Choose the best firewall, then scroll down to learn how to set it up. (The links below will take you to the respective firewall vendor's site.) (Updated June 2004)
ZoneAlarm (new 06/04): novice-friendly firewall includes a mail-scanning feature that quarantines dangerous Visual Basic Script (.vbs) attachments; 3.6MB. www.zonelabs.com
Kerio Personal Firewall (new 06/04): the perfect firewall freebie for power users lets you fine-tune application rules to restrict access to and from specific IP addresses and ports; 2MB. (more info: www.kerio.com)
Sygate Personal Firewall (new): no-frills interface provides fine-grained control over how and when applications can connect to remote servers. www.sygate.com
Outpost Firewall Free (new): a no-cost firewall brims with extra features, including ad and pop-up blockers, Web site content filtering, mail attachment filtering, and a surf-speeding DNS cache; 2.5MB. www.agnitum.com
Be sure to check out your chosen firewall's security level using one of the links on our Security Test Page!
Ultimate Network Security: How to Install a Firewall
Everything you need to know about selecting and installing a firewall for your PC or network.
Scott Spanbauer
From PC World magazine
Connecting your naked PC to the Internet is like
leaving your house unlocked--eventually, someone will wander in, rifle
your underwear drawer, and empty the jewelry case. To make your system's
points of entry more Net secure, install one of the many free software
firewalls now available, and set up a hardware-based firewall for
backup.
Firewalls are difficult to understand and
configure, even for experienced computer users. If you've been putting
off installing a firewall, or if you aren't sure how to determine
whether your firewall is protecting you fully, I'm here to explain it
all.
According to Merriam-Webster, the original
meaning of fire wall was "a wall constructed to prevent the
spread of fire." Computer firewalls are constructed to prevent unwanted
intrusions from the Internet into your PC. But unlike fire, Net threats
don't leap onto your machine through mere proximity. They arise when
someone exploits a combination of your PC's unique IP (Internet
protocol) address and one or more of the thousands of TCP (transmission
control protocol) and UDP (user datagram protocol) ports that serve
as the door to your system.
Anytime you use a browser, an e-mail program, or
other software to retrieve information from a Web site, ISP, or remote
server, the data flows through one or more of these ports. Whether the
malefactor is a teenage hacker trying to access your PC, a bit of
spyware attempting to talk to a remote server, or a Windows XP Messenger
Service spam pop-up, their strategy is the same: Find an open port
leading into your PC, or trick your system into opening one.
Firewalls watch these thousands of ports--present
in both dial-up and broadband Internet connections--and deny access to
unauthorized traffic. Hardware-based firewalls are usually integrated
into router and gateway products and sit between your PC and a cable or
DSL modem. Software-based firewalls run on your PC. Hardware firewalls
are great for protecting a network of PCs that share a broadband
connection.
More important than the router's actual firewall,
however, is the fact that it usually incorporates a NAT (network
address translation) server that hides your networked computers' IP
addresses (and thus, their existence) from anyone outside the local
network.
For this reason alone, a hardware firewall is a
wise investment for broadband users, even those who have only one
computer. You can obtain a four-port cable/DSL router such as Linksys's
BEFSR41 or D-Link's DI-704P for just $40 to $50, and models that include
a wireless access point cost only a bit more (PC World's Product
Finder page lists a number of
routers that are currently available ).
A Firewall on Every PC
Hardware routers are highly configurable: You can
usually set them to block all incoming and outgoing traffic except
through a few key ports you designate. Programming an external device to
protect your PC is a lot of work, however. Firewall software that runs
on your PC is easier to set up and maintain. Besides blocking uninvited
traffic at your ports, software firewalls can prevent programs that run
on your computer (including such malefactors as Trojan horses, spyware,
and backdoor software) from sending data to remote servers, and from
accepting incoming connections.
If you connect to the Internet exclusively
through a dial-up modem, an external, hardware-based firewall won't do
you much good. A software firewall is perfect for protecting a dial-up
connection. Windows XP users may be tempted to rely exclusively on the
operating system's integrated Internet Connection Firewall. To enable
it, click Start, Control Panel, Network Connections (in XP's
Category View, first click Network and Internet Connections).
Then right-click the Internet connection you want to protect, choose
Properties, Advanced, put a check next to the option Protect my
computer and network by limiting or preventing access to this computer
from the Internet, and click OK (see
FIGURE 1).
Withhold your sigh of relief, however. Though
it's better than no firewall at all--and compatible with any others you
may use--XP's firewall monitors incoming connections only. Should Back
Orifice, NetBus, or any other backdoor program find its way onto your
PC, XP's firewall will do nothing to stop it from granting scoundrels
remote access to your system.
Pick Your Freebie
I've used four no-cost firewalls on various PCs:
Kerio Personal Firewall 2; Outpost Firewall Free, from Agnitum Limited;
Sygate Personal Firewall 5.1; and Zone Labs' ZoneAlarm 3.7. Though they
differ in the features they offer and the help they provide, all of
these programs will stoutly defend your PC. A software firewall is easy
to install, but it requires a brief training period as the firewall
detects your browser, e-mail, network, and other programs that attempt
to connect with remote servers.
All four software firewalls pop up warning dialog
boxes when a program attempts to connect for the first time. You simply
click the button that permits or disallows the connection. Most also
provide an optional check box so you can turn your choice into a
permanent, automatic firewall rule (see
FIGURE 2). After you've gone about your usual online business for a
day or two, creating firewall rules along the way, you may not need to
interact with your firewall again until you add or upgrade an Internet
utility.
The trick to responding appropriately to firewall
warnings and creating effective rules is knowing which programs are safe
and which are not. You'll easily recognize many of the more-common
applications by name--Outlook, Internet Explorer, and Netscape, for
example. Other programs, however, aren't exactly household names. For
example, many of Windows XP's networking features are handled by a
program called svchost.exe, a fact that none of us should be expected to
know (though you do now). Conversely, spyware and other unwanted pests
may use safe-sounding or familiar names like "clever screensaver" that
entice you to grant them network access. What's a firewall jockey to do?
For starters, avoid the temptation to be lax. Instead, deny access to
any program that you're at all unsure about--you'll have plenty of
chances to change your mind later.
If your knowledge of which programs are safe is
shaky, choose a firewall that provides more information about the
program in question than just its file name. Kerio and Sygate don't
offer many hints as to whether a detected program is safe, and they
eschew nonfirewall bonus features. This arrangement may suit expert
users, but novices will benefit from a more informative firewall.
ZoneAlarm offers a bit more information about
detected programs, including a link in the warning dialog box to a
description of the program in question on Zone Labs' Web site (see
FIGURE 3). ZoneAlarm also preconfigures itself by default to permit
connections from Internet Explorer and Windows XP's svchost.exe
component, minimizing the number of decisions you'll need to make about
granting these applications Internet access.
Outpost's pop-up dialog box creates a permanent
rule for you by default, but you can opt out of the rule by clicking the
Allow once or Block once buttons instead. Despite being
laden with nifty features such as ad and pop-up blocking and e-mail
attachment protection, Outpost provides the same minimal information
about the detected program as do Kerio and Sygate.
Fine-Tuning Filters
Once you've completed the basic firewall
configuration, you may want to change, delete, or fine-tune the rules
you created. All four of these firewalls maintain a list of rules or
known programs.
Kerio:
Right-click the program's system tray icon and choose
Administration, Firewall, Advanced. In the list of known programs,
select the program whose filter rule you want to modify, and click
Edit to open the 'Filter rule' dialog box. To switch the program's
basic default status, select either Permit or Deny at the
bottom of the dialog box. Other options let you restrict the remote
server IP addresses and incoming and outgoing ports that the program
uses. If you know what those are and why you'd want to specify them,
you're probably reading this column just to see what errors it contains.
The rest of us can live with the default settings. Click OK to
save any changes.
Outpost:
Right-click the program's system tray icon and choose Options,
Application. Select a program in the list of blocked, partially
allowed, and trusted applications, and click Edit. Choose
Always block this app or Always trust this app to move it to
the appropriate category. Your best step, however, may be to select a
trusted application and move it to the partially blocked list (by
clicking Edit and choosing Create rules using preset, Browser,
for example); this maneuver grants the program Internet access, but
under a constrained set of rules. The browser rule set (Outpost also
comes with rules for e-mail, instant messaging, and other programs)
limits an app to the handful of inbound and outbound protocols (TCP or
UDP) and ports needed by a Web browser, thereby minimizing the damage a
malicious Web site or HTML e-mail message can do.
Sygate:
To change program rules, right-click Sygate's system tray icon and
choose Applications. In the list of known applications, right-click the
program whose rule you want to modify, and choose either Allow or Block.
Choosing Ask tells Sygate to prompt you to allow or deny Internet access
every time the program seeks it.
ZoneAlarm:
To modify program permissions, right-click the ZoneAlarm system tray
icon and choose Restore ZoneAlarm Control Center (or just switch
to it, if it's already running). Select Program Control on the
left, and then select the Programs tab at the upper-right. To
change one of the program's four settings (the ability to access remote
servers or to act as a server itself in both the Internet and Trusted
Zones), click the check mark (allowing access), the X (blocking access),
or the question mark (instructing ZoneAlarm to ask you each time the
program seeks access); then choose a new default action from the pop-up
menu.
Working With Windows Networks
Another setting you may want to change, or at
least check, is how your firewall works with networks of Windows PCs:
Kerio:
By default, this firewall disables Windows networking; enabling it
allows other PCs on the local Windows network to access your shared
folders and printers, but only after you have entered their IP
addresses. To allow access to a particular PC, right-click Kerio's
system-tray icon and choose Administration, Microsoft Networking.
To enter a single trusted address, click Add, select Single
address in the 'Address type' list, enter the allowed IP address in
the 'Host address' field, and click OK. If your Windows network
is shielded from the Internet by a router-based firewall that blocks the
Windows Networking UDP ports (137-139), you can safely allow any
computer on the local network to access your shared files and printers,
by unchecking From Trusted Addresses Only and clicking OK.
Outpost:
Right-click Outpost's system-tray icon, choose Options, System,
check Allow NetBios communication, and click OK. If your
computer connects directly to the Internet, leave this option unchecked
to avoid broadcasting your PC's existence beyond the firewall.
Sygate:
By default, Sygate allows other PCs on a Windows network to
browse--but not access--your files and printers. To enable sharing,
right-click the firewall's system tray icon and choose
Options, Network Neighborhood. From the drop-down list, select the
network interface you use to connect to the Windows network, check
Allow others to share my files and printer(s), and click OK.
Sygate's default setting allows only PCs on the local network to browse
and access your files and printers (choose the Security tab to
view this and other settings).
ZoneAlarm:
This firewall grants file and printer sharing access to trusted
computers by default--all you have to do is fill in the IP addresses of
those machines. To do so, right-click the ZoneAlarm system-tray icon and
choose Restore ZoneAlarm Control Center (or just switch to it, if
it's already running). Select Firewall on the left, and then
choose the Zones tab at the upper-right. Click Add, IP Address,
enter the IP address of the system you want to add to the Trusted Zone,
and click OK.
The following is from www.GRC.com:
Personal Internet Firewalls that really work!
If you've reached this point, you probably know more about Internet security and securing a Windows PC for safe Internet access than you ever thought you would. If you are using a single stand-alone PC for Internet access, the preceding pages will have equipped you to secure that machine without the need for any additional software. But if your needs are more complex, and especially if you do need to share files across the Internet, you will need some additional software to secure both ends of the Internet connection.
You need a Personal Internet Firewall if:
- Your computer's files need to be accessed remotely across the Internet.
- You are operating any sort of Internet server such as Personal Web Server.
- You use any sort of Internet-based remote control or remote access program such as PC Anywhere, Laplink, or Wingate.
- You want to properly and safely monitor your Internet connection for intrusion attempts.
- You want to preemptively protect yourself from compromise by "inside the wall" Trojan horse programs like NetBus and Back Orifice.
What's a Firewall?
You can probably guess what a firewall does just from its name. The idea is a simple one, which is why it works so well:
A firewall ABSOLUTELY ISOLATES your computer from the Internet using a "wall of code" that inspects each individual "packet" of data as it arrives at either side of the firewall — inbound to or outbound from your computer — to determine whether it should be allowed to pass or be blocked.
A firewall is a super cool idea. This is so true, that someday firewalls will be standard equipment on all PC's. There's no question about it.
In fact, the PC Industry press now reports that the next version of Microsoft Windows, codenamed "Whistler", will include a built-in firewall. However, its exact nature and capabilities are currently unknown.
But today, firewalls need to be added where needed — which is
pretty much everywhere.
The firewall concept is so exactly correct that the
term "firewall" has been badly abused by many weak "firewall
wanna-be" products in an attempt to trade on the power of the
concept. MANY, if not most, of the Evil Port Monitors I
discussed on the prior page try to pass themselves off as "high
security firewalls", yet not one of them is. Also, many
"Application-Based" firewalls provide poor protection against
malicious spyware.
How does a Firewall Work?
All internet communication is accomplished by the exchange of
individual "packets" of data. Each packet is transmitted by its
source machine toward its destination machine. Packets are the
fundamental unit of information flow across the Internet. Even
though we refer to "connections" between computers, this
"connection" is actually comprised of individual packets
travelling between those two "connected" machines. Essentially,
they "agree" that they're connected and each machine sends back
"acknowledgement packets" to let the sending machine know that
the data was received.
In order to reach its destination — whether it's another
computer two feet away or two continents distant — every
Internet packet must contain a destination address and port
number. And, so that the receiving computer knows who sent the
packet, every packet must also contain the IP address and a port
number of the originating machine. In other words, any packet
travelling the net contains — first and foremost — its complete
source and destination addresses. As we've seen earlier on this
site, an IP address always identifies a single machine on the
Internet and the port is associated with a particular service or
conversation happening on the machine.
Look what this means! . . .
Since the firewall software inspects each and every packet of
data as it arrives at your computer — BEFORE it's seen by any
other software running within your computer — the firewall
has total veto power over your computer's receipt of anything
from the Internet.
A TCP/IP port is only "open" on your computer if the first
arriving packet which requests the establishment of a connection
is answered by your computer. If the arriving packet is simply
ignored, that port of your computer will effectively disappear
from the Internet. No one and nothing can connect to it!
But the real power of a firewall is derived from its
ability to be selective about what it lets through and what it
blocks. Since every arriving packet must contain the correct IP
address of the sender's machine, (in order for the receiver to
send back a receipt acknowledgement) the firewall can be
selective about which packets are admitted and which are
dropped. It can "filter" the arriving packets based upon any
combination of the originating machine's IP address and port and
the destination machine's IP address and port.
So, for example, if you were running a web server and needed
to allow remote machines to connect to your machine on port 80
(http), the firewall could inspect every arriving packet and
only permit connection initiation on your port 80. New
connections would be denied on all other ports. Even if
your system were to inadvertently pick up a Trojan horse program
which opened a Trojan listening port to the outside world, no
passing Trojan scanner could detect or know of the Trojan's
existence since all attempts to contact the Trojan inside your
computer would be blocked by the firewall!
Or suppose that you wish to create a secure "tunnel" across
the Internet to allow your home and office computers to share
their files without any danger of unauthorized intrusion.
Firewall technology makes this possible and relatively simple.
You would instruct the firewall running on your office computer
to permit connections on the NetBIOS file sharing ports 137-139
only from the IP address of your home computer. The
firewall running on your home machine would similarly be
instructed to permit connections on ports 137-139 only from your
office machine's IP address. Thus, either machine can "see" the
other's NetBIOS ports, but no one else on the Internet can see
that either machine has established such a secure tunnel across
the Net.
But what about you originating your own connections to
other machines on the Internet? For example, when you surf the
web you need to connect to web servers that might have any
IP address. You wouldn't want all those to be blocked just
because you want to block everyone from getting into your
machine. It turns out that this is easy for a firewall too.
Since each end of an Internet connection is always acknowledging
the other end's data, every packet that flows between the two
machines has a bit set in it called the "ACK" bit. This bit says
that the packet is acknowledging the receipt of all
previous data. But this means that only the very first packet
which initiates a new connection would NOT be
acknowledging any previous data from the other machine. In other
words, a firewall can easily determine whether an arriving
packet is initiating a new connection, or continuing
an existing conversation. Packets arriving as part of an
established connection would be allowed to pass through the
firewall, but packets representing new connection attempts would
be discarded. Thus, a firewall can permit the establishment of
outbound connections while blocking any new connection attempts
from the outside.
Another example of the power of a high-quality firewall is
"application level" filtering and response: Most firewalls do
pretty much what I've explained above, and this affords
tremendous protection. But they don't attempt to "understand"
the data in the packets they're admitting or blocking. Their
"permit" or "deny" decisions are only based upon the source and
destination addresses. But an "application level" firewall
involves itself in the actual dialog taking place. For example,
we've seen that one of the biggest problems with Microsoft's
file and printer sharing is its lack of ability to prevent
password crackers from pounding away on a password until it's
broken. But an intelligent application level firewall can
monitor what's happening on port 139 (where password protection
occurs) and step in to completely block an offending remote
computer! It can automatically "black list" the originating IP
address to completely prevent any and all future access from
that outsider.
I hope I've conveyed some sense for the
powerful benefits and features created by firewalls. At a cost
ranging from $29 to $39 USD, these personal firewalls are a
terrific bargain! If you have also received the sense that this
can be very tricky stuff I'd have to agree.
For up-to-date information about actual software personal firewalls, please see our "LeakTest" firewall evaluation page!
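As an added illustration (constructed for this page, not code from GRC, PC World or any firewall vendor), the following Python toy models the packet-filter rules the GRC text describes: new inbound connections admitted only on published ports (the port-80 web server case), ACK-flagged packets admitted as continuations of a conversation, NetBIOS ports 137-139 reachable only from a designated peer address (the home/office tunnel, and the trusted-address setting in the Kerio and ZoneAlarm sections above), and an application-level rule that blacklists a source after repeated failed password attempts on port 139. The Packet fields, the auth_failed flag, and all addresses and ports are constructed sample values.

```python
# Toy stateless packet filter (constructed example, not GRC's or any vendor's code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"         # "tcp" or "udp"
    syn: bool = False          # TCP: asks to open a new connection
    ack: bool = False          # TCP: set on every packet after the first of a conversation
    auth_failed: bool = False  # constructed flag: a rejected file-sharing password attempt

@dataclass
class Firewall:
    open_ports: set = field(default_factory=set)     # services anyone may connect to, e.g. {80}
    trusted_peers: set = field(default_factory=set)  # addresses allowed on NetBIOS 137-139
    max_auth_failures: int = 3                       # application-level threshold for port 139
    failures: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def inbound(self, pkt):
        """Verdict ('pass' or 'drop') for one packet arriving from the Internet."""
        if pkt.src_ip in self.blacklist:
            return "drop"
        if pkt.dst_port in (137, 138, 139):
            # NetBIOS: only the designated peer (home/office tunnel) or an
            # explicitly published port gets through at all.
            if pkt.src_ip not in self.trusted_peers and pkt.dst_port not in self.open_ports:
                return "drop"
            if pkt.dst_port == 139 and pkt.auth_failed:
                # Application-level rule: watch the password dialog on 139 and
                # blacklist a source that keeps failing.
                n = self.failures.get(pkt.src_ip, 0) + 1
                self.failures[pkt.src_ip] = n
                if n >= self.max_auth_failures:
                    self.blacklist.add(pkt.src_ip)
                    return "drop"
            return "pass"
        if pkt.proto == "tcp":
            if pkt.syn and not pkt.ack:
                # First packet of a conversation: an outsider wants to connect,
                # so admit it only on ports we chose to publish.
                return "pass" if pkt.dst_port in self.open_ports else "drop"
            # Any ACK-flagged packet continues a conversation (typically one this
            # machine started) and is let through; anything else is dropped.
            return "pass" if pkt.ack else "drop"
        # UDP has no ACK bit to lean on; admit only explicitly published ports.
        return "pass" if pkt.dst_port in self.open_ports else "drop"

def web_server_demo():
    """Port 80 published; a Trojan listening on 12345 stays invisible to scanners."""
    fw = Firewall(open_ports={80})
    return [fw.inbound(Packet("192.0.2.50", 40000, 80, syn=True)),     # new web connection
            fw.inbound(Packet("192.0.2.50", 40001, 12345, syn=True)),  # probe of the Trojan port
            fw.inbound(Packet("203.0.113.9", 80, 51000, ack=True))]    # reply to a page we requested

def netbios_tunnel_demo():
    """Home/office tunnel: 137-139 reachable only from the other machine's address."""
    fw = Firewall(trusted_peers={"198.51.100.7"})
    return [fw.inbound(Packet("198.51.100.7", 1025, 139, syn=True)),
            fw.inbound(Packet("192.0.2.77", 1025, 139, syn=True))]

def password_cracker_demo():
    """Exposed port 139: repeated failed logons from one source get it blacklisted."""
    fw = Firewall(open_ports={80, 139})
    attempts = [fw.inbound(Packet("192.0.2.99", 3000 + i, 139, ack=True, auth_failed=True))
                for i in range(3)]
    later = fw.inbound(Packet("192.0.2.99", 3100, 80, syn=True))  # port 80 now closed to it too
    return attempts + [later]
```

The three demo functions return the verdict lists for the web-server, tunnel and password-cracker scenarios respectively; a real filter would also have to handle fragments and non-TCP state, which this toy leaves out.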