General discussion

XP Firewall - is it permanent protection?

Does the firewall provided with XP provide permanent protection, or does it need to be updated/upgraded? I have been told that it will not protect against new threats, and that I should get a router (even though I have only one computer) that will constantly update the protection level.

Can I feel safe using the existing XP firewall, or should I invest in a router or some other updateable firewall system?

I'd really appreciate any advice anyone could offer.


Re: XP Firewall - is it permanent protection?

Here's the problem. "Firewall" is not a defined item. For some, only one that does stateful inspection will meet their definition of a proper firewall. Microsoft's definition blocks unsolicited incoming packets and doesn't block (in its defaults) outgoing packets.

It's a very deep subject, but the stock firewall would have done much to quell past plagues. And still will.


Re: XP Firewall - is it permanent protection?

The XP Firewall isn't the greatest in the world, but the improvements made in SP2 (you have downloaded and installed SP2, right?) bring it to a new level, but you'd still be better off with a freeware firewall like Outpost.

But whoever has been talking in your ear is full of crap to put it bluntly. Even routers need firmware updates to update the firewall software. But generally all a firewall does is allow or block traffic, be it incoming or outgoing. If you've set up a firewall correctly, and it drops all packets coming in on ports not being used by some app on your system, you shouldn't ever need to update it.

Re: XP Firewall - is it permanent protection?

Most routers, even without a "firewall" built in, have NAT and also usually do not respond to port requests from the outside WAN. This stops hackers from "seeing" a computer at your IP address. Without an outgoing firewall, it acts much the same as a Windows ICF would running on your computer.
The difference is this, a software firewall can be taken down by software, corruption or user error.
The router just sits there and does its job.
You can pick up a router for 40.00, so my opinion is get a router and you won't have any extra software running on your machine.

If you want to configure a firewall for outgoing traffic as well as incoming you can run software.

Re: XP Firewall - is it permanent protection?

NAT is security through obscurity, and you REALLY don't want to rely on it as your only line of defense.

Just as an example... A guy working at Bell Labs devised a way to figure out how many computers were connected to a router via NAT, based on traffic patterns. This can be used by companies that have a contractual clause about having more than one computer hooked to the Internet. It could also be used by would-be hackers.

Besides, all they need to do is get a connection into the router, then scan a very small subset of IP addresses. Typically either 192.168.*.* or 10.0.*.*. You can probably even limit it to 192.168.1/0.* and 10.0.1/0.* since people buying routers generally aren't going to have enough systems to fill even one of those subnets. All of which can be effectively port scanned in a matter of minutes.

In the end NAT is like hiding the key to your house under a rock by the porch. You're just hoping that no one thinks to look under that rock, kick it over, or whatever. It's foolish, it's stupid, and it's not something you should trust as your only defense.

Re: XP Firewall - is it permanent protection?


The routers I have used do not report to "port scans"
The ports are closed by default from the outside.
The NAT address ranges are not routable and therefore cannot be scanned from the outside across the router.

You would need to open a port to make the router let in traffic from the outside.

How would someone from the outside scan a non-routable IP?

Yes someone could look at patterns of web requests to see if more than one user is using the connection, but they still wouldn't know what the IP ranges were or which computer asked for the data unless the Router could be compromised.

A router is still better than someone that doesn't understand a firewall. If they turn off the software for any reason, they are vulnerable. They will not be turning off NAT or the router's blocked incoming ports by accident.
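
Added example, not part of any poster's reply: a toy Python model of the NAT translation table discussed in the posts above, showing why an unsolicited inbound packet has nowhere to go while a reply or an explicitly opened port is delivered. It assumes a router that filters inbound packets by remote address and port; the class, its methods, and all addresses and ports are constructed for illustration.

```python
# Toy model of a home NAT router (illustrative; not any vendor's firmware).
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    wan_ip: str
    # wan_port -> (lan_ip, lan_port): ports the owner opened by hand
    forwards: dict = field(default_factory=dict)
    # wan_port -> (lan_ip, lan_port, remote_ip, remote_port): live connections
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: record a mapping, rewrite the source."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.wan_ip, wan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """A packet hits the WAN side: return its LAN destination, or None if dropped."""
        entry = self.table.get(wan_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                  # reply to a connection the LAN host started
        if wan_port in self.forwards:
            return self.forwards[wan_port]    # owner explicitly opened this port
        return None                           # unsolicited: no mapping exists


def demo():
    # Constructed sample addresses (documentation and private ranges).
    router = NatRouter("203.0.113.10")
    src = router.outbound("192.168.1.100", 51000, "198.51.100.7", 80)
    results = {
        "reply": router.inbound("198.51.100.7", 80, src[1]),
        "unsolicited_445": router.inbound("198.51.100.99", 4444, 445),
        "stranger_on_mapped_port": router.inbound("198.51.100.99", 4444, src[1]),
    }
    # Opening a port is what lets outside traffic reach the PC.
    router.forwards[3389] = ("192.168.1.100", 3389)
    results["after_port_forward"] = router.inbound("198.51.100.99", 4444, 3389)
    return results


if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:26} -> {dest}")
```

The model covers only inbound delivery; it says nothing about outgoing traffic, which the router in this sketch always allows.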

The routers I have used do not report to "port scans"...

I had my Linksys report such for a long time. It was mostly out of wondering what was incoming. All I found was that the scanning PC was almost always a "PC" and in about 1/3 of the machines they had network shares where you could, if you wanted to, delete all the files on C:

It's surprising...


Re: The routers I have used do not report to "port scans"...

Are you saying that these routers can be scanned from the outside and get to the shared folders on the PCs?

Re: The routers I have used do not report to "port scans"...

No. But I was not amused that if you look at the machine that scanned you, an unbelievable percent had shared their C drive. It's 100% sure the poor devil (owner) was not behind a NAT router.


(NT) Oh I see...

Re: XP Firewall - is it permanent protection?

Cynthia: Go to On the menu on the left side is a link called "Download and buy". Click on it, in the next window, on the right, under Zone Alarm Security Suite, click on Zone Alarm.
This will give you a page where you can download the FREE version of Zone Alarm. Download and install it.
After that, you can go to their Forum and learn how to tweak it.
Then you can relax, knowing that your machine is protected from crackers.
