Internet Connection Firewall

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Internet Connection Firewall

A firewall is a security system that acts as a protective boundary between a network and the outside world. Internet Connection Firewall (ICF) is firewall software that is used to set restrictions on what traffic is allowed to enter your network from the Internet. ICF protects your network against external threats by allowing safe network traffic to pass through the firewall into your network, while denying the entrance of unsafe traffic.

If your network uses Internet Connection Sharing (ICS) to provide shared Internet access to multiple computers, ICF should be enabled on the shared Internet connection.

Shared Internet connection protected by ICF

Additionally, you should enable ICF on the Internet connection of any computer that is connected directly to the Internet. ICF can provide protection to a single computer connected to the Internet with a cable modem, a DSL adapter or modem, or a dial-up modem. You should not enable ICF on VPN connections because it will interfere with the operation of file sharing and other VPN functions.

When ICF has been enabled on a network connection, the following network connection icon appears in Network Connections: Firewalled connection icon. To check to see whether ICF is enabled, or to enable ICF, see Enable or disable ICF. For information about using ICF, see Protecting your home or small office network using Internet Connection Firewall.

How ICF works

ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer. When used in conjunction with ICS, ICF tracks all traffic that has originated from the ICF/ICS computer and all traffic that has originated from private network computers. All inbound traffic from the Internet is compared against entries in the table. Inbound Internet traffic is allowed to reach the computers in your network only when there is a matching entry in the table that shows that the communication exchange originated from your computer or private network.

To thwart common hacking attempts, such as port scanning, communications that originate from the Internet are dropped by the firewall. Rather than sending you notifications about firewall activity, ICF silently discards unsolicited communications, because such notifications could be sent frequently enough to become a distraction. Instead, ICF creates a security log to track this activity. For more information, see Internet Connection Firewall security log.

Services can be configured to allow unsolicited traffic from the Internet to be forwarded by the ICF computer to the private network. For example, if you are hosting an HTTP Web server service, and the HTTP service is enabled on your ICF computer, unsolicited HTTP traffic will be forwarded by the ICF computer. A set of operational information, known as a service definition, is required by ICF to allow the unsolicited Internet traffic to be forwarded to the Web server on your private network. Service definitions for ICF work on a per connection basis. If your network has multiple firewall connections, you should configure service definitions on all firewall connections. For information about service definitions, see Service definitions for Internet Connection Firewall and Internet Connection Sharing. For information about adding and editing service definitions, see Manage service definitions for ICF or ICS.

Note

  • Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.

  • Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.

  • This topic applies only to product features available in the original release of Windows Server 2003.