Articles - Using Windows TCP/IP filtering
There are many third-party software firewalls available for Windows, and recent versions of Windows also ship with an integrated firewall.

Usually such a firewall consists of a driver that hooks into the Windows IP stack (technically the most important component), optionally a service that configures (and in some cases even starts) the driver, and a GUI program that lets the user interact with the firewall. Firewalls of this kind are not always started and activated before all other network applications and services, which leaves the system unprotected for a few moments at startup. Also, if such a firewall fails to start (for example because it has been damaged by malware), the system remains fully unprotected.

Starting from Windows 2000, the TCP/IP driver has a feature that filters incoming traffic based on TCP/UDP destination port or IP protocol number. This is called TCP/IP filtering. It is a good way of "closing" listening TCP ports and filtering out unwanted custom IP protocols, but it has a drawback with UDP: filtered UDP ports are completely blocked. This happens because UDP is a connectionless protocol, so TCP/IP filtering blocks all incoming UDP datagrams on a filtered port, including responses to datagrams the system itself sent.

The Windows TCP/IP filtering configuration is accessed under the network connection's Properties - Internet Protocol (TCP/IP) Properties - Advanced TCP/IP Settings - Options tab. There the allowed TCP/UDP ports and IP protocols can be specified. Usually IP protocols 1 (ICMP), 6 (TCP) and 17 (UDP) should be allowed (they would not be filtered out anyway). Only TCP ports that need to be open should be listed here. Most software that needs to accept TCP connections can be configured to open specific ports. For most users, problems may arise mainly with some FTP clients (solved by enabling passive mode) and MSN Messenger. Windows uses random UDP ports from the ephemeral port range (1025 - 5000 by default) for DNS resolution, so in many cases filtering UDP ports ends up breaking DNS resolution. The most common solution is to leave all UDP ports unfiltered.
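The settings made in that dialog are stored in the registry, which makes it possible to audit what is actually in effect on a machine without clicking through every connection. The script below is an added example written for this article, not part of the original page or of Seconfig XP; it reads the documented locations (EnableSecurityFilters under Tcpip\Parameters and the per-interface TcpAllowedPorts, UdpAllowedPorts and RawIpAllowedProtocols values) and flags the UDP pitfall described above. It assumes the documented convention that a single entry "0" means "Permit All", and treats an absent or empty list as "Permit Only" with nothing listed (an assumption); the feature exists on Windows 2000/XP/Server 2003 and was removed from Vista onward, where the script simply reports nothing.

```powershell
# Added audit script (not from the original article): report the effective
# Windows TCP/IP filtering policy per interface and warn about the UDP caveat.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# A filter value is a REG_MULTI_SZ. The single entry "0" means "Permit All";
# any other list is a "Permit Only" list. Absent/empty is treated here as
# "Permit Only" with nothing listed, i.e. everything blocked (assumption).
function Get-FilterDescription([string[]]$Entries) {
    if ($null -eq $Entries -or $Entries.Count -eq 0) { return 'permit only: (none listed, all blocked)' }
    if ($Entries.Count -eq 1 -and $Entries[0] -eq '0') { return 'permit all' }
    return 'permit only: ' + ($Entries -join ', ')
}

# The article's UDP caveat: a permit-only UDP list also drops replies to
# datagrams this host sent, e.g. DNS answers arriving on ephemeral ports.
function Test-UdpPitfall([string[]]$Entries) {
    if ($null -ne $Entries -and $Entries.Count -eq 1 -and $Entries[0] -eq '0') { return $null }
    return 'WARNING: UDP permit-only list in effect; replies to outbound UDP ' +
           '(DNS on ephemeral ports 1025-5000) are dropped unless those ports are listed'
}

function Get-TcpIpFilterReport {
    $params  = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
    $enabled = ($null -ne $params) -and ($params.EnableSecurityFilters -eq 1)
    $rows = @()
    foreach ($key in (Get-ChildItem -Path "$TcpipParams\Interfaces" -ErrorAction SilentlyContinue)) {
        $iface = Get-ItemProperty -Path $key.PSPath
        if ($enabled) {
            $state  = 'enabled'
            $caveat = Test-UdpPitfall $iface.UdpAllowedPorts
        } else {
            $state  = 'disabled (lists below are not enforced)'
            $caveat = $null
        }
        # New-Object PSObject keeps this runnable on the PowerShell 2.0 of the XP era.
        $rows += New-Object PSObject -Property @{
            Interface   = $key.PSChildName
            Filtering   = $state
            TcpPorts    = Get-FilterDescription $iface.TcpAllowedPorts
            UdpPorts    = Get-FilterDescription $iface.UdpAllowedPorts
            IpProtocols = Get-FilterDescription $iface.RawIpAllowedProtocols
            UdpCaveat   = $caveat
        }
    }
    return $rows
}

# Run from an elevated prompt; each interface is printed as one record.
Get-TcpIpFilterReport | Format-List Interface, Filtering, TcpPorts, UdpPorts, IpProtocols, UdpCaveat
```

A TCP permit-only list that lists only the ports the machine really serves, combined with "permit all" for UDP, is the configuration the article recommends; any interface whose UDP list is not "permit all" is the likely cause of the DNS breakage mentioned above.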
TCP/IP filtering can be used to provide stable and continuous shielding of open TCP ports (which are the most common entry points for worms, hackers etc.) and custom/raw IP protocols. In many cases TCP/IP filtering can be used in conjunction with firewall software, providing an additional layer of permanent protection.

Posted on 2007.02.12.