The wipfw Configuration File, and More

Posted on Sunday 14 January 2007

I installed wipfw today, because I needed a simple Windows firewall that could do egress filtering to block traffic to certain external IP addresses, and with my Windows XP SP1 setup, that’s just not possible. SP2 adds some better outgoing filtering to the firewall, but you still can’t just plug in an IP address.

But after installing wipfw, I just couldn’t find the config file. The install.cmd installer said, at the very end:

SUCCESS. Default action is ALLOW
Log files are located in C:\WINDOWS\security\logs
Change wipfw.conf file for your taste.

But I couldn’t find a file called wipfw.conf anywhere on my system, and the documentation online and in the zip archive didn’t mention anything about that file, which seems like one of the more important configuration items to mention.

I think the problem is that wipfw.conf was an old name, and they just haven’t updated everything. With the version I was running, there was a file called rc.fw in the archive, and the config.cmd script was pulling the firewall rules from it.

I haven’t confirmed it with a reboot or anything, but I’m 99% sure that’s the right configuration file to use. I should have unzipped the wipfw directory to some place more permanent than my desktop, I realize now, but I can get to that later. So the configuration file you want is rc.fw in the unzipped directory.

And then, for some reason, I couldn’t add new rules from the command line to test them. I just kept getting this error:

error 64: bad arguments, for usage summary “ipfw” (win32: 0)

I triple-checked my command from the usage summary it was speaking so highly about, but everything looked right. And, sure enough, when I put the command in the rc.fw file and re-ran config.cmd, the rule showed up in ipfw show, so it worked just fine. I don’t know why it didn’t work from the command line, but I guess that’s just a benign side effect of not knowing anything about ipfw.

wipfw seems to play nicely with the XP SP1 firewall. The ports that I had opened in there are still open, which is good — I guess that’s what I get for choosing the “allow” config instead of the “deny” config. And my outgoing traffic block is working perfectly.

I had to change the default rules a little, though. The defaults had this:

00320 allow ip from me to any keep-state out
00420 count log ip from any to any

That second rule was just logging way too much. It included any traffic being allowed from other machines to me, and included traffic from other machines on my network to each other and the Internet (since my Windows machine is acting as a router for both my wired and wireless networks, there’s a lot of that.)
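
Why rule 00420 catches so much, shown as a small first-match model of the two default rules. This is an added example, not code from the original post or from wipfw. The addresses and sample traffic are constructed, and the dynamic state is simplified to an address pair.

```python
# Added illustration: a tiny first-match model of the two default rules quoted
# above. Addresses are constructed sample values (RFC 5737 / RFC 1918 ranges).
ME = "192.0.2.10"  # assumed address of the Windows host running wipfw

def evaluate(passes, me=ME):
    """Run each (src, dst, direction) pass through rules 320 and 420.

    Returns a list of (src, dst, direction, deciding_rule, logged).
    Simplification: dynamic state is keyed on the address pair only; real
    ipfw also keys on protocol and ports.
    """
    states = set()   # dynamic rules installed by keep-state
    results = []
    for src, dst, direction in passes:
        flow = frozenset((src, dst))
        # 00320 allow ip from me to any keep-state out
        # ipfw consults the dynamic rules at the first keep-state rule, so
        # replies to flows this host opened are accepted here as well.
        if flow in states:
            results.append((src, dst, direction, 320, False))
            continue
        if src == me and direction == "out":
            states.add(flow)
            results.append((src, dst, direction, 320, False))
            continue
        # 00420 count log ip from any to any
        # "count" never ends the search: it logs, then the packet falls through
        # to ipfw's default rule (65535), which the installer set to allow.
        results.append((src, dst, direction, 65535, True))
    return results

SAMPLE = [  # constructed traffic
    (ME, "198.51.100.7", "out"),             # this host opens a connection
    ("198.51.100.7", ME, "in"),              # reply to that connection
    ("203.0.113.9", ME, "in"),               # unsolicited inbound to this host
    ("192.168.0.20", "198.51.100.7", "in"),  # LAN client being routed out
    ("192.168.0.20", "192.168.0.30", "in"),  # LAN client to another LAN client
]

def logged_passes(passes=SAMPLE):
    """Return the (src, dst, direction) passes that rule 420 would log."""
    return [r[:3] for r in evaluate(passes) if r[4]]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

Only the host's own outgoing flows and their replies stop at rule 00320; everything else reaches the log rule.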

But now, 30 minutes into wipfw, everything seems good. Eventually I’d like to turn off the Windows Firewall completely, since it does occasionally turn off incoming ports (and, when it turns off incoming SSH, makes it impossible to fix remotely), but we’ll see if this is trustworthy enough for that.
