McAfee Firewall -- compatibility with running an anti-censorship server

Bennett Haselton, 9/13/2003

McAfee Firewall is an Internet security program available for a 30-day free trial from McAfee Security. It provides some protection against simple viruses and Trojan horses that could enable an attacker to control your computer over the Internet; however, it also needs to be adjusted slightly to be compatible with running an anti-censorship server program on your computer.

A problem with McAfee Firewall is that the first time you run a server program, it is not sufficient to simply say "Yes" to letting the program access the Internet and check a box to remember that response in the future. This is sufficient with similar programs such as ZoneAlarm and Norton Personal Firewall, but not with McAfee Firewall. The problem is that without some additional changes, the server software will be unable to accept incoming connections after the next time the machine has rebooted; we have started a thread on McAfee's support forums to see if this is a known bug. In the meantime, the following explains how McAfee Firewall operates and how to make an anti-censorship server compatible with it.

McAfee Firewall warns you when a program not yet on your "approved" list tries to access the Internet, and lets you approve or deny the connection. Unlike similar programs such as ZoneAlarm or Norton Personal Firewall, McAfee Firewall does not distinguish between programs that run as clients (such as regular email programs and Web browsers that open connections to remote machines) and programs that run as servers (listening for incoming connections from other machines). This simplifies the user interface and avoids confusing novice users, at the cost of not giving advanced users the flexibility and control that other programs provide.

If you run an anti-censorship server on your computer, then the first time the software runs and begins listening for incoming connections, you will see a dialog box like this one:

The user must change the selection to "Yes, allow this time" and check the box marked "I recognize this program. In the future, do not alert me."

Here is where extra steps are required to make the server program work with McAfee Firewall. If you stop at this point, then the server program will be able to accept incoming connections on a given port only until you reboot your computer. After the reboot, incoming connections to that port will be ignored, without McAfee even prompting you whether you want to allow the connection.

To permanently enable incoming connections, right-click on the McAfee Guardian icon in the taskbar, pick "Run Firewall", and in McAfee Firewall, select the "Control Internet programs" panel:

"Apache HTTP Server" in this example is listed with Internet access set to "Filter". You must change this option to "Allow this program to have full, unfiltered access to the Internet" and click "Apply". Then, and only then, will the server be able to receive incoming connections even after the machine is rebooted.

Recommendation

For any anti-censorship program that runs as a server on the user's computer, the installation program must inform the user that when McAfee Firewall asks them about allowing the application to access the Internet, they must change the default from "No, deny this time" to "Yes, allow this time", and check the box marked "I recognize this program. In the future, do not alert me."

Since most users have never heard of McAfee Firewall, and any reference to McAfee Firewall would probably just confuse them unless they already had it on their computer, the installation program for the anti-censorship software should check if McAfee Firewall is installed, and only display this message if it detects that McAfee Firewall is present.
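As an added example that is not part of this article (nor McAfee's or any installer's own code), here is an installer-side check in Python along the lines just recommended. It assumes McAfee Firewall registers an Add/Remove Programs entry whose DisplayName contains "McAfee Firewall" (an assumption, not something the article states), and shows the instructions only when such an entry is found.

```python
# Added example (not the article's or McAfee's code): installer-side check that
# shows the McAfee Firewall instructions only when the product is present.
# Assumption: it has an Add/Remove Programs entry whose DisplayName contains "McAfee Firewall".
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

# Quotes the article's exact dialog and panel wording so the user can find it.
NOTICE = (
    "McAfee Firewall detected. When it asks about this program, change "
    "'No, deny this time' to 'Yes, allow this time' and check 'I recognize "
    "this program. In the future, do not alert me.' Then in McAfee Firewall's "
    "'Control Internet programs' panel change this program from 'Filter' to "
    "'Allow this program to have full, unfiltered access to the Internet' and "
    "click 'Apply'; otherwise incoming connections stop after the next reboot."
)


def installed_display_names():
    """DisplayName of every Add/Remove Programs entry ([] when not on Windows)."""
    try:
        import winreg
    except ImportError:
        return []
    names = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # key absent (e.g. no WOW6432Node on 32-bit Windows)
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, sub) as k:
                    names.append(str(winreg.QueryValueEx(k, "DisplayName")[0]))
            except OSError:
                pass  # entry without a DisplayName value
        root.Close()
    return names


def mcafee_firewall_notice(display_names):
    """Return NOTICE only if McAfee Firewall is among the installed programs."""
    return NOTICE if any("mcafee firewall" in n.lower() for n in display_names) else None
```

Call `mcafee_firewall_notice(installed_display_names())` from the installer and display the result only when it is not None.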