Firewall software became standard software used in any modern computer system. And due to a big number of vulnerabilities Windows computers which are not protected by firewalls are likely to be remotely exploited.
Windows XP and 2003 are shipped with a basic firewall which is quite sufficient for most uses. However, sometimes more features is required from firewall software. For example an admin is trying to offer a solution for firewalling here, still he wishes for a better solution. WIPFW could be a solution for him.
WIPFW may come in handy when an advanced firewall for servers or clients is required. WIPFW is compatible with Windows 2000/XP/2003.
WIPFW is a Windows version of IPFW. IPFW is a well-known firewall software used in BSD UNIX-like systems.
There is a number of advantages of using WIPFW:
- WIPFW is a command line application so it can be easily controlled via telnet, SSH or RDP.
- WIPFW does not require any additional software installed. You don’t need .Net framework or anything else.
- WIPFW uses basic text files to store its configs. These files can be easily edited using your favorite text editor. No need for monstrous configuration utilities, web browsers or anything else.
- It is very easy to clone firewall configs between systems. Just copy text configuration files and thats it.
- It is a really small application. The basic distribution of WIPFW is only around 300KBytes. Additional rules management GUI is another 4 MBytes (it is not required for WIPFW operation).
- WIPFW allows defining rules on incoming and outgoing traffic for specific hosts, subnets, ports, protocols.
- WIPFW supports keep-state and other packet tags.
- Plus WIPFW has built-in accounting system so you could possibly collect reports on amount of traffic users generate.
- WIPFW does not interfere with any application operation, e.g. it won’t try to scan your mail or block banners and scripts.
Here is a small guide on how to use WIPFW.
1. You can download latest version of software from WIPFW download page. I suggest downloading stable version of the firewall. You can download any version of GUI frontend as it is not critical for operation of the firewall.
2. Unzip firewall package into a convenient location on your hard disk, e.g. C:\WIPFW\ (Lets assume that we ll use C:\WIPFW\ as the install folder for WIPFW)
3. You have to decide which basic policy you would prefer: Deny all or Allow All. Deny policy is better for higher security.
4. In case you want to deploy deny all policy execute install-deny.cmd . To deploy Allow All policy execute install.cmd .
5. In a couple of seconds WIPFW will be installed and fully functional. All settings will be stored in C:\WIPFW\rc.fw text file.
6. You can open rc.fw with your favorite text editor and edit it to your liking. Here is a small rc.fw script that can be used to protect a webserver (it still offers RDP, http and FTP access, please read documentation for more examples):
# it is a script which modifies default “deny all” policy
# First flush the firewall rules
./ipfw -q -f flush
$cmd 00100 allow ip from any to any via lo*
$cmd 00110 deny log ip from any to 127.0.0.0/8 in
$cmd 00120 deny log ip from 127.0.0.0/8 to any in
$cmd 00220 check-state
$cmd 00420 count log ip from any to any
$cmd 00421 allow tcp from any to me 80
$cmd 00422 allow tcp from any to me 3389
$cmd 00423 allow tcp from me 80 to any
$cmd 00424 allow tcp from me 3389 to any
$cmd 00425 allow tcp from me 21 to any
$cmd 00426 allow tcp from any to me 21
$cmd 00427 allow tcp from me 20 to any
$cmd 00428 allow tcp from any to me 20
7. In order to load edited rc.fw please execute C:\WIPFW\config.cmd and WIPFW will be reloaded. Please dont do this over RDP connection or you might end up locked out from your server. If you are managing your server from remote you might reboot your server so that new rules work.
I ve used WIPFW for a while now and it is a great tool. It is better than Symantec Corporate Firewall(used on Windows Gateways), simpler than CheckPoint (ok, ok, CheckPoint is powerful, but it is still too messy plus it used to have complicated licensing procedure).
I think Windows Longhorn Server in Core Mode (the setup is described by Brien M.Posey) and WIPFW would make a great tandem.