Starting the firewall involves activating IP packet filtering. This is done with the CFGFILT utility.
To start the firewall, use the command:
cfgfilt -u -i
(This command is explained in more detail below.)
Starting the firewall automatically
You can configure your system so that the firewall task will start automatically
when the system boots. The easiest way of doing this is to create or edit
the file
x:\TCPIP\BIN\TCPEXIT.CMD
where x is the drive letter of the volume on which TCP/IP is installed,
and add the line
CALL CFGFILT.EXE -u -i
This file will be called automatically by the TCP/IP startup routines when the system boots.
Note: If you wish to enable firewall logging, you should add the '-d' parameter to the CFGFILT command line. See the section Enabling logging for more information.
Detailed explanation
The above syntax for the CFGFILT command performs the following three actions, in this order:
1. Enabling the firewall. The firewall is controlled by a TCP/IP protocol setting which enables or disables it, and it must be enabled before the firewall will function. The '-u' parameter to CFGFILT automatically enables this setting if it is not already enabled.
2. Loading the filter rules. Filter rules specify the criteria by which TCP/IP traffic is permitted or denied by the firewall. If no rules are defined, the firewall's default behaviour is to deny all TCP/IP traffic, both inbound and outbound. The '-u' parameter to CFGFILT loads the filter rules from the rule configuration file into the filter driver. Because of the deny-all default, make sure the rule configuration file contains the rules you need before adding the command to the boot sequence; otherwise the system will come up with no usable TCP/IP connectivity.
3. Activating IP filtering. Once the firewall is enabled and filter rules have been loaded, the IP filtering task must be activated. The '-i' parameter to CFGFILT does this.
Each of these actions is explained more fully in a later part of this book.
Checking the current state
You can verify that filtering is active by running the CFGFILT command without any parameters. (As the output is quite lengthy, you will need to run the command from a prompt with scrollback capability, or else pipe the output through 'more'.)
If you issue the command
cfgfilt | more
you should see, near the top of the output, the heading 'Status of filter support code'. This should display the status 'active'. If it shows 'inactive', then IP filtering is not active, meaning that the firewall is not currently functioning, and you should run cfgfilt -u -i again and check the status once more.
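Scanning the CFGFILT output by eye at every boot is error-prone, so the following OS/2 REXX script automates the check described above. It is an added example, not part of the original documentation or of the TCP/IP product: it runs CFGFILT with no parameters, captures the output through RXQUEUE, locates the 'Status of filter support code' heading and reports whether the status is 'active' or 'inactive'. It assumes that the status word appears either on the heading line itself or on the line immediately following it; that layout is an assumption, as is the script name CHKFILT.CMD. It can be run by hand, or called from TCPEXIT.CMD after the CFGFILT -u -i line to confirm that the firewall really came up.

```rexx
/* CHKFILT.CMD - check whether IP filtering is active.
   Added example; not part of the TCP/IP product documentation.
   Assumption: the 'Status of filter support code' heading is followed,
   on the same line or the next one, by the word 'active' or 'inactive'.
   Exit codes: 0 = active, 1 = inactive, 2 = status not found. */

heading = 'Status of filter support code'

/* Run CFGFILT without parameters and queue its output (stderr included). */
address cmd 'cfgfilt 2>&1 | rxqueue'

found  = 0
status = ''
do while queued() > 0          /* drain the whole queue, even after a match */
   parse pull line
   if found & status = '' then
      status = FiltStatus(line)            /* status on the line after the heading */
   if pos(heading, line) > 0 then do
      found  = 1
      status = FiltStatus(line)            /* status on the heading line itself */
   end
end

select
   when status = 'ACTIVE' then do
      say 'IP filtering is active: the firewall is running.'
      exit 0
   end
   when status = 'INACTIVE' then do
      say 'IP filtering is INACTIVE: run CFGFILT -u -i to start the firewall.'
      exit 1
   end
   otherwise do
      say 'Could not find the' heading 'entry in the CFGFILT output.'
      exit 2
   end
end

/* Return 'ACTIVE' or 'INACTIVE' if either word appears in the text,
   otherwise ''.  Punctuation is turned into blanks first so that
   'active.' or 'status: active' are recognised; the check is exact,
   so 'inactive' is never mistaken for 'active'. */
FiltStatus: procedure
   parse arg text
   text = translate(text, ' ', ':.,;()[]')
   do i = 1 to words(text)
      w = translate(word(text, i))         /* upper-case the word */
      if w = 'ACTIVE' | w = 'INACTIVE' then return w
   end
   return ''
```

Place the script in a directory on the PATH and run it as CHKFILT from an OS/2 command prompt. When called from TCPEXIT.CMD with CALL CHKFILT.CMD, the exit code can be tested with IF ERRORLEVEL 1 to log a warning if the firewall did not start.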