Set Up a Firewall


Overview


A firewall restricts which network connections can reach your computer, so worms, port scans and other network-borne attacks are blocked before they reach a listening service; antivirus software covers the malware that arrives by other routes. The UCSD Minimum Network Connection Standards require both firewall and antivirus protection for any device connected to UC San Diego's network. Regular backups and prompt installation of security patches complete the baseline protection for your system.


Critical Concepts


Network Firewall Service

The UCSD ITS Security office provides a managed network firewall service that lets departmental IT staff centrally manage network security for all systems within their units. The network firewall service supplements, rather than replaces, the host-based firewall enabled on each computer. Check with your local IT support contact regarding access to the network firewall service. If you do not have local IT support, contact the IT Service Desk or send an email to firewall@ucsd.edu for support.

Host-based Firewalls

Follow the instructions below for your operating system to set up a host-based firewall:


Steps to Take


Windows 7 Basic

After initial configuration, the advanced settings instructions provide information about creating exceptions for additional services.

  1. Set up system and security settings
    1. From the Start menu, click Control Panel, then click System and Security
    2. Under Windows Firewall, select either Check firewall status to determine whether the firewall is turned on or off, or Allow a program through Windows Firewall to allow a blocked program through the firewall
  2. Select program features
    1. Click Turn Windows Firewall on or off from the left side menu
    2. Configure the settings for your home/work (private) or public network
    3. Click OK to save your changes
  3. Choose firewall settings for different network location types
    1. Turn on Windows Firewall for each network location you use - Home or work (private) or Public
      1. Click What are network locations? for more information on network types
      2. Domain network locations are controlled by your network administrator and can't be selected or changed
    2. Select Turn on Windows Firewall under each applicable network location type (both Home or work and Public should be on)
    3. Select Notify me when Windows Firewall blocks a new program for each network type, if the box is not already checked
    4. Click OK to save your changes

Windows 7 Advanced

Before starting, make sure only one host-based firewall is active on the machine: if you install third-party firewall software, disable any other firewall first, including the Windows 7 firewall, so the two do not conflict. Do not install or reconfigure a firewall over Remote Desktop Connection (RDC) or a similar program. Work from the console of the Windows machine, install the firewall, configure it to allow connections to and from RDC, and only then reconnect over RDC. Otherwise the new firewall blocks the remote connection and you lose access to your machine.

  1. Choose security settings.
    1. When a program first tries to accept incoming connections, the firewall blocks it and asks you what to do. Click Allow Access only if you know the program and expect it to receive connections; otherwise click Cancel to keep it blocked. To change a decision later, follow the steps below.
  2. Manually allow programs through firewall.
    1. To manually allow a program through the firewall, open the Control Panel from the Start menu
    2. Select System and Security, then select Windows Firewall
    3. Click Allow a program or feature through Windows Firewall in the left column of the window
    4. Click the Change settings button in the Allowed Programs window
    5. Check the program or feature and choose the network types it may receive connections on: home/work (private), public, or both
    6. Click OK to save your changes
  3. Create a rule to enable services
    1. Create rule type:
      1. Click Advanced settings
      2. Select Inbound Rules in the left column
      3. Select New Rule on the right side of the window
      4. Select Port in the New Inbound Rule Wizard and then click Next
    2. Specify rule protocols and ports:
      1. Select TCP or UDP (which protocol this rule will apply to)
      2. Select Specific local ports, type a port number (80), port numbers (80,81), or a range of port numbers (5000-5010), then click Next
    3. Specify rule actions:
      1. Select Allow the connection and click Next
    4. Specify rule profiles:
      1. Select when this rule applies based on your profiles
        • To learn more about profiles, click Learn more about profiles located in the lower half of the window
      2. Select all of the profiles (Domain, Private, Public) only if the service must accept connections no matter which network you are on. Including Public exposes the port on untrusted networks such as public Wi-Fi, so leave it unchecked unless that is intended
      3. Click Next
    5. Specify rule name
      1. Give this rule a descriptive name that states the service and port (for example, the service name followed by the protocol and port number)
      2. Click Finish to add the new rule
  4. Enable logging to view denied incoming connections
    1. Click Advanced Settings on the left-hand side of Windows Firewall, then click Windows Firewall Properties in the Actions pane
    2. Click the Public Profile tab
    3. Click the Customize button next to Logging
    4. Customize logging settings:
      1. Click the pull-down menu for Log dropped packets and change it to Yes
      2. Note the log file shown in the Name field (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log); this is where blocked connections are recorded
      3. Click OK, click Apply, and click OK
    5. Repeat steps 2 through 4 on the Domain Profile and Private Profile tabs if you also want dropped packets logged on those networks
  5. Ensure the firewall is enabled
    1. From the Control Panel, click System and Security
    2. Click Check firewall status under Windows Firewall and confirm that each network location you use reports the firewall as On
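The Windows 7 Basic and Advanced steps above can also be done from the command line, which is useful when you manage more than one machine or want to verify the result. The following is an added example written for this page, not a UC San Diego script, using the netsh advfirewall tool built into Windows 7, run from a PowerShell prompt started with Run as administrator. The rule name, the choice of TCP port 80, the Domain and Private profiles, and the 4 MB log size are assumptions for the example; the log field layout is the W3C format Windows Firewall writes by default.

```powershell
# Added example for this page (not UC San Diego's own script).
# Run from an elevated PowerShell prompt on Windows 7; netsh advfirewall
# is built in. The rule name, port, profiles and log size are assumptions.

# Basic step 1: check firewall status for every profile (Domain, Private, Public).
netsh advfirewall show allprofiles state

# Basic steps 2-3: turn Windows Firewall on for all network locations and keep
# the "Notify me when Windows Firewall blocks a new program" prompt enabled.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles settings inboundusernotification enable

# Advanced step 3: same rule the New Inbound Rule Wizard creates.
# TCP, specific local port 80, Allow the connection, Domain and Private only
# (Public is left out so the service is not exposed on untrusted networks).
$ruleName = "AllowTCP80_ExampleWebService"   # assumed name, no spaces for netsh
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    protocol=TCP localport=80 profile=domain,private

# Review the rule before trusting it: confirm direction, action and profiles.
netsh advfirewall firewall show rule name=$ruleName

# Advanced step 4: log dropped packets. The page enables this for the Public
# profile only; "allprofiles" records blocked inbound connections everywhere.
# Default log file: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 4096   # KB

# Advanced step 5 equivalent: confirm every profile now reports State ON.
netsh advfirewall show allprofiles state

# Summarize denied incoming connections from the log. Each non-comment line is
# space-separated W3C format: date time action protocol src-ip dst-ip src-port
# dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
# (path is RECEIVE for inbound traffic, SEND for outbound).
$log = Join-Path $env:SystemRoot "System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    Get-Content $log |
        Where-Object { $_ -notmatch '^#' -and $_ -match '\sDROP\s' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f[-1] -eq 'RECEIVE') {
                # Inbound drop: who tried to reach which local port.
                New-Object PSObject -Property @{
                    Protocol = $f[3]; Source = $f[4]; DestPort = $f[7]
                }
            }
        } |
        Group-Object Source, DestPort |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
} else {
    Write-Warning "No log at $log yet; entries appear after the first dropped packet."
}
```

The summary at the end is the check a practitioner wants after enabling logging: repeated drops from one source against many ports indicate a scan, while repeated drops against a single port you expected to be open mean the rule's profile does not match the network you are currently connected to.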

Mac OS X (10.2.x - 10.5.x)

On Mac OS X 10.2 through 10.4 the firewall is configured from the Sharing pane as described below. On 10.5 the Firewall tab moved to the Security pane; the remaining steps are the same.

  1. Open System Preferences
    1. Open the Apple menu, and select System Preferences...
    2. Click the Sharing icon in the "Internet & Network" area of the pane, or open the "View" menu at the top of the screen, and select Sharing
  2. Activate the firewall
    1. Click the Firewall tab
    2. Find the words "Firewall On" or "Firewall Off" on the left side of the pane, under the tabs
    3. If you see a "Start" button underneath, click it to activate the firewall. If you see a Stop button, the firewall is already active
    4. If the Start button is gray and you can't click it, click the lock icon at the bottom of the pane, and enter your password when prompted
  3. Create exceptions for certain programs or services
    1. Mac OS X automatically opens ports for all services checked on the Services tab. If you run services like Retrospect Backup or iTunes Music Sharing on your computer, open additional ports in your firewall to create exceptions and let these services through. If you do not need additional open ports, close the Sharing pane to save your changes
    2. To make additional changes, keep the Sharing pane under the Firewall tab open, and click the New... button
  4. Finish and save your changes
    1. Select the service you wish to add from the Port Name: drop-down menu
    2. If you don't see the needed port name, select Other from the drop-down menu. Enter the port number in the Port Number, Range, or Series: field, and enter a description of the additional service in the Description: field
    3. Click OK to add the new exception to the firewall
    4. Close the Sharing pane to save your changes

Mac OS X (10.6.x or greater)

  1. Open System Preferences
    1. Open the Apple menu, and select System Preferences…
    2. Click the Security & Privacy icon (named Security on 10.6) in the System Preferences window.
  2. Activate the firewall
    1. Click the Firewall tab.
    2. If the Turn On Firewall button is gray and you can't click it, click the lock icon at the bottom of the window and enter your administrator password when prompted.
    3. Click the Turn On Firewall button.
    4. Click the Advanced button (Firewall Options on 10.7 and later).
    5. Select the desired firewall configuration.
    6. Click OK.
    7. Close the Security & Privacy pane to save your selections.
  3. Create program exceptions
    1. Click the Firewall tab in Security & Privacy.
    2. Click the Firewall Options button.
    3. Click the + symbol.
    4. Find the program that you'd like to add as an exception.
    5. Click the Add button.
    6. Repeat the above steps for each program you'd like to add to the exceptions list.
    7. Set whether to Allow incoming connections or Block incoming connections for the programs in your list by clicking the up or down arrows to the far right of the program name, then selecting the appropriate option.
    8. Click OK.
    9. Close the Security & Privacy pane to save your selections.

UC San Diego does not officially recommend any exceptions, and university programs are not affected by allowing none. Exceptions matter only for programs that accept incoming connections. For example, a user who shares music from iTunes must add iTunes to the exceptions list and set it to Allow incoming connections; otherwise, with the firewall on, other people cannot connect to or listen to the shared music.

If you still have questions or need additional assistance, please submit a ticket or call the ITS Service Desk at (858) 246-4357