Windows XP firewall behavior mysteriously changed

Question

Recently (July 13, 2010) I had a firewall rule that started blocking traffic that had previously been allowed. I have an FTP server running on a non-standard port serving files to the LAN. I had configured exceptions for the server application as well as the connection port in the XP firewall.

Original configuration:

Name: My FTP Server
Port Number: 1234
Scope: My network (subnet) only

Screenshot http://www.freeimagehosting.net/uploads/49c1717c8e.jpg

This configuration had been working for over a year. And oddly enough it had been working for clients on VLAN1 (10.1.1.x, the same subnet as the server) as well as clients on VLAN2 (10.1.2.x). Then suddenly two days ago it stopped working for clients on VLAN2 only. After troubleshooting the failed connections I determined that the problem was the firewall, and reconfigured the exception as follows:

Updated configuration:

Name: My FTP Server
Port Number: 1234
Scope: Custom list: 10.1.0.0/255.255.0.0

alt text http://www.freeimagehosting.net/uploads/a301aa85b9.jpg

Some other background details: Windows Update is set to automatically install updates, and it received a single update on the evening of July 12th.

WindowsUpdate.log excerpt:

*************
** START **  Agent: Installing updates [CallerId = AutomaticUpdates]
*********
  * Updates to install = 1
  *   Title = Definition Update for Windows Defender - KB915597 (Definition 1.85.1905.0)
  *   UpdateId = {1C89B156-DCC2-4A34-BAFC-7B5E5B20C460}.100
  *     Bundles 1 updates:
  *       {584242DE-8E71-4F88-A9C6-BB3C7F13773A}.100

The KB article here gave no indication of the firewall being updated (indeed, it's only a Definition update for Windows Defender). Other than automatic updates, no new software was installed on the server for months, and the firewall rules had not been changed since the FTP server was originally configured over a year ago.

Why did the firewall exceptions work for the entire LAN before but then suddenly began blocking connections from clients on VLAN2 two days ago?

EDIT: Additional details: I have an Xserve running Mac OS X Server 10.5 set up as the DHCP server. DHCP is configured to assign a static IP to this particular XP machine. This configuration has not changed since the windows box was initially set up over a year ago.

System details: Windows XP Pro Version 2002 Service Pack 3

Answer 1

Though I cannot be certain, this is my thoughts on why it suddenly stopped working.

The 10.x.x.x space is a 24bit Class A subnet.
The default mask for this would be: 255.0.0.0

Windows XP chooses the default subnet mask when you enter an IP. It may have given the interface 255.0.0.0 or 255.255.0.0 instead of the Class C 255.255.255.0.

This makes 10.0.0.0 - 10.255.255.255 part of the local subnet. (10.1.1.x and 10.1.2.x inclusive)

If you are on DHCP and the server started to give out the default mask of 255.255.255.0 only IPs in 10.1.1.x

If you manually configured the interface and changed the IP, the default mask may have changed depending on the new IP.

Outside that, is this machine on part of a Windows Domain? If so, your administrator may have pushed down a new firewall profile as part of a system policy.

Answer 2

Is there something between these two VLANS?

Are you in charge of the network? I have had issues whereby the network team would make modifications on one VLAN and begin to do stateful inspection of packets to determine if traffic is legitimate between networks. I have been burnt by these ad-hoc modifications a few times. If you are the primary admin for the entire infrastructure that seems like extremely quirky behavior.

Also, some of Wayne's suggestions makes sense alot of sense as well.