Another common complaint is that firewalls sometimes block IM and other peer-to-peer applications. With ICF, you must remember to open ports for services that need inbound connectivity. For example, you can open a Windows Messenger session without firewall intervention, but if you try to initiate a file transfer session, ICF will block the action. When it blocks such activity, ICF provides no alert; it only writes an event in the firewall log. To use Windows Messenger to transfer files, you must add a service that lets TCP and UDP access internal and external ports 6891 through 6900. Also, when ICF is enabled, you can't use some services that generate dynamic inbound port mappings in a way that ICF doesn't expect or can't handle. To test any connection problem and determine whether ICF is involved, temporarily disable ICF, wait a few minutes, then retry the connection.
Third-Party Interactions
Microsoft created the ICS/ICF API to let third-party applications query the firewall's network status on each connection and even enable or disable the firewall's protection of a particular network connection. Microsoft's ICS/ICF API lets applications such as Windows Messenger, Remote Assistance, Windows Update, and Help and Support Center work seamlessly through the firewall. Some in the security field are rightly concerned that this API might afford malware the same courtesy...
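Because the same API that lets Windows Messenger through can also switch ICF off, the defensive counterpart is to audit it. The PowerShell script below is an added example (not code from the article or from Microsoft) that reads the ICS/ICF COM object (HNetCfg.HNetShare) to report which connections still have ICF enabled and which inbound port mappings are open, flagging any outside the article's 6891 through 6900 Messenger range; it assumes Windows XP or Server 2003 with that type library present and the allow-list of ports is a constructed value.

```powershell
# Added example: audit ICF state and inbound port mappings via the ICS/ICF COM API.
# Assumes Windows XP / Server 2003 with HNetCfg.HNetShare registered; run elevated.

$mgr = New-Object -ComObject HNetCfg.HNetShare
if (-not $mgr.SharingInstalled) {
    Write-Warning "ICS/ICF is not installed on this system"
    return
}

# Constructed allow-list: the external ports the article says Messenger file
# transfer needs. Anything else that is open gets flagged for review.
$allowedPorts = 6891..6900

foreach ($conn in $mgr.EnumEveryConnection) {
    $props = $mgr.NetConnectionProps($conn)
    $cfg   = $mgr.INetSharingConfigurationForINetConnection($conn)

    # InternetFirewallEnabled is the property a third-party program toggles with
    # EnableInternetFirewall / DisableInternetFirewall, so it is what to watch.
    $state = if ($cfg.InternetFirewallEnabled) { 'ICF ON' } else { 'ICF OFF' }
    Write-Output ("{0,-40} {1}" -f $props.Name, $state)

    # ICSSC_ENABLED = 1: enumerate only mappings that currently open an inbound port.
    foreach ($map in $cfg.EnumPortMappings(1)) {
        $p = $map.Properties
        $proto = switch ($p.IPProtocol) { 6 { 'TCP' } 17 { 'UDP' } default { "proto $_" } }
        $flag  = if ($allowedPorts -contains [int]$p.ExternalPort) { '' } else { '  <-- not in allow-list' }
        $line  = "    {0,-30} {1,-4} ext {2,5} -> {3}:{4}{5}" -f $p.Name, $proto, $p.ExternalPort, $p.TargetIPAddress, $p.InternalPort, $flag
        Write-Output $line
    }
}
```

Run it from a scheduled task and diff the output against a known-good baseline; a connection that drops to "ICF OFF" or a flagged mapping is the event ICF itself never alerts on.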
I'm always troubled when supposed networking professionals recommend this. The ICMP Ping packet is not an optional feature. Disabling this breaks a number of things in fundamental ways. The most obvious and easily explained breakage is DHCP. Many DHCP servers will periodically ping leased addresses and, if the ping fails, put the address back into the lease pool.
Brian Gallew September 09, 2003