine,
myself.

 
No, it isn't a problem, but a question. According to ICF
documentation, if a local host machine has ICF turned on,
then this machine will not be able to communicate with other
local machines. This appeared to be not the case...

Steps:
=====
1. Set the host machine to a static IP address... LAN OK
2. Turn on the ICF on this machine.... no LAN
3. Change the host's IP address... LAN OK

In other words, changing the IP address creates a loophole
on ICF's effort to discard local incoming packets. To me,
this is an interesting observation.

MC

On Tue, 28 Oct 2003 10:13:32 -0500, "Lanwench [MVP -
Exchange]"
 
Maybe I'm misunderstanding what you last wrote, but ICF doesn't block
outbound anything as far as I'm aware - so the machine with ICF enabled
should *always* be able to communicate with the other workstations, right?

I haven't played with ICF much, and I do know it's specific to the network
connection itself - wouldn't have thought that the IP address itself would
make a difference - on a PPP connection or any DHCP one, it doesn't seem to
disable.


 
Thanks for the clarification. You are correct that ICF
doesn't block outbound. It does, however, drop incoming LAN
packets. My observation showed that after changing the host's
IP address, ICF will resume receiving incoming LAN packets
again.

I am hoping someone who is working in the field or has
the experience can confirm whether this is by design or
actually something unexpected. Knowing that will make us
more comfortable with the workaround that we have.

Thanks,
MC

On Fri, 31 Oct 2003 18:02:08 -0500, "Lanwench [MVP -
Exchange]"
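A check for the question raised in this thread, as an added example that is not part of the original posts: ICF can record dropped packets in its security log, and counting DROP records per destination address shows whether inbound LAN traffic is still being discarded after the host's address changes. The log text, the addresses and the function names below are constructed for illustration; the column names follow the log's `#Fields` header.

```python
import ipaddress
from collections import Counter

# Constructed sample in the ICF security-log layout; all addresses are made up.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-10-27 09:14:02 DROP ICMP 192.168.1.20 192.168.1.50 - - 60 - - - - 8 0 -
2003-10-27 09:14:03 DROP ICMP 192.168.1.20 192.168.1.50 - - 60 - - - - 8 0 -
2003-10-27 09:15:10 DROP TCP 192.168.1.30 192.168.1.50 1045 445 48 S 39281 0 16384 - - -
2003-10-27 09:16:00 OPEN TCP 192.168.1.50 192.168.1.10 1060 80 - - - - - - - -
2003-10-27 09:31:44 OPEN TCP 192.168.1.51 192.168.1.10 1071 80 - - - - - - - -
"""

def parse_icf_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records

def inbound_lan_drops(records, host_ips, lan_cidr):
    """Count DROP records per host address whose source lies inside the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    drops = Counter({ip: 0 for ip in host_ips})
    for r in records:
        if r["action"] != "DROP" or r["dst-ip"] not in drops:
            continue
        try:
            src = ipaddress.ip_address(r["src-ip"])
        except ValueError:
            continue  # malformed source address in the log line
        if src in lan:
            drops[r["dst-ip"]] += 1
    return dict(drops)

if __name__ == "__main__":
    old_ip, new_ip = "192.168.1.50", "192.168.1.51"  # assumed before/after addresses
    print(inbound_lan_drops(parse_icf_log(SAMPLE_LOG), [old_ip, new_ip], "192.168.1.0/24"))
```

A zero count for the new address while LAN hosts can still reach the machine means the log shows no filtering on that address; it does not by itself say why.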
 