How to set optimum settings in ZA Pro?
Escalader
April 23rd, 2007, 11:03 AM
Stem has suggested I start this thread. So this is a 1st post.
One request I have, please don't use the thread as a ZA /Checkpoint bashing opportunity. Stem I'm sure doesn't have the time to deal with all that stuff which achieves nothing on a technical knowledge level. :thumbd:
So please restrict posts to technical content questions and answers please!8)
See 3 attached posted images of the options screens. I have put the following questions to start the ball rolling.
(1) Main Firewall.
What setting should user set Internet zone security?
What is custom used for and how to approach using it?
(2) Zones
How to determine what IP's and sites to put into the Trusted Zone?
How to determine what IP's and sites to put into the Internet zone?
(3) Expert
Is it required to use/set expert rules for ZA Pro? Why?
If so can you provide a proven tested default set?
Mrkvonic
April 23rd, 2007, 11:15 AM
Hello,
You should start with defaults and slowly expand.
Trusted zone might include network computers, if there are any such.
1. Leave as is. Custom means tweaking certain options in between settings.
2. IP address, type ipconfig /all (Start > Run > cmd).
Here you can see your IP. If you wish to allow other computers on your network to have access, you can define them as trusted, either by single IP or a range.
3. Expert rules are just manual rules, mainly for applications that need server rights, like P2P, Skype and such.
Mrk
unhappy_viewer
April 23rd, 2007, 11:32 AM
{QUOTE-> Stem has suggested I start this thread. So this is a 1st post.
One request I have, please don't use the thread as a ZA /Checkpoint bashing opportunity. Stem I'm sure doesn't have the time to deal with all that stuff which achieves nothing on a technical knowledge level. :thumbd:
So please restrict posts to technical content questions and answers please!8)
See 3 attached posted images of the options screens. I have put the following questions to start the ball rolling.
<-QUOTE}
1) Main Firewall
-The Internet Zone should always be put to high. There is usually no reason to decrease the level
-The custom button for the Internet and Trusted zone is used to make more technical adjustments to some of the firewall rules. For example, you could have ZA allow ICMP pings through or not. In normal cases, ICMP pings are blocked in the Internet zone (provided it's on the default setting of High) while they are allowed in the Trusted zone (provided it's on the default setting of Medium).
2)Zones
-If you are on a home or office network and share printers and files over the LAN connection, you should put the network in the Trusted zone. If you don't have a network or don't share stuff, nothing should be there. The only exception is the loopback adapter (127.0.0.1), which should be placed in the Trusted zone.
-If you are on a local area network, ZA will automatically detect it. A wizard may pop up (depending on your setting) asking you which zone you wish to put the network in. Even if the wizard does not pop up, you can adjust the zone in the zone list. Remember, IPs that you know you can trust can go into the Trusted zone. IPs from, say, public hotspots should remain in the Internet zone.
3)Expert Rules
-Users are not required to set expert rules in ZA. Usually trusted programs are installed on one's computer, and if you really trust them, there should be no reason for you to doubt them and create specific boundaries for these programs apart from the program permission in the program list. Of course there are those worry warts who would still like to have fine control of their programs, as if the "supposedly trusted" programs they install may turn rogue. Setting expert rules may also complicate troubleshooting when you are trying to determine which aspect of your rules and settings is not right.
-If a user requires fine control, such as at which times a program is allowed to access the Internet, what protocol is allowed, or whom the program is allowed to communicate with, then an expert rule is used.
-My recommendation: Absolutely no reason to touch expert rules if the programs you install are those that you trust (which you should anyway, before you installed them). If you need to give a program server rights or access only to a certain zone, this can easily be done through ZA's program list.
Stem
April 23rd, 2007, 12:06 PM
{QUOTE->
(3) Expert
Is it required to use/set expert rules for ZA Pro? Why?
If so can you provide a proven tested default set? <-QUOTE}
Just to add for now,
You are basing "Expert rules" as you would with "PCtools firewall", where a set of rules is in place for the full system/all applications. Yes, this can be done in the "Expert settings" you show, and rules placed here will override all others. But there is also the possibility of adding rules per application, if you go into "Program control / programs" and right-click an application -> options
fax
April 23rd, 2007, 12:50 PM
Hi!
I don't know if you are aware of Hoov's site; if not, here you have it: http://www.donhoover.net . There is some useful guidance on expert rules and other ZA related issues (e.g. trusted/internet).
And here you find some basic examples for expert rules:
http://zonealarm.donhoover.net/examples.html
Cheers,
Fax
Stem
April 23rd, 2007, 01:24 PM
{QUOTE-> 3)Expert Rules
-Users are not required to set expert rules in ZA. Usually trusted programs are installed on one's computer, and if you really trust them, there should be no reason for you to doubt them and create specific boundaries for these programs apart from the program permission in the program list. Of course there are those worry warts who would still like to have fine control of their programs, as if the "supposedly trusted" programs they install may turn rogue. Setting expert rules may also complicate troubleshooting when you are trying to determine which aspect of your rules and settings is not right.
-If a user requires fine control, such as at which times a program is allowed to access the Internet, what protocol is allowed, or whom the program is allowed to communicate with, then an expert rule is used.
-My recommendation: Absolutely no reason to touch expert rules if the programs you install are those that you trust (which you should anyway, before you installed them). If you need to give a program server rights or access only to a certain zone, this can easily be done through ZA's program list. <-QUOTE}It can of course be viewed from that personal standpoint. We all have our own viewpoint. My suggestion to "Escalader" to start this thread was mainly to learn. "Escalader" has shown interest in learning firewall rules/setup, so why not start with a firewall that is already known to them.
With ZA Pro, rules per application can be made; all these rules can be logged, including (or just) a blocking rule, which can show any possibly blocked connections/packets (which may be causing problems). As this can be done one application at a time, I don't see a major problem doing this.
Escalader
April 23rd, 2007, 07:25 PM
{QUOTE-> Just to add for now,
You are basing "Expert rules" as you would with "PCtools firewall", where a set of rules is in place for the full system/all applications. Yes, this can be done in the "Expert settings" you show, and rules placed here will override all others. But there is also the possibility of adding rules per application, if you go into "Program control / programs" and right-click an application -> options <-QUOTE}
Thanks Stem for pointing out this difference. I was going to stay in the FW section of ZA first, then move to the application section next.
So then I ask this: what does the ZA Pro user do in the FW section and what in the Program setting section?
Let's leave expert settings until much later in both ZA sections, since I would prefer only to use expert rules for exceptions that all the standard ZA options cannot handle. My PC can't be that unique, so any learning here is of potential value to all FW users.
In my ideal world, I would never need to create any expert rules for any FW.
But since that is unrealistic, let's optimize ZA Pro first using its standard options during setup and early use. Then at the end say what's missing and fix those exceptions only with expert rules.
I'm going to wait a bit for more post contributions, then I'll foolishly summarize what I think the answers are to my own questions for the experts here to either validate or correct. I'm not concerned with my own :-[ since this is a learning thread, and I hope not just for me alone; I'm only one member.
Fax, thanks for the link www.donhoover.net. I seem to remember that link. Can you make a post on these questions from your own experience?
unhappy_viewer
April 24th, 2007, 03:23 AM
{QUOTE-> It can of course be viewed from that personal standpoint. We all have our own viewpoint. My suggestion to "Escalader" to start this thread was mainly to learn. "Escalader" has shown interest in learning firewall rules/setup, so why not start with a firewall that is already known to them.
With ZA Pro, rules per application can be made; all these rules can be logged, including (or just) a blocking rule, which can show any possibly blocked connections/packets (which may be causing problems). As this can be done one application at a time, I don't see a major problem doing this. <-QUOTE}
While I encourage people to learn about expert rules, there is a reason why they are called "expert". From my experience helping out in the ZL forums, a lot of people using expert rules can't get them to work correctly because they usually don't fully understand the basis for expert rules and how they work. This usually results in a misconfiguration in their expert rules or program settings.
Remember that expert rules do not bring added security. It's just a way to give people more rein over their programs. As mentioned, I just don't see the point in that unless you are incredibly paranoid.
{QUOTE-> Fax, thanks for the link www.donhoover.net. <-QUOTE}
Hoov's site is a great reference place. He is a guru on the ZL forum. He used to post there frequently but now the CastleCops ZA forum keeps him pretty busy.
fax
April 24th, 2007, 04:56 AM
{QUOTE->
Fax, thanks for the link www.donhoover.net. Seem to remember that link. Can you make a post on these questions from your own experience?
So then I ask this what does the ZA Pro user do in FW section and what in the Program setting section?
<-QUOTE}
Hi!
To be honest, I personally leave SmartDefense ON and rely on automatic settings from ZA's central database.
I believe that there are basically three approaches to firewall settings:
1. Higher compatibility: Let ZA decide the best settings for applications, and set custom rules (not expert rules) for applications that are unknown to the ZA database (based on application needs).
2. Stricter control: Analyse your application list under program control and change applications that have been given Server rights to the Internet to '?' or 'X'. Enable Privacy control including mobile code control and allow mobile code only for trusted sites.
3. Security Conscious/Stressed (formerly called Paranoid ;D ): Use expert rules to limit the ports that an application can use. Only HTTP for web browsers, POP/SMTP/IMAP for mail clients, etc...
And for Trusted/Untrusted:
1. Higher compatibility: Set your LAN as trusted.
2. Stricter control: Set your LAN as Internet and add only your router's and PCs' IPs in your LAN (if they need to access your system/printer/etc.) to the Trusted zone.
To sum up, my experience is that it is much more important to restrict web resources (ActiveX, JavaScript, etc.) than to close down the firewall...
Hope this helps
Fax
Escalader
April 24th, 2007, 08:54 AM
Hi:
The following block occurred this AM. The source IP address is my own PC on the router? How do I get this stopped, or do I even want to? It logged it for some reason.
The ZA SmartDefense is on for all 69 programs configured for Internet access. OS component control is still off.
_________________________________________________________________
ZoneAlarm Pro blocked an ICMP Destination Unreachable message
No breach in your security has occurred. Your computer is safe.
Inside the firewall alert (alert property: value - technical explanation)
Source IP Address: 192.168.1.1 - The IP address of the computer that sent the packet which caused the alert.
Destination IP: xxx.xxx.xxx.xxx - The IP address of the computer to which the packet was sent.
Transport Layer Protocol: ICMP - The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol: IP - The protocol that allows two networked computers to locate each other on a network.
Protocol Specific: Type 3 - Destination unreachable - Some protocols, such as ICMP and IGMP, have multiple "types" associated with the protocol. Each type number for a specific protocol has a standardized meaning.
Link Layer Protocol: Ethernet - The protocol that allows two directly linked computers to share a network cable.
Alert Date: Apr-24-2007 05:12:33 AM PDT - The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count: 1 - Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert (alert property: value - technical explanation)
Lock Level: Lock Not Engaged - Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level: Medium - This ZoneAlarm Pro setting enforces application privileges and Internet Lock settings, leaving your computer visible to other computers in the Trusted Zone. It does not block file or printer shares (NetBIOS) or operating system traffic to and from the Trusted Zone.
Trusted Zone Servers: Servers Allowed - Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level: High - This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers: Servers Allowed - Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction: Incoming - The packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
Zone: Internet Zone - This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system: Windows XP-5.1.2600-Service Pack 2-SP - Version of operating system running on your computer.
fax
April 24th, 2007, 09:08 AM
{QUOTE-> Hi:
The following block occurred this AM. The source IP address is my own PC on the router? How do I get this stopped, or do I even want to? It logged it for some reason.
The ZA SmartDefense is on for all 69 programs configured for Internet access. OS component control is still off.
<-QUOTE}
Strange... Is 192.168.1.0 (Family Lan) still TRUSTED under the firewall Zones? Is the Trusted Zone Security set to MEDIUM?
And did you change anything in there? Like "Block incoming ping" (ICMP)?
Fax
EDIT: and what was the destination IP? Always from your LAN? 192.168.XXX.XXX???
EDIT2: Is your DNS and DHCP set by the router (i.e. DNS=DHCP=192.168.1.1)?
Escalader
April 24th, 2007, 11:45 AM
{QUOTE-> Is 192.168.1.0 (Family Lan) still TRUSTED under the firewall Zones? <-QUOTE}
No, Family Lan is at Internet in the FW zones. Internet Zone set at High! See the technical information provided down inside the ZA text from the "more information" service.
{QUOTE-> Is the Trusted Zone Security set to MEDIUM? <-QUOTE}
Yes, see the technical information in the post.
{QUOTE-> And did you change anything in there? Like "Block incoming ping" (ICMP)? <-QUOTE}
Nope, changed zip, nada, nothing! Not so strange perhaps. The way I read it, ZA policy blocks these. Quote: "Packet Direction Incoming The packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone"
{QUOTE-> EDIT: and what was the destination IP? Always from your LAN? 192.168.XXX.XXX??? <-QUOTE}
On that block it is always from 192.1.168.1.1 to 192.1.168.1.100
{QUOTE-> EDIT2: Is your DNS and DHCP set by the router (i.e. DNS=DHCP=192.168.1.1)? <-QUOTE}
Yes, set by the router.
fax
April 24th, 2007, 11:54 AM
{QUOTE-> Is 192.168.1.0 (Family Lan) still TRUSTED under the firewall Zones?
No, Family Lan is at Internet in the FW zones. Internet Zone set at High! See the technical information provided down inside the ZA text from the "more information" service <-QUOTE}
OK, then it's normal... If you put it as TRUSTED, it will not happen...
If you 'restrict' your LAN, you're likely to get these warnings from time to time.
Nothing to worry about.
Fax
P.S. There is no need to mask 192.68.whatever addresses; they are internal IPs. No one outside can do anything with that information ;D
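The ICMP alert above and fax's diagnosis of it come down to one rule that ZA's own alert text states: anything not listed in the Trusted zone is Internet zone, and at High the Internet zone blocks and logs unsolicited inbound traffic, while Trusted at Medium leaves the host visible. The following is an added example, not code from the thread or from ZoneAlarm, that models that zone lookup and verdict in Python. It assumes the alert's masked destination was 192.168.1.100 (the host address given later in the thread) and that the three zone configurations shown are the ones discussed: LAN left in the Internet zone, the whole LAN trusted, and only the router trusted.

```python
import ipaddress

# Constructed sample: the essential fields of the ICMP alert posted earlier in this
# thread. The destination was masked in the post; 192.168.1.100 is an assumption.
SAMPLE_ALERT = {
    "source_ip": "192.168.1.1",
    "destination_ip": "192.168.1.100",
    "protocol": "ICMP",
    "icmp_type": 3,            # Destination unreachable
    "direction": "Incoming",
}


def parse_zone_entries(entries):
    """Turn zone entries written the way ZA lists them (single IP, CIDR subnet,
    or 'first-last' IP range) into ipaddress network objects."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:                      # IP range: expand to covering subnets
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:                                 # single host or CIDR subnet
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def zone_of(ip, trusted_entries):
    """Everything not explicitly listed in the Trusted zone is Internet zone."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in parse_zone_entries(trusted_entries)):
        return "Trusted"
    return "Internet"


def is_lan_source(ip):
    """Triage hint: a private (RFC 1918 / loopback) source means the sender is on
    the local network, e.g. the router, not a host out on the Internet."""
    return ipaddress.ip_address(ip).is_private


def evaluate_inbound(alert, trusted_entries, trusted_level="Medium", internet_level="High"):
    """Apply the two zone levels described in the alert text: High blocks unsolicited
    inbound traffic (and logs it), Medium leaves the host visible to that zone."""
    zone = zone_of(alert["source_ip"], trusted_entries)
    level = trusted_level if zone == "Trusted" else internet_level
    verdict = "blocked and logged" if level == "High" else "allowed"
    return zone, verdict


if __name__ == "__main__":
    configs = {
        "LAN left in Internet zone": ["127.0.0.1"],
        "whole LAN trusted": ["127.0.0.1", "192.168.1.0/24"],
        "router only trusted (fax's stricter option)": ["127.0.0.1", "192.168.1.1"],
    }
    for name, trusted in configs.items():
        zone, verdict = evaluate_inbound(SAMPLE_ALERT, trusted)
        print(f"{name:45s} source zone={zone:8s} verdict={verdict}")
    print("source is a LAN device:", is_lan_source(SAMPLE_ALERT["source_ip"]))
```

Running it shows the same alert going from "blocked and logged" to "allowed" as soon as the router's address is in the Trusted zone, whether as the whole /24 or as the single host entry fax recommends; the `is_lan_source` check is the quick way to tell, from the log alone, that the sender was the router rather than something on the Internet.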
Stem
April 25th, 2007, 08:24 AM
{QUOTE-> While I encourage people to learn about expert rules, there is a reason why they are called "expert". From my experience helping out in the ZL forums, a lot of people using expert rules can't get them to work correctly because they usually don't fully understand the basis for expert rules and how they work. This usually results in a misconfiguration in their expert rules or program settings. <-QUOTE}Then maybe there is a lack of info/support in this area. I believe that if a user wants to create rulesets, for whatever reason, then support should be given, certainly on a dedicated forum; simply informing a user they are not needed is, to me, not support.
{QUOTE-> Remember that expert rules do not bring added security. It's just a way to give people more rein over their programs. As mentioned, I just don't see the point in that unless you are incredibly paranoid. <-QUOTE}I would disagree. For example, I want to ensure that any updates for my AV are only made from that vendor's update sites, so why not set rules for this, with logging? You say such is paranoid; I do not, I call this control/accountability.
Ignorance is not bliss when it comes to security.
{QUOTE-> Usually trusted programs are installed on one's computer, and if you really trust them, there should be no reason for you to doubt them and create specific boundaries for these programs apart from the program permission in the program list. <-QUOTE}My trust in a program/application is gained over time; I have yet to trust any program 100% simply based on what the vendor or others say. We can see such from Windows itself, and the problems/concerns of outbound connections made.
Escalader
April 25th, 2007, 09:49 AM
{QUOTE-> OK, then it's normal... If you put it as TRUSTED, it will not happen...
If you 'restrict' your LAN, you're likely to get these warnings from time to time.
Nothing to worry about.
Fax
P.S. There is no need to mask 192.68.whatever addresses; they are internal IPs. No one outside can do anything with that information ;D <-QUOTE}
Stem and Fax:
Could you guys verify/recheck these 2 statements for me? I'm in learning mode, so I need to understand "why" it is okay to put a family LAN as "trusted" just to avoid warnings. Isn't security the goal, not avoiding warnings?
On masking the 192.168.1.0 type addresses, is it technically accurate that no firm or person could use that information for anything?
fax
April 25th, 2007, 10:16 AM
{QUOTE-> Stem and Fax:
Could you guys verify/recheck these 2 statements for me? I'm in learning mode, so I need to understand "why" it is okay to put a family LAN as "trusted" just to avoid warnings. Isn't security the goal, not avoiding warnings?
On masking the 192.168.1.0 type addresses, is it technically accurate that no firm or person could use that information for anything? <-QUOTE}
Hi!
It is not only to avoid warnings but to avoid any malfunction in your LAN (lost packets, sharing files/printers, connection problems). If security is your primary objective then leave your LAN as untrusted, but you should not be surprised if you get alerts in your firewall, maybe by simply surfing the net or watching a movie on YouTube, using your IM software, your webcam, P2P, etc....
If you put your LAN as untrusted, it is a good norm to add your router IP as Trusted to avoid communication problems between your router and your system. And if you are sharing resources in your LAN you will need to add those IPs to your Trusted zone.
192.168.1.0 is a reserved address, internal only. I can't ping you; it's like pinging 127.0.0.0 (my/your/any computer). In my case I can tell you that my address is 192.168.2.2 and my router address is 192.168.2.1. You may guess the brand of my router but nothing else, because my real IP (the real address and not the translated one) is different. Actually, even if I give you my real IP address you cannot do much. It's like you know my home address but you don't have the keys to enter my house ;D
It is perfectly safe (in 99% of cases) to add your LAN as trusted, granted that you trust the other elements in your LAN and that the other systems are equally protected as your system.
It is more important to: change the default password of the router, keep the router firmware updated and, if you use wireless, encrypt the connection using WPA/WPA2 with a strong random password (more than 30 characters).
Hope this helps.
Fax
Stem
April 25th, 2007, 11:40 AM
{QUOTE-> so I need to understand "why" it is okay to put a family LAN as "trusted" just to avoid warnings. Isn't security the goal, not avoiding warnings? <-QUOTE}Many will say to place your LAN as trusted, simply as this causes fewer popups/warnings/support issues. For me, adding a router is part of my layer of inbound protection; to me, if you simply place this as trusted, then that layer is removed.
I will say that such as ICMP over a home LAN should be allowed, as without this, problems can/do arise.
It really comes down to setup/need. Example: if in a home LAN you use DHCP, then this needs to be taken into account, and yes, it is easier to say trust the DHCP server (router) than create rules. But is this for the better?
fax
April 25th, 2007, 12:01 PM
{QUOTE-> Many will say to place your LAN as trusted, simply as this causes fewer popups/warnings/support issues. For me, adding a router is part of my layer of inbound protection; to me, if you simply place this as trusted, then that layer is removed.
I will say that such as ICMP over a home LAN should be allowed, as without this, problems can/do arise.
It really comes down to setup/need. Example: if in a home LAN you use DHCP, then this needs to be taken into account, and yes, it is easier to say trust the DHCP server (router) than create rules. But is this for the better? <-QUOTE}
Hi Stem,
If I have understood well, you are not even recommending adding your router IP to the Trusted zone... well, if this is the case... it will create some headaches for Escalader when confronted with errors and connection problems...
But I would be curious to see your approach, such as manual allocation of IPs (turn off DHCP), set the Windows PC to manage this...
Well, at least it's a way to learn how to deal with networks ;D
But for the benefit of Escalader you should then give him concrete directions, otherwise he will be lost.
EDIT: But most of all, will this increase his protection?
Yes, but not in proportion to the potential difficulties he will encounter with programs/connections misbehaving (including ZA itself).
Fax
Stem
April 25th, 2007, 12:08 PM
Hello fax,
{QUOTE-> If I have understood well, you are not even recommending adding your router IP to the Trusted zone... well, if this is the case... it will create some headaches for Escalader when confronted with errors and connection problems... <-QUOTE}As mentioned, it depends on setup/needs; as with "Escalader", the PC is a fixed IP, so no DHCP is needed, which is one of the main problems. ARP is allowed, so this again is not a problem.
{QUOTE-> But for the benefit of Escalader you should then give him concrete directions, otherwise he will be lost. <-QUOTE}My spare time is limited these days, but I will certainly use what I have to help anyone here on the forum.
fax
April 25th, 2007, 12:47 PM
{QUOTE-> Hello fax,
As mentioned, it depends on setup/needs; as with "Escalader", the PC is a fixed IP, so no DHCP is needed, which is one of the main problems. ARP is allowed, so this again is not a problem. <-QUOTE}
Yep, OK... thanks for clarifying.
Fax
Escalader
April 25th, 2007, 04:37 PM
Thanks, guys, your exchange was interesting.
Based on the concept that my router is part of a "layered defense" (my words), I see it the same way, as a critical piece of the setup.
So for now, I will set the ZA FW back to Internet from Trusted.
Then as alert messages get logged I'll ask how to deal with those that can be accepted since the router and AlphaShield exist. My main concern is outgoing.
Bear with me on all this. 8)
Stem
April 25th, 2007, 04:59 PM
{QUOTE-> Bear with me on all this. 8) <-QUOTE}As long as you want/need, certainly from me.
Let us look at a certain point, DHCP (http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)
OK, this can be problematic, as a need to connect to the DHCP servers (with reply allowed) is needed. Without such, an Internet connection will not be available. Now, with firewalls that have UDP SPI (state table), only the outbound bootdhcp (broadcast) needs to be allowed for this, the reply being allowed via the UDP SPI (table). So no actual inbound allow is required for this, so no need to "trust" the DHCP server; as with most setups, svchost (XP) is allowed outbound due to this (and/or DNS, depending on setup), so the outbound is allowed. ZA does have a UDP SPI (table), so there should be no problem.
I do still need to make checks on ZA during boot. I know ZA attempts outbound during boot, so I would presume DHCP has already taken place at that point, but will verify.
I do intend to give you direct answers to your original questions, but I am currently going with the digression, which is still on topic but does need clarification (such as the Trusted zone and its use).
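Stem's point is that a UDP state table makes a separate inbound allow (or trusting the router) unnecessary: the outbound DHCP broadcast opens an entry, and only the reply that matches it is let back in. The following is an added example, not ZoneAlarm's code and not from this thread, that models such a table in Python with a DHCP DISCOVER/OFFER exchange and, for contrast, a unicast DNS query like the svchost one on port 53 discussed further down. The 30-second entry lifetime, the addresses and the stray-reply address 198.51.100.9 are constructed for the illustration, not ZA's real values.

```python
from dataclasses import dataclass, field

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class UdpStateTable:
    """Minimal model of a UDP state table: an outbound datagram opens a time-limited
    entry, and only an inbound datagram that answers it is let through.
    The timeout is an illustrative value, not ZA's real one."""
    timeout: float = 30.0
    entries: dict = field(default_factory=dict)

    def outbound(self, pkt, now):
        # Key on the local port, the remote port and the remote address we spoke to.
        self.entries[(pkt.src_port, pkt.dst_port, pkt.dst_ip)] = now + self.timeout

    def allows_inbound(self, pkt, now):
        # Drop expired entries first, then look for an entry this packet answers.
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        for (local_port, remote_port, remote_ip) in self.entries:
            if pkt.dst_port != local_port or pkt.src_port != remote_port:
                continue
            # A broadcast request (DHCP DISCOVER) cannot know which server will
            # answer, so any source is accepted; a unicast request pins the peer.
            if remote_ip == BROADCAST or pkt.src_ip == remote_ip:
                return True
        return False


def dhcp_scenario():
    """Client with no address yet broadcasts DISCOVER (68 -> 67); the router's OFFER
    (67 -> 68) is accepted only while the outbound entry is live."""
    table = UdpStateTable()
    discover = UdpPacket("0.0.0.0", 68, BROADCAST, 67)
    offer = UdpPacket("192.168.1.1", 67, BROADCAST, 68)
    before = table.allows_inbound(offer, now=0.0)    # nothing sent yet -> dropped
    table.outbound(discover, now=1.0)
    in_time = table.allows_inbound(offer, now=1.5)   # answers the open entry -> allowed
    late = table.allows_inbound(offer, now=40.0)     # entry expired -> dropped
    return before, in_time, late


def dns_scenario():
    """Unicast flow: a resolver query from port 1316 to a DNS server on port 53;
    only that server's answer is accepted, a reply from anyone else is not."""
    table = UdpStateTable()
    table.outbound(UdpPacket("192.168.1.100", 1316, "64.71.255.198", 53), now=0.0)
    answer = table.allows_inbound(UdpPacket("64.71.255.198", 53, "192.168.1.100", 1316), now=0.1)
    # Constructed address: a "reply" from a host that was never queried.
    stray = table.allows_inbound(UdpPacket("198.51.100.9", 53, "192.168.1.100", 1316), now=0.1)
    return answer, stray


if __name__ == "__main__":
    print("DHCP (before, in time, late):", dhcp_scenario())
    print("DNS (real answer, stray reply):", dns_scenario())
```

The DHCP case is the one that needs the broadcast exception: the client sends from 0.0.0.0 to 255.255.255.255, so the table cannot pin a server address and matches on the port pair alone, which is exactly why no inbound rule for the router is required. Everything else stays pinned to the peer the outbound packet went to, so a datagram to an open port from a different address is still dropped.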
unhappy_viewer
April 25th, 2007, 08:02 PM
{QUOTE-> Then maybe there is a lack of info/support in this area. I believe that if a user wants to create rulesets, for whatever reason, then support should be given, certainly on a dedicated forum; simply informing a user they are not needed is, to me, not support. <-QUOTE}
We will give support if a user certainly wishes to continue to use expert rules. However, sometimes people create rules like allowing Firefox to access all Internet websites, and that really does not differ from the basic program control. Same when people use expert rules to stop it from accessing IPs other than local IPs, which could again have been easily done using ZA's program control. Obviously in these cases we tell people what they want can be easily satisfied just using ZA's program control.
{QUOTE-> I would disagree. For example, I want to ensure that any updates for my AV are only made from that vendor's update sites, so why not set rules for this, with logging? You say such is paranoid; I do not, I call this control/accountability.
Ignorance is not bliss when it comes to security. <-QUOTE}
Sure you can, but accountability does not mean added security. I can hold my home security alarm accountable for protecting my home, but if I am going to leave my doors and windows open, my home will still be robbed in a matter of seconds. The alarm will record that intruders were present (accountable) but security was never there to begin with. I could not install a home security alarm, but if I lock my doors and shut my windows tight, my home is still safe (security).
{QUOTE-> My trust in a program/application is gained over time; I have yet to trust any program 100% simply based on what the vendor or others say. We can see such from Windows itself, and the problems/concerns of outbound connections made. <-QUOTE}
I guess that's your way of trusting things. For me, nothing goes on the computer unless the application is known to be a trusted program. So my trust in a program has to be built up by other people (maybe people like you) before it even goes on my PC. You could be like Steve Gibson: no AV etc., but still very safe since he locks his computer down.
Escalader
April 25th, 2007, 08:06 PM
{QUOTE-> As long as you want/need, certainly from me.
Let us look at a certain point, DHCP (http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)
OK, this can be problematic, as a need to connect to the DHCP servers (with reply allowed) is needed. Without such, an Internet connection will not be available. Now, with firewalls that have UDP SPI (state table), only the outbound bootdhcp (broadcast) needs to be allowed for this, the reply being allowed via the UDP SPI (table). So no actual inbound allow is required for this, so no need to "trust" the DHCP server; as with most setups, svchost (XP) is allowed outbound due to this (and/or DNS, depending on setup), so the outbound is allowed. ZA does have a UDP SPI (table), so there should be no problem.
I do still need to make checks on ZA during boot. I know ZA attempts outbound during boot, so I would presume DHCP has already taken place at that point, but will verify.
I do intend to give you direct answers to your original questions, but I am currently going with the digression, which is still on topic but does need clarification (such as the Trusted zone and its use). <-QUOTE}
Stem:
Thanks Stem. I know you are busy and I only hope others will benefit from the thread as well!
This is an outgoing block ZA made on my behalf. It seems to be directed toward my own ISP.
Question: Do I need to alter any basic settings?
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Inside the firewall alert
Source IP Address: xxx.xxx.xxx.xxx
    The IP address of the computer that sent the packet which caused the alert.
Source Port: 1316
    The port used by the source computer when sending the packet.
Destination IP: 64.71.255.198
    The IP address of the computer to which the packet was sent.
Destination Port: 53
    The port on the destination computer used to receive the packet.
Transport Layer Protocol: UDP
    The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol: IP
    The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol: Ethernet
    The protocol that allows two directly linked computers to share a network cable.
Program Name: Generic Host Process for Win32 Services
    A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
File Name: SVCHOST.EXE
    The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Program Version: 5.1.2600.2180
    The version of SVCHOST.EXE running on your computer.
Alert Date: Apr-25-2007 03:57:48 PM PDT
    The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count: 1
    Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert
Lock Level: Lock Not Engaged
    Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level: Medium
    This ZoneAlarm Pro setting enforces application privileges and Internet Lock settings, leaving your computer visible to other computers in the Trusted Zone. It does not block file or printer shares (NetBIOS) or operating system traffic to and from the Trusted Zone.
Trusted Zone Servers: Servers Allowed
    Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level: High
    This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers: Servers Allowed
    Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction: Outgoing
    The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
Zone: Internet Zone
    This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system: Windows XP-5.1.2600-Service Pack 2-SP
    Version of operating system running on your computer.
Details
This alert was caused by an attempt to contact a DNS server. Domain Name Service (DNS) is a service provided by your ISP which allows you and the applications on your machine to refer to locations on the Internet by easy-to-remember names instead of by numeric IP addresses.
For example, cnn.com has an IP address of 207.25.71.30. When your application wants to connect to cnn.com, it first connects to port 53 on a DNS server and asks the server what the IP address is for cnn.com. It then proceeds to connect to 207.25.71.30.
Attempting to contact a DNS server is usually nothing to worry about. It is not a hostile action. However, it does indicate that an application on your machine was trying to reach an address on the Internet, or possibly, on your Local Area Network.
The alert usually means that, when you started ZoneAlarm Pro, an Internet application was already running on your machine. What happened is that your application made its original Internet connection before ZoneAlarm Pro was up. The original connection was not registered. For this reason, ZoneAlarm Pro cannot determine whether the most recent communication the application tried to establish should be permitted. Therefore, because your security was set to High, ZoneAlarm Pro has blocked the communication and you received an alert.
In the following paragraphs, we provide a list of reasons why the application may have already been running on your machine before ZoneAlarm Pro started:
An Internet connection may have already been established on your machine when you installed ZoneAlarm Pro. This could have caused the alert if you did not reboot after installation.
You may have started ZoneAlarm Pro manually with an already live connection to the Internet.
Your system may be configured to launch an Internet application when Windows boots up. If that is the case, the application might be establishing an Internet connection before the TrueVector Service finishes loading. This problem should not occur if you did not change the default configuration which causes ZoneAlarm Pro to load at Windows startup. This is an extremely rare problem because ZoneAlarm Pro is designed to avoid this situation.
Another possibility is that a Trojan horse that has been installed on your machine is launching when Windows starts up, then immediately establishing an Internet connection. For your protection, ZoneAlarm Pro immediately blocks any communication a Trojan tries to establish. Leaving ZoneAlarm Pro configured to load at Windows startup is your best protection against Trojans trying to communicate with their masters on the Internet.
If one of your applications is not functioning properly because of the blocked communication referred to by this alert, and if you just installed ZoneAlarm Pro or started ZoneAlarm Pro manually, stop your application then restart it. This will probably solve the problem. Once you restart the application, ZoneAlarm Pro will be able to detect any attempt the application makes to connect to the Internet. In response, ZoneAlarm Pro will either prompt you for permission or enforce the permission settings you have already set on the Programs panel.
To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first.
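A small triage script for the kind of alert pasted above, added here as an illustration and not something from the thread or from Zone Labs: it pulls the fields out of the "Inside the firewall alert" text, reads the DNS servers from the output of `ipconfig /all`, and reports whether the blocked destination is one of the resolvers Windows is actually configured to use. Both inputs below are constructed samples: the 192.168.1.x and 198.51.100.53 addresses are assumed, and nothing is claimed about what 64.71.255.198 is.

```python
"""
Triage a ZoneAlarm "prevented your computer from accessing port 53" alert:
was the blocked UDP/53 packet aimed at a resolver Windows is configured to use?
Added example; the alert text and ipconfig output are constructed samples.
"""
import re

# Fields of the "Inside the firewall alert" table that matter for triage.
# The pasted layout is "<property> <value> <explanation>" on one line; an
# optional colon after the property name is tolerated.
ALERT_FIELDS = {
    "Source Port": r"Source Port:?\s+(\d+)",
    "Destination IP": r"Destination IP:?\s+(\d{1,3}(?:\.\d{1,3}){3})",
    "Destination Port": r"Destination Port:?\s+(\d+)",
    "Transport Layer Protocol": r"Transport Layer Protocol:?\s+(\w+)",
    "File Name": r"File Name:?\s+(\S+)",
    "Packet Direction": r"Packet Direction:?\s+(\w+)",
}

# Constructed sample in the layout ZoneAlarm uses (source address assumed).
SAMPLE_ALERT = """\
Source IP Address 192.168.1.20 The IP address of the computer that sent the packet which caused the alert.
Source Port 1316 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Program Name Generic Host Process for Win32 Services A program on your computer.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer.
"""

# Constructed `ipconfig /all` output for an XP host; all addresses assumed.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-desktop
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : lan
        Description . . . . . . . . . . . : Sample Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            198.51.100.53
        Lease Obtained. . . . . . . . . . : Thursday, April 26, 2007 12:00:00 PM
        Lease Expires . . . . . . . . . . : Friday, April 27, 2007 12:00:00 PM
"""


def parse_alert(text):
    """Extract the triage fields from the pasted alert text."""
    found = {}
    for key, pattern in ALERT_FIELDS.items():
        match = re.search(pattern, text)
        if match:
            found[key] = match.group(1)
    return found


def dns_servers_from_ipconfig(text):
    """Collect every DNS server ipconfig lists. The first one sits on the
    'DNS Servers' line; any further servers follow on unlabelled, indented
    lines directly beneath it."""
    servers = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        match = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", lines[i])
        if match:
            servers.append(match.group(1))
            i += 1
            while i < len(lines) and re.match(r"\s+\d{1,3}(?:\.\d{1,3}){3}\s*$", lines[i]):
                servers.append(lines[i].strip())
                i += 1
            continue
        i += 1
    return servers


def triage(alert_text, ipconfig_text):
    """Combine both views: is this an outbound DNS query, from which program,
    and did it go to a resolver the machine was actually told to use?"""
    alert = parse_alert(alert_text)
    resolvers = dns_servers_from_ipconfig(ipconfig_text)
    dest = alert.get("Destination IP")
    return {
        "destination": dest,
        "program": alert.get("File Name"),
        "is_dns_query": alert.get("Destination Port") == "53"
        and alert.get("Transport Layer Protocol") == "UDP"
        and alert.get("Packet Direction") == "Outgoing",
        "configured_resolvers": resolvers,
        "destination_is_configured_resolver": dest in resolvers,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT, SAMPLE_IPCONFIG).items():
        print("%-36s %s" % (key, value))
```

If the destination turns out to be one of the configured resolvers, the alert matches the ordinary case the ZA help text describes (a service already running before TrueVector came up); if it does not, the Program Name and File Name fields tell you which process chose a resolver Windows was never told to use, and that is the thing to chase before changing any zone setting.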
Stem
April 25th, 2007, 09:21 PM
{QUOTE-> Sure you can but accountability does not mean added security. I can hold my home security alarm accountable for protecting my home but if I am going to leave my doors and windows open, my home will still be robbed in a matter of seconds. The alarm will record that intruders were present(accountable) but security was never there to begin with. I could not install a home security alarm but if I lock my doors and shut my windows tight, my home is still safe (security). <-QUOTE}Comparison, why not. Even with doors/windows shut, alarms need to be in place. This is needed; nothing is 100%. Windows/doors can be broken.
If a firewall, whichever, was 100%, I would install it and tell all to use it. Can you tell me of such a firewall? With honesty, from my checking, I still do not know one (any).
{QUOTE-> I guess thats your way of trusting things. For me, its nothing on the computer unless the application is known to be a trusted program. <-QUOTE}I cannot argue with your personal view, if you trust all the programs you install. But may I ask, how do you know/trust a program? Example: a new program online, "whatever",.. how would you look at such? Do you install new programs?
Stem
April 25th, 2007, 09:58 PM
{QUOTE-> Do I need to alter any basic settings? <-QUOTE}I am still trying to find a way to stop ZA attempting outbound during boot (why should ZA attempt outbound during boot), also, whatever options are disabled, ZA still attempts to connect out. This was reported as a bug in earlier versions.
unhappy_viewer
April 26th, 2007, 03:27 AM
{QUOTE-> Comparison, why not. Even with doors/windows shut, alarms need to be in place. This is needed, nothing is 100% Windows/doors can be broken. <-QUOTE}
Ah but my actual home never has an alarm and has never been burgled. Just good old solid doors and windows protecting me. Maybe my neighbourhood is a safe one. :)
{QUOTE-> If a firewall, whichever, was 100%, I would install and tell all to use. Can you tell me of such a firewall, with honesty, from my checking, I still do not know one (any). <-QUOTE}
The best firewall is one I always recommend myself and works 100% if you have it: common sense. Unfortunately, common sense is not really common these days. :( A lot of people, when they see alerts or prompts, have a tendency to automatically click the "Yes" button. A firewall with prompts and alerts can still only do that much.
{QUOTE-> I cannot argue with you personal view, if you trust all the programs you install. But may I ask, how do you know/trust a program? Example: A new program online "whatever",.. how would you look at such? Do you install new programs? <-QUOTE}
Reputation and trust spreads easily by word of mouth.
Escalader
April 26th, 2007, 08:16 AM
{QUOTE-> I am still trying to find a way to stop ZA attempting outbound during boot (why should ZA attempt outbound during boot), also, whatever options are disabled, ZA still attempts to connect out. This was reported as a bug in earlier versions. <-QUOTE}
That's good Stem, but I could only guess why they might do that during boot. ZA Pro does the message once on a block but then blocks silently so that doesn't bother me.
I'm leaving my Family Lan as Internet not trusted based on your concept. Let's move on to the next question in original post.
But at any rate what I would really like to do now is set ZA Pro to run in as optimum a way as is possible on my setup behind the Router/AlphaShield router the way it is designed to work.
Then much later try to fix any flaws in my setup with your help and any other FW experts here. Maybe we will run a shields up or other test on my system to find and report the flaws.
But for you this part of the last block help page may/maynot give a clue:
"To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first."
Stem
April 26th, 2007, 11:06 AM
@Escalader,
So was the log showing the DNS lookup blocked at startup(or re-boot), if yes, then it was probably "windows time" that was making this attempt (or another windows service). I will set up a little later on a test PC, just to check through what is allowed/blocked (in/out) during bootup.
Escalader
April 26th, 2007, 02:50 PM
{QUOTE-> @Escalader,
So was the log showing the DNS lookup blocked at startup(or re-boot), if yes, then it was probably "windows time" that was making this attempt (or another windows service). I will set up a little later on a test PC, just to check through what is allowed/blocked (in/out) during bootup. <-QUOTE}
Great Idea Stem.
I'm on ZA Pro so I don't know if that makes a difference to your test PC.
I just cleared all logs and will reboot and send in the in/outs during my boot in order to answer your question more easily.
Escalader
April 26th, 2007, 03:36 PM
{QUOTE-> Great Idea Stem.
I'm on ZA Pro so I don't know if that makes a difference to your test PC.
I just cleared all logs and will reboot and send in the in/outs during my boot in order to answer your question more easily. <-QUOTE}
I see no blocks at login time:
What I have now is program control set to high where ZA says they must ask for IA and server rights. I still have component control off. Should I engage it? Anybody? Here are some log entries I got:
First New Log entry
Windows Explorer is trying to use another program to connect to the Internet or your local network.
ZoneAlarm Pro is asking you whether to allow the connection. No breach in your security has occurred. However, an Advanced Program alert may indicate a potentially dangerous situation. Proceed with caution.
Inside the program alert
Program Name: Windows Explorer
    A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename: EXPLORER.EXE
    The filename of the program that ZoneAlarm Pro found on your computer.
Program Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    The version of Windows Explorer running on your computer.
Program Size: 1032192
    The size of the program executable file in bytes.
Program MD5: a0732187050030ae399b241436565e64
    The MD5 hash, or number, that uniquely identifies the executable.
Program CRC: e67b9ac9
    The Cyclic Redundancy Check (CRC) checksum for the executable. This is the result of an algorithm for ensuring data integrity.
Date Modified: Aug-04-2004 06:00:00 AM
    The date when EXPLORER.EXE was most recently modified.
Connect Type: Access
    This value can be either Access, which is an Internet connection attempt by Windows Explorer, or Server, which indicates that Windows Explorer is waiting for connections coming in from the Internet.
Remote Port: 53
    The port Windows Explorer is using on the remote computer.
Remote IP Address: 206.190.36.17
    The IP address of the remote computer that caused the alert.
Alert Date: Apr-26-2007 12:05:18 PM PDT
    The time when ZoneAlarm Pro detected the alert on your computer.
ZoneAlarm Pro security enforcement at time of alert
Program Status: New Parent Program
    Windows Explorer is trying to use another program to gain indirect access to the Internet or local network. This is the first time Windows Explorer has attempted indirect access.
Zone: Internet Zone
    This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Next New Entry
Windows NT Logon Application is trying to use another program to connect to the Internet or your local network.
ZoneAlarm Pro is asking you whether to allow the connection. No breach in your security has occurred. However, an Advanced Program alert may indicate a potentially dangerous situation. Proceed with caution.
Inside the program alert
Program Name: Windows NT Logon Application
    A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename: WINLOGON.EXE
    The filename of the program that ZoneAlarm Pro found on your computer.
Program Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    The version of Windows NT Logon Application running on your computer.
Program Size: 502272
    The size of the program executable file in bytes.
Program MD5: 01c3346c241652f43aed8e2149881bfe
    The MD5 hash, or number, that uniquely identifies the executable.
Program CRC: 640920a2
    The Cyclic Redundancy Check (CRC) checksum for the executable. This is the result of an algorithm for ensuring data integrity.
Date Modified: Aug-04-2004 06:00:00 AM
    The date when WINLOGON.EXE was most recently modified.
Connect Type: Access
    This value can be either Access, which is an Internet connection attempt by Windows NT Logon Application, or Server, which indicates that Windows NT Logon Application is waiting for connections coming in from the Internet.
Remote Port: 53
    The port Windows NT Logon Application is using on the remote computer.
Remote IP Address: 206.190.36.17
    The IP address of the remote computer that caused the alert.
Alert Date: Apr-26-2007 12:04:26 PM PDT
    The time when ZoneAlarm Pro detected the alert on your computer.
ZoneAlarm Pro security enforcement at time of alert
Program Status: New Parent Program
    Windows NT Logon Application is trying to use another program to gain indirect access to the Internet or local network. This is the first time Windows NT Logon Application has attempted indirect access.
Zone: Internet Zone
    This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Previous session entry on Quicken; I denied it, which seems to have zero effect on program usage:
Quicken Launcher is trying to monitor your system to observe what events are occurring.
ZoneAlarm Pro is asking you whether to allow this behavior. Your computer is safe.
Inside the OSFirewall alert
Program Name: Quicken Launcher
    A program running on your computer, which attempted an action that was detected by the OSFirewall.
Filename: qw.exe
    The filename of the program that ZoneAlarm Pro found on your computer.
Program Version: 15.1.1.179
    The version of Quicken Launcher running on your computer.
Program Size: 13312
    The size of the program executable file in bytes.
Program MD5: 23f5bdb7ef472d3c55e242c85217730d
    The MD5 hash, or number, that uniquely identifies the executable.
Smart Checksum: 4156e899de16b4e31f221662134628ca
    The SKIMP hash, or number, that uniquely identifies the executable.
Date Modified: Aug-15-2005 05:18:30 AM
    The date when qw.exe was most recently modified.
Event Type: Execution
    The event involved executing Windows instructions.
Sub Event Type: ExecutionGlobalWindowsHook
    Quicken Launcher attempted to set
Stem
April 27th, 2007, 09:41 AM
@Escalader,
For indirect access (trying to use another program to connect to the Internet), you need to be careful. For processes such as "WINLOGON.EXE", if denied, this can cause your browser not to be able to connect.
As for bootup.
I have setup with ZA installed on a PC on LAN, behind a gateway, just to check for DHCP etc, and to see what is being sent out. I have set the LAN as "Internet", and unchecked the "Allow broadcast" for that zone.
DHCPboot (with reply) is allowed: ARP(with reply) is allowed: ICMP is allowed(the gateway is pinged during boot, even with ICMP not allowed): IGMP is allowed(even with this not allowed).
So having the LAN as "Internet" from these results, will not cause problems for DHCP (renewal is also allowed)
ZA is still attempting to connect to Zonelabs during/after boot/ on close down, with whatever settings I make within the firewall. If your previous statement still stands: {QUOTE-> My main goal in all this is to control/ block outgoing packets that have no business leaving my PC <-QUOTE}Then I would suggest removing ZA.
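The boot-time check Stem describes can be written down as a classifier. The script below is an added example, not Stem's method and not ZA output: it reads a packet list in the column layout of Wireshark's CSV export, treats DHCP, ARP, IGMP and ICMP echo exchanged with the gateway as the expected boot traffic, lists every DNS query by the name asked for (so a Windows Time lookup can be told apart from anything else), and flags whatever else leaves the LAN from this host. The capture lines are constructed; the LAN prefix, gateway and host address are assumed, and the hostnames and addresses in the sample rows are placeholders, not observations.

```python
"""
Classify boot-time packets from a Wireshark CSV export into expected LAN
bootstrap traffic, DNS lookups to review, and unexplained outbound.
Added example; the capture below is constructed and the addresses assumed.
"""
import csv
import io
import ipaddress

# Assumed network layout for the constructed capture.
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")
HOST = ipaddress.ip_address("192.168.1.20")

# Constructed rows in the layout of Wireshark's "Export Packet Dissections as CSV".
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","0.0.0.0","255.255.255.255","DHCP","342","DHCP Discover - Transaction ID 0x3d1d"
"2","0.010000","192.168.1.1","192.168.1.20","DHCP","590","DHCP Offer    - Transaction ID 0x3d1d"
"3","0.020000","0.0.0.0","255.255.255.255","DHCP","342","DHCP Request  - Transaction ID 0x3d1d"
"4","0.030000","192.168.1.1","192.168.1.20","DHCP","590","DHCP ACK      - Transaction ID 0x3d1d"
"5","0.100000","Dell_12:34:56","Broadcast","ARP","42","Who has 192.168.1.1?  Tell 192.168.1.20"
"6","0.101000","Netgear_aa:bb:cc","Dell_12:34:56","ARP","60","192.168.1.1 is at 00:11:22:aa:bb:cc"
"7","0.200000","192.168.1.20","192.168.1.1","ICMP","74","Echo (ping) request  id=0x0200, seq=1/256"
"8","0.201000","192.168.1.1","192.168.1.20","ICMP","74","Echo (ping) reply    id=0x0200, seq=1/256"
"9","0.300000","192.168.1.20","224.0.0.22","IGMP","54","Membership Report"
"10","0.400000","192.168.1.20","192.168.1.1","DNS","73","Standard query 0x1a2b A time.windows.com"
"11","0.500000","192.168.1.20","192.168.1.1","DNS","70","Standard query 0x1a2c A zonelabs.com"
"12","0.550000","192.168.1.1","192.168.1.20","DNS","89","Standard query response 0x1a2b A time.windows.com A 192.0.2.1"
"13","0.600000","192.168.1.20","203.0.113.10","TCP","62","1040 > 80 [SYN] Seq=0 Win=65535 Len=0"
'''


def to_ip(text):
    """ip_address for IP columns, None for the MAC names ARP rows carry."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(row):
    """Return (category, label) for one exported packet row."""
    proto, info = row["Protocol"], row["Info"]
    src, dst = to_ip(row["Source"]), to_ip(row["Destination"])
    # Address acquisition and neighbour discovery are expected on any boot.
    if proto in ("DHCP", "ARP", "IGMP"):
        return "expected-boot", proto
    # Stem observed the gateway being pinged during boot; other echo peers get a look.
    if proto == "ICMP" and "Echo (ping)" in info:
        peer = dst if src == HOST else src
        if peer == GATEWAY:
            return "expected-boot", "ICMP echo with gateway"
        return "review", "ICMP echo with %s" % peer
    # Every outbound query is listed by name so the caller can see who is looking up what.
    if proto == "DNS" and "Standard query" in info and "response" not in info:
        return "review", "DNS lookup for %s" % info.split()[-1]
    if dst is None:
        return "review", "%s (non-IP destination)" % proto
    if src == HOST and dst not in LAN and not dst.is_multicast:
        return "unexpected-outbound", "%s to %s (%s)" % (proto, dst, info)
    if dst == HOST:
        return "inbound", proto
    return "lan", proto


def summarise(csv_text):
    """Group packets by category: {category: [(packet number, label), ...]}."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        category, label = classify(row)
        groups.setdefault(category, []).append((int(row["No."]), label))
    return groups


def unexplained(csv_text):
    """Packet numbers to account for before trusting the firewall settings."""
    groups = summarise(csv_text)
    return sorted(n for cat in ("review", "unexpected-outbound") for n, _ in groups.get(cat, []))


if __name__ == "__main__":
    for category, items in summarise(SAMPLE_CSV).items():
        print(category)
        for number, label in items:
            print("   #%-3d %s" % (number, label))
```

Run against a real boot capture taken on a second machine or a mirrored port, the "review" list is what Stem was after: DHCP, ARP and the gateway ping come out as expected, each DNS lookup is named, and anything in "unexpected-outbound" is a connection that happened with whatever options the firewall had at the time.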
Escalader
April 27th, 2007, 11:39 AM
{QUOTE-> @Escalader,
For indirect access (trying to use another program to connect to the Internet), you need to be careful. For processes such as "WINLOGON.EXE", if denied, this can cause your browser not to be able to connect.
As for bootup.
I have setup with ZA installed on a PC on LAN, behind a gateway, just to check for DHCP etc, and to see what is being sent out. I have set the LAN as "Internet", and unchecked the "Allow broadcast" for that zone.
DHCPboot (with reply) is allowed: ARP(with reply) is allowed: ICMP is allowed(the gateway is pinged during boot, even with ICMP not allowed): IGMP is allowed(even with this not allowed).
So having the LAN as "Internet" from these results, will not cause problems for DHCP (renewal is also allowed)
ZA is still attempting to connect to Zonelabs during/after boot/ on close down, with whatever settings I make within the firewall. If your previous statement still stands: Then I would suggest removing ZA. <-QUOTE}
Wow, that's quite a suggestion Stem. This has been a bad week for me so this suggestion fits in with the theme of the week... ! I'm now scared on the FW front!
Are you saying that I should remove ZA because it is allowing packets to leave my PC that shouldn't leave?
If the answer is yes, then I need a replacement FW ASAP! I don't think PC Tools FW + will do better will it?
I want to make sure I am not misunderstanding you here! Be as blunt as you need to be to make your points. I'm in learning mode and if you have to hit me over the head to make a point go for it!
Stem
April 27th, 2007, 11:53 AM
{QUOTE-> Are you saying that I should remove ZA because it is allowing packets to leave my PC that shouldn't leave? <-QUOTE}We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?
For me personally, I would not use this firewall until a full explanation from ZA is made concerning this.
henryg
April 27th, 2007, 01:13 PM
{QUOTE-> We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?
For me personally, I would not use this firewall until a full explanation from ZA is made concerning this. <-QUOTE}
Stem,
do you think that the Outpost F/W would be a better choice....based on your experience?
fax
April 27th, 2007, 01:28 PM
{QUOTE-> We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?
For me personally, I would not use this firewall untill a full explantion from ZA is made concerning this. <-QUOTE}
Hi Stem,
as far as I know this was fixed long time ago... did you follow this document to block all communication with ZA?
http://download.zonelabs.com/bin/free/pressReleases/2005/pr_22.html
Fax
Escalader
April 27th, 2007, 03:04 PM
{QUOTE-> Hi Stem,
as far as I know this was fixed long time ago... did you follow this document to block all communication with ZA?
http://download.zonelabs.com/bin/free/pressReleases/2005/pr_22.html
Fax <-QUOTE}
Stem/Fax:
Guys, I am at sea here.
It would be unwise to remove ZA Pro until I have a better replacement and or a fix and or an adequate explanation on this connection out issue. I'm sure I'm not the only one that wants to know.
The way I read this is Stem did behind the router tests and got the results he published a few posts back and found packets leaving and connecting out attempts during and before boot and during close down. These have yet to be explained properly. Or if there are good reasons for these connections out what are they? Is it possible they want to update it first before anything else loads? ZA is in business there must be an explanation available and it must be in their best interest to tell everybody here what it is?
Fax, I think you are saying this is an old bug fixed long ago.:-\
But if that were the case , how is it Stem got the results he did? Unless he has an unrepaired version, which seems unlikely. Why would the user have to follow a link to fix a bug or block all communications with ZA?
Come to think of it I want to communicate with ZA to get the latest fixes and updates to the ASW. I did not join the optional share setting service or opt for AV monitoring on the basis of security so that is not an issue (I hope)on my PC.
Stem, what version of ZA were you testing with? Mine is 7.0.337 which I hope is current.
I really think we need to avoid FUD here and I for one intend to avoid precipitous actions or assumptions. ZA will I hope clear this matter up.
Here is the explain help on contact with ZA, on my PC does this offer us any clues on these connections?
Setting contact preferences
Setting contact preferences ensures that your privacy is protected when ZoneAlarm security software communicates with ZoneAlarm (for example, to check automatically for updates).
To set contact preferences:
Select Overview|Preferences.
In the Contact with ZoneAlarm area, specify your preferences.
Alert me with a pop-up before I make contact Displays a warning before contacting ZoneAlarm to deliver registration information, get product updates, research an alert, or access DNS to look up IP addresses.
Note: There are certain situations in which you will not be notified before contact is made. Those include sending DefenseNet data to ZoneAlarm, contacting ZoneAlarm for program advice, when an anti-virus update is performed, or when monitoring your anti-virus status. The "Share setting anonymously..." setting below turns off the DefenseNet transfer. All other settings can be disabled from the main tab of their respective panels.
Hide my IP address when applicable Prevents your computer from being identified when you contact Zone Labs, LLC.
Hide the last octet of my IP address when applicable Omits the last section of your IP address (for example, 123.456.789.XXX) when you contact Zone Labs, LLC.
Share my security settings anonymously with ZoneAlarm Periodically sends anonymous configuration data to ZoneAlarm. For more information, see Joining the DefenseNet community .
Note: Configuration data is not collected from ZoneAlarm or ZoneAlarm Anti-virus users.
fax
April 27th, 2007, 04:10 PM
{QUOTE-> Stem/Fax:
But if that were the case , how is it Stem got the results he did? Unless he has an unrepaired version, which seems unlikely. Why would the user have to follow a link to fix a bug or block all communications with ZA?
<-QUOTE}
That is exactly the point, you should not worry about ZA contacting ZA servers. If ZA is your primary defence (or part of your security package) then you should care about everything else around it.
If you start to question why ZA is contacting ZA servers and you do not want ZA to contact ZA, then better you remove ZA and use another software that you can trust. Trust in your security tools is your starting point.
This issue can be easily taken up by trollers and transformed into "WARNING ZA is secretly leaking information from your system AGAIN".
I thought this thread was about optimum ZA settings for securing your system rather than how to secure your system from ZA :)
Fax
Stem
April 27th, 2007, 04:44 PM
{QUOTE-> what version of ZA were you testing with? Mine is 7.0.337 which I hope is current. <-QUOTE}Yes, I was looking at this latest version.
{QUOTE-> That is exactly the point, you should not worry about ZA contacting ZA servers. If ZA is your primary defence (or part of your security package) then you should care about everything else around it. <-QUOTE}If I had auto updates etc. enabled, then I would have to trust that the firewall would only do as I have allowed in the options I have enabled. But, as I have ALL these options disabled, I then trust the firewall NOT to make any unauthorized outbound,... but ZA does.
{QUOTE-> If you start to question why ZA is contacting ZA servers and you do not want ZA to contact ZA then better you remove ZA and use another software that you can trust. <-QUOTE}That is why I have suggested that "Escalader" should remove ZA
{QUOTE-> I thought this thread was about optimum ZA settings for securing your system rather than how to secure your system from ZA <-QUOTE}Making settings within a firewall is to protect the user. As "Escalader" shows concern as to what is leaving the PC, then I do need to point out the fact that ZA is making unauthorized outbound.
I would (and do) make a point of any firewall, or any application that was/is making unauthorized outbound comms. What a user does with this info is then up to themselves.
{QUOTE-> This issue can be easily taken up by trollers and transformed into "WARNING ZA is secretly leaking information from your system AGAIN" <-QUOTE}If ZA was to stop making unauthorized outbound, then it would not be an issue.
fax
April 27th, 2007, 04:51 PM
{QUOTE-> Yes, I was looking at this latest version.
If I had auto updates etc. enabled, then I would have to trust that the firewall would only do as I have allowed in the options I have enabled. But, as I have ALL these options disabled, I then trust the firewall NOT to make any unauthorized outbound,... but ZA does.
That is why I have suggested that "Escalader" should remove ZA
Making settings within a firewall is to protect the user. As "Escalader" shows concern as to what is leaving the PC, then I do need to point out the fact that ZA is making unauthorized outbound.
I would (and do) make a point of any firewall, or any application that was/is making unauthorized outbound comms. What a user does with this info is then up to themselves. <-QUOTE}
Yes, Fine Stem... I understand your point. :)
Given your great expertise can you detail the server/ports and what is sent without authorization (the exact string and length)?
Thanks,
Fax
Stem
April 27th, 2007, 05:37 PM
{QUOTE-> can you detail the server/ports and what is sent without authorization (the exact string and length)? <-QUOTE}
[attachment 189427]
If there are settings/options that may cause this (that I may have missed) please advise.
update
I am trying to find what the above comms could be, thinking there may be a problem with installation (or bug/conflict). So to compare comms, I have made a manual program update check with ZA:- (ZA shown as up to date)
[attachment 189428]
Edit:
Interesting, since making the manual update attempt, ZA is no longer connecting out. On re-boot, ZA does make DNS lookup for Zonelabs.com, but does not make outbound connection.
I will keep a check.
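When the only thing left on the wire at boot is a DNS lookup, the useful question is which name was asked for. The decoder below is an added example, not ZA's or Stem's code: it parses the question section of a raw UDP/53 payload, following compression pointers with a hop limit so a malformed packet cannot loop it, and the matching encoder builds a query so the two can be checked against each other. The payload bytes are constructed; zonelabs.com is used as the sample name only because it is the name mentioned above.

```python
"""
Decode the question section of a DNS packet captured on UDP/53.
Added example; SAMPLE_QUERY below is constructed, not a captured packet.
"""
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Encode 'zonelabs.com' as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, txid=0x1A2B, qtype=1):
    """Standard recursive query (flags 0x0100) with one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(payload, offset):
    """Decode a name at offset; return (name, offset just past it in the stream).
    Compression pointers (top two bits set) are followed, with a hop limit so a
    pointer loop in a crafted packet raises instead of spinning forever."""
    labels = []
    end = None          # position after the name in the original stream
    hops = 0
    while True:
        if offset >= len(payload):
            raise ValueError("name runs past end of packet")
        length = payload[offset]
        if length == 0:
            if end is None:
                end = offset + 1
            break
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(payload):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16 or pointer >= len(payload):
                raise ValueError("bad or looping compression pointer")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("label too long")
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_questions(payload):
    """Return {'id', 'response', 'questions': [(name, qtype, qclass), ...]}."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    questions = []
    offset = 12
    for _ in range(qdcount):
        name, offset = read_name(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype)), qclass))
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions}


# Constructed sample: the bytes a query for zonelabs.com would carry on UDP/53.
SAMPLE_QUERY = (b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header, QDCOUNT=1
                b"\x08zonelabs\x03com\x00"                            # QNAME
                b"\x00\x01\x00\x01")                                  # QTYPE A, QCLASS IN

if __name__ == "__main__":
    print(parse_questions(SAMPLE_QUERY))
```

Feed it the UDP payload of a blocked port-53 packet (Wireshark's "Export Packet Bytes" on the DNS layer gives exactly that) and the question list names the host that the process was trying to resolve; that is the piece of evidence that turns "ZA made a DNS lookup" into something that can be matched against an update or AlertAdvisor option.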
Escalader
April 27th, 2007, 06:31 PM
{QUOTE-> .......Trust in your security tools is your starting point.
This issue can be easily taken up by trollers and transformed into "WARNING ZA is secretly leaking information from your system AGAIN".
I thought this thread was about optimum ZA settings for securing your system rather than how to secure your system from ZA :)
Fax <-QUOTE}
This is correct, my thread is about How to set optimum settings in ZA Pro!
Since I have very strong input control via the hardware FW and the router, my security concern is tilted more to output packet control.
I'm assuming that when this issue of outbound connections is resolved and dealt with by Stem and other posters to all our satisfaction that we can proceed to the next question in my first posts.
In fact to show more than my usual flexibility :) ;D I'm willing to do that now while waiting for those with the expert knowledge to answer this connection issue. I am willing to assume there is a positive answer to it.
IMHO Trollers, will always be with us but what they do and how others react to these posts I think is way beyond the scope of this thread. We should not let the possible viewing by them influence what we do professionally.
Regards to all, lets remain calm
Stem
April 27th, 2007, 06:52 PM
{QUOTE-> when this issue of outbound connections is resolved and dealt with..... <-QUOTE}At this moment in time, I am now looking at the outbound by ZA as a bug. As now, after the manual update I made, these comms have stopped. But of course, I will monitor.
Right, down to your questions.
{QUOTE-> (1) Main Firewall.
What setting should user set Internet zone security?
What is custom used for and how to approach using it? <-QUOTE}I currently have my LAN as internet, with high settings in both "Internet and Trusted" zone.
On my setup, (I have re-set Group policy in windows, so all default services are active, as would be with many users) I have unchecked the "Allow Broadcast/Multicast", as this was just noise, such as uPnP, netbios broadcasts. DHCP and ARP are still allowed, so no connection problems due to this.
As for the other settings for "Custom", I do not think they need changing. But if you have questions?
If not, we can move to your second question.
fax
April 27th, 2007, 06:53 PM
{QUOTE-> [attachment 189427]
On re-boot, ZA does make DNS lookup for Zonelabs.com, but does not make outbound connection.
I will keep a check. <-QUOTE}
Thanks for further investigating on it.
"cm2.zonelabs.com" assists in the functioning of various services including the AlertAdvisor, antivirus/antispyware updates, and antivirus monitoring.
{QUOTE-> This is correct, my thread is about How to set optimum settings in ZA Pro! <-QUOTE}
Ehm, yes, sorry..... back to the original subject... :)
Fax
Escalader
April 27th, 2007, 08:24 PM
{QUOTE-> ....... As now, after the manual update I made, these comms have stopped. ......Stem, do you mean the update of the product itself as in Preferences update, manual?
Right, down to your questions.
I currently have my LAN as internet, with high settings in both "Internet and Trusted" zone. Right I have the same
On my setup, (I have re-set Group policy in windows, so all default services are active, as would be with many users) I have unchecked the "Allow Broadcast/Multicast", I copied you there and did the same as this was just noise, such as uPnP, netbios broadcasts. DHCP and ARP are still allowed, so no connection problems due to this.
As for the other settings for "Custom", I do not think they need changing. But if you have questions?
If not, we can move to your second question. <-QUOTE}
Before doing that:
In my Zones I have attached a jpg image, please look this list over and tell me if I am fuzzy headed in putting specific sites in such as BitDefender etc and MY ISP?
Stem
April 27th, 2007, 08:56 PM
{QUOTE-> do you mean the update of the product itself as in Preferences update, manual? <-QUOTE}Yes,... Za-> Overview-> Preferences
{QUOTE-> In my Zones I have attached a jpg image, please look this list over and tell me if I am fuzzy headed in putting specific sites in such as BitDefender etc and MY ISP? <-QUOTE}No need to place IPs within the "Internet zone".
Certain settings can place certain "networks" as trusted, but it does depend on settings. Go to "Firewall-> Main-> Advanced". Here you see a number of settings/options. At the bottom of this, you will see "Network settings"; ensure this is set as "Ask which Zone to place new networks in upon detection".
Escalader
April 27th, 2007, 09:10 PM
{QUOTE-> Yes,... Za-> Overview-> Preferences
No need to place IPs within the "Internet zone".
Right, I'll remove it.
Certain setting can place certain "networks" as trusted, but it does depend on settings. Go to "Firewall-> Main-> Advanced" Here you see a number of settings/options. At the bottom of this, you will see "Network settings" ensure this is set as "Ask which Zone to place new networks in upon detection"
I went there and it was already checked, thanks. What about other settings in advanced?
<-QUOTE}
What about the other entries I made for my security software like BitDefender site, Webroot, and ZA itself etc etc does that make sense to you?
Stem
April 27th, 2007, 09:29 PM
Certain IPs/ranges cause question, such as private/reserved: example 192.168.***.*** / 10.*** etc. So confirmation is needed as to whether these IPs/ranges should be trusted or not. IPs which are not private/reserved are internet, and no confirmation is needed. As with the IPs for (example) "Spy sweeper", these will be seen as "Internet".
For the Zones, the main concern is:-
What is/should be blocked.
What is trusted, and should be placed here.
All else is internet. (if possible exception(as for reserved), you will be asked, due to your settings)
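As an added illustration of the zone logic Stem lays out (private/reserved ranges need confirmation before being trusted, public addresses are already "Internet" and need no entry, and broadcast belongs to the Allow Broadcast/Multicast option rather than a zone list), here is a small Python review script. It is example code written for this thread, not ZoneAlarm's own logic; the sample zone list and the advice strings are constructed for the demonstration.

```python
"""Zone-placement review for a personal firewall, following the advice in this
thread: private/reserved ranges need confirmation before being trusted, public
addresses are already "Internet" and need no entry, and the DHCP broadcast
address belongs to the Allow Broadcast/Multicast option rather than a zone list.
Added example; not ZoneAlarm code."""
import ipaddress

BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_entry(entry: str) -> str:
    """Return the address class of a single IP or a CIDR range."""
    net = ipaddress.ip_network(entry, strict=False)
    first = net.network_address
    if first.is_loopback:
        return "loopback"
    if net.num_addresses == 1 and first == BROADCAST:
        return "broadcast"
    if first.is_multicast:
        return "multicast"
    if first.is_link_local:
        return "link-local"
    if first.is_private:          # RFC 1918 and other reserved blocks
        return "private"
    return "internet"


def review_zone_list(entries: dict) -> list:
    """entries maps an IP or CIDR to the zone the user placed it in
    ("Trusted" or "Internet").  Returns (entry, zone, class, advice) tuples."""
    findings = []
    for entry, zone in entries.items():
        kind = classify_entry(entry)
        if kind in ("broadcast", "multicast"):
            advice = "remove: use the Allow Broadcast/Multicast option instead of a zone entry"
        elif kind == "internet" and zone == "Internet":
            advice = "redundant: unlisted public addresses are already Internet"
        elif kind == "internet" and zone == "Trusted":
            advice = "risky: a public address in Trusted gets LAN-level access to your PC"
        elif kind in ("private", "link-local") and zone == "Trusted":
            advice = "confirm: trust only if this really is your own LAN/router"
        elif kind in ("private", "link-local") and zone == "Internet":
            advice = "ok: treating the LAN as Internet keeps it filtered"
        else:
            advice = "review"
        findings.append((entry, zone, kind, advice))
    return findings


# Constructed sample zone list, modelled on the kind of entries discussed in
# the thread (the router, the LAN, a DNS server, the DHCP broadcast address).
SAMPLE_ZONES = {
    "192.168.1.1": "Trusted",          # home router (constructed)
    "192.168.1.0/24": "Internet",      # the "family LAN" treated as Internet
    "64.71.255.198": "Internet",       # the DNS server seen in the alert
    "255.255.255.255": "Internet",     # the DHCP broadcast workaround
}

if __name__ == "__main__":
    for row in review_zone_list(SAMPLE_ZONES):
        print(*row, sep=" | ")
```

The classifier relies on the standard library's `ipaddress` module for the reserved-range checks, so it covers the 172.16/12 block and the link-local range as well as the 192.168 and 10 examples given above.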
Stem
April 28th, 2007, 07:11 AM
{QUOTE-> What about other settings in advanced?
<-QUOTE}Sorry, I missed that question.
Gateway Security: Not needed in your setup, as this is a check on compatible gateways within a LAN.
Internet Connection Sharing: Default setting can be left on your setup.
General setting:
Block all fragments: Normally, blocking fragmented packets will not cause problems, and adds extra filtering protection. With normal day to day surfing, I do not see fragmented packets.
Block Trusted servers / Block Internet servers: These are over-rides to the program control settings; if set, they will block any program from acting as server in the zone selected. (If connected directly to the internet, and you do not use server software, then selecting "Block Internet servers" is a good option, as this will prevent any possible misconfiguration allowing unsolicited inbound to programs that may have been allowed server status unintentionally.)
Enable ARP Protection: This is mainly for large, possibly untrusted LANs, to stop attempts at ARP poisoning. With this enabled, unsolicited ARP will be dropped. You can enable this, it will not affect your connection.
Filter IP traffic over 1394: Some PC connections can be made over firewire (I do this for some debugging/tests). Firewire is also used for some external connections to external HD etc. This setting will depend on what you have (if anything) connected over 1394.
Allow VPN/uncommon protocols: This depends on the needs of your own setup. If you do not know what these are, then you more than likely do not need to enable these.
Lock Hosts File: If you use the windows hosts file, then enabling this will protect that file.
Disable Windows Firewall: This is just to make sure that the windows firewall is disabled.
Escalader
April 28th, 2007, 12:04 PM
{QUOTE-> Sorry, I missed that question. No sweat when that happens I'll just ask again, you are a busy person!
Gateway Security: Not needed in your setup, as this is a check on compatible gateways within a LAN. I unchecked this then
Internet Connection Sharing: Default setting can be left on your setup. OKay, done
General setting:
Block all fragments: Normally, blocking fragmented packets will not cause problems, and adds extra filtering protection. With normal day to day surfing, I do not see fragmented packets. Good I have now enabled this!
Block Trusted servers / Block Internet servers: These are over-rides to the program control settings; if set, they will block any program from acting as server in the zone selected. (If connected directly to the internet, and you do not use server software, then selecting "Block Internet servers" is a good option, as this will prevent any possible misconfiguration allowing unsolicited inbound to programs that may have been allowed server status unintentionally.) Hum, confused here due to brain defect no doubt, how do I know if I use a program as a server? When I update say SpySweeper am I using it as a server? This is a conceptual gap I have, so I have done nothing with the boxes. When in doubt do nothing is my rule ::)
Enable ARP Protection: This is mainly for large, possibly untrusted LANs, to stop attempts at ARP poisoning. With this enabled, unsolicited ARP will be dropped. You can enable this, it will not affect your connection. Done!
Filter IP traffic over 1394: Some PC connections can be made over firewire (I do this for some debugging/tests). Firewire is also used for some external connections to external HD etc. This setting will depend on what you have (if anything) connected over 1394. :-\ I don't know if I do or not, left default as ticked.
Allow VPN/uncommon protocols: This depends on the needs of your own setup. If you do not know what these are, then you more than likely do not need to enable these. Okay, I haven't!
Lock Hosts File: If you use the windows hosts file, then enabling this will protect that file. I decided to block it, but it may duplicate what SS does.
Disable Windows Firewall: This is just to make sure that the windows firewall is disabled. Right, it is disabled <-QUOTE}
Stem: Thanks again. We are proceeding well one by one like a good programmer should! :thumb:
Escalader
April 28th, 2007, 12:45 PM
Hello Stem and all concerned!
Now I have a new alert! Blocking IP authentication, I think? See attached image and advise how to handle!
As a typical user I don't want to spend time responding to alerts that should be automated. I may have done something wrong settings wise(again!)
Thanks in advance
fax
April 28th, 2007, 01:21 PM
{QUOTE-> Hello Stem and all concerned!
Now I have a new alert! Blocking IP authentication, I think? See attached image and advise how to handle!
As a typical user I don't want to spend time responding to alerts that should be automated. I may have done something wrong settings wise(again!)
Thanks in advance <-QUOTE}
Hi Escalader!
For troubleshooting purposes and to help Stem, it would be important to post a screenshot of the details of the alert.
Such as Originating IP, Destination IP. I think this is reported under the "details" or "technical info" tab (?)
The more stringent the rules, the more likely you will get copious warnings from ZA. It can help also to set ZA to "high" in terms of "alert events shown" (alerts and logs tab) so that you will get these warnings instantly and you may better guess what could have caused them (depending on what you were doing at that moment). Unless this alert was already a pop-up from ZA.
Cheers,
Fax
Stem
April 28th, 2007, 01:26 PM
{QUOTE-> how do I know if I use a program as a server? When I update say SpySweeper am I using it as a server, <-QUOTE}A server is a program that requires inbound connections.
{QUOTE-> Now I have a new alert! Blocking IP authentation I think <-QUOTE}What program is being blocked in the alert? (it should be svchost(XP) making DHCP). Did you have the Internet lock enabled at the time?
Escalader
April 28th, 2007, 01:29 PM
{QUOTE-> Hi Escalader!
For troubleshooting purposes and to help Stem, it would be important to post a screenshot of the details of the alert.
Such as Originating IP, Destination IP. I think this is reported under the "details" or "technical info" tab (?)
The more stringent the rules, the more likely you will get copious warnings from ZA. It can help also to set ZA to "high" in terms of "alert events shown" (alerts and logs tab) so that you will get these warnings instantly and you may better guess what could have caused them (depending on what you were doing at that moment). Unless this alert was already a pop-up from ZA.
Cheers,
Fax <-QUOTE}
Yes, I think I can do that next time it pops! But let me look in the logs now and see if the detail (where the devil lives) is there... I think it is recorded in the attachment.
Escalader
April 28th, 2007, 01:43 PM
{QUOTE-> A server is a program that requires inbound connections.
Right, so that would include email, updates to security software, the OS itself. Other programs I have I would not want to accept incoming or send outgoing, eg: Age of Empires Game or any game for that matter,
What program is being blocked in the alert? (it should be svchost(XP) making DHCP). Did you have the Internet lock enabled at the time? <-QUOTE}
Can't tell you what program is being blocked, you must be correct though; no, the internet lock was not on!
fax
April 28th, 2007, 01:53 PM
{QUOTE-> Yes, I think I can do that next time it pops! But let me look in the logs now and see if the detail (where the devil lives) is there... I think it is recorded in the attachment. <-QUOTE}
Yep, it should be in the Alerts and Logs --> alert type: firewall. Select it and then push "more info" and it will bring back that webpage...
Fax
Stem
April 28th, 2007, 01:55 PM
{QUOTE-> Right, so that would include email, updates to security software, the OS itself. <-QUOTE}No, these do not require inbound connections, these programs make outbound connections to a server (such as for updates). In your setup, to be able to run server software, you would need to remove the alpha shield, and port forward in your router, then enable your server program "Server Internet".
It is only such programs as P2P/Torrent clients that run as servers, so other users can connect in.
{QUOTE-> Can't tell you what program is being blocked, you must be correct though, not the internet lock was not on! <-QUOTE}Well, if svchost (Generic Host process for Win32 Services) is allowed Access to the internet, then DHCP should be allowed. It sounds buggy to me.
Escalader
April 28th, 2007, 02:05 PM
{QUOTE-> No, these do not require inbound connections, these programs make outbound connections to a server (such as for updates). In your setup, to be able to run server software, you would need to remove the alpha shield, and port forward in your router, then enable your server program "Server Internet".
It is only such programs as P2P/Torrent clients that run as servers, so other users can connect in.
Ah so! I never never want users connecting to my PC. Unless in another life I start an ISP service!;D Now I get it, the light went on, when I update I use the vendor's server! Good!
Well, if svchost (Generic Host process for Win32 Services) is allowed Access to the internet, then DHCP should be allowed. It sounds buggy to me. Buggy? Whose bug, me on setup or them for sending alerts? I'm at sea again, someday I'll learn to swim! <-QUOTE}
Okay, here is an incoming block that may shed light (maybe not)
Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
Source Port 1060 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Program Version 5.1.2600.2180 The version of SVCHOST.EXE running on your computer.
Alert Date Apr-28-2007 10:55:04 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert
Alert property Alert property value Technical explanation
Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level High This ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your co
Stem
April 28th, 2007, 02:13 PM
{QUOTE-> Buggy? Whose bug, me on setup or them for sending alerts? I'm at sea again, someday I'll learn to swim! <-QUOTE}ZA for blocking the packet. Only if you have svchost blocked from internet access (or if you enable the internet lock) should DHCP be blocked.
The info you have posted does not match the alert you gave earlier. In your post of the alert, this was for DHCP (port 68), In your last post, this info is for DNS (port 53)
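The alert detail block Escalader pasted is free text with the label, the value and a long explanation run together, which is exactly how the DHCP (port 68) and DNS (port 53) alerts got mixed up. As an added example (written for this thread, not ZoneAlarm code), here is a Python script that pulls the fields out of such a block and applies Stem's rule: outbound DNS or DHCP from svchost should only be blocked when the Internet Lock is engaged or svchost is denied Internet access in Program Control; anything else is unexpected and worth reporting. The `svchost_internet_allowed` parameter stands in for the Program Control setting; the DNS sample reuses the values posted above, and the DHCP variant is constructed.

```python
"""Parse a ZoneAlarm Pro "Inside the firewall alert" detail block and apply the
triage rule from this thread: outbound DNS (UDP/53) or DHCP (UDP/67-68) from
svchost should only be blocked when the Internet Lock is engaged or svchost
has been denied Internet access in Program Control.  Added example; not
ZoneAlarm code."""
import re

# Labels as they appear in the alert detail page.  Each pattern captures the
# value that follows the label; the free-text explanation after it is ignored.
FIELDS = {
    "source_ip":   r"^Source IP Address\s+(\S+)",
    "source_port": r"^Source Port\s+(\d+)",
    "dest_ip":     r"^Destination IP\s+(\S+)",
    "dest_port":   r"^Destination Port\s+(\d+)",
    "transport":   r"^Transport Layer Protocol\s+(\S+)",
    "file_name":   r"^File Name\s+(\S+)",
    "direction":   r"^Packet Direction\s+(Outgoing|Incoming)",
    "lock":        r"^Lock Level\s+(Lock Not Engaged|Lock Engaged)",
    "zone":        r"^Zone\s+(Internet|Trusted|Blocked) Zone",
    "alert_count": r"^Alert Count\s+(\d+)",
}
INT_FIELDS = ("source_port", "dest_port", "alert_count")
DHCP_PORTS = {67, 68}


def parse_alert(text: str) -> dict:
    """Extract the known fields from the pasted alert text (first match wins)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        for name, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m and name not in fields:
                fields[name] = int(m.group(1)) if name in INT_FIELDS else m.group(1)
    return fields


def classify_service(fields: dict) -> str:
    """Name the service from transport protocol and destination port."""
    if fields.get("transport") != "UDP":
        return "other"
    port = fields.get("dest_port")
    if port == 53:
        return "DNS"
    if port in DHCP_PORTS:
        return "DHCP"
    return "other"


def triage(fields: dict, svchost_internet_allowed: bool = True) -> tuple:
    """Return (service, verdict).  svchost_internet_allowed mirrors the Program
    Control setting for 'Generic Host Process for Win32 Services' (assumption)."""
    service = classify_service(fields)
    from_svchost = fields.get("file_name", "").upper() == "SVCHOST.EXE"
    outbound = fields.get("direction") == "Outgoing"
    if service == "other" or not (from_svchost and outbound):
        return service, "review: not the svchost DNS/DHCP case"
    if fields.get("lock") == "Lock Engaged":
        return service, "expected: Internet Lock was engaged"
    if not svchost_internet_allowed:
        return service, "expected: svchost is denied Internet access in Program Control"
    return service, f"unexpected: outbound {service} from svchost blocked with lock off and access allowed"


# Constructed sample, using the values posted in the thread for the DNS alert.
DNS_ALERT = """\
Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
Source Port 1060 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert.
Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet.
"""

# Constructed DHCP variant: broadcast to the DHCP server port with the lock on.
DHCP_ALERT_LOCKED = (DNS_ALERT
                     .replace("Destination IP 64.71.255.198", "Destination IP 255.255.255.255")
                     .replace("Destination Port 53", "Destination Port 67")
                     .replace("Lock Level Lock Not Engaged", "Lock Level Lock Engaged"))

if __name__ == "__main__":
    for name, text in (("DNS", DNS_ALERT), ("DHCP/locked", DHCP_ALERT_LOCKED)):
        print(name, triage(parse_alert(text)))
```

Run with `svchost_internet_allowed=False` to see how the verdict changes when Program Control shows svchost's Internet access as blocked, which is the setting to check first before treating the block as a bug.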
Escalader
April 28th, 2007, 02:31 PM
{QUOTE-> ZA for blocking the packet. Only if you have svchost blocked from internet access (or if you enable the internet lock) should DHCP be blocked
Where in ZA would I look to see if the svchost is blocked? Didn't we agree a few posts back on setting to lock the hosts file? Or is this a different thing?
The info you have posted does not match the alert you gave earlier. In your post of the alert, this was for DHCP (port 68), In your last post, this info is for DNS (port 53) <-QUOTE}
I did post 2 alerts, one in, one out. Sorry for my confusion. Here is the log entry for port 53.
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
What happened?
ZoneAlarm Pro blocked an outbound communication to a Domain Name Server. The function of a Domain Name Server (DNS) is to convert a domain's IP address, such as 207.25.71.28, into a recognizable name, such as www.cnn.com.
Should I be concerned?
There is usually no reason to worry about this alert, but it should be investigated. One possibility is that your application attempted to send a query out to the Internet before ZoneAlarm Pro started running on your machine at start-up time. By default, ZoneAlarm Pro is loaded when Windows first starts up. This minimizes the possibility that an application will establish an Internet connection before the TrueVector Service is loaded.
What should I do?
Your internet application may not be not working properly. In that case, stop the application, then restart it. This often fixes the problem and in that case, you will not receive this alert again. In addition, go to the Configure panel to make sure that ZoneAlarm Pro is configured to load when Windows starts. You can also run regular checks on your machine for viruses and Trojan horses.
_________________________________________________________________
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Inside the firewall alert
Alert property Alert property value Technical explanation
Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
Source Port 1060 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Program Version 5.1.2600.2180 The version of SVCHOST.EXE running on your computer.
Alert Date Apr-28-2007 09:36:54 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert
Alert property Alert property value Technical explanation
Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level High This ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your computer.
_________________________________________________________________
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Details
This alert was caused by an attempt to contact a DNS server. Domain Name Service (DNS) is a service provided by your ISP which allows you and the applications on your machine to refer to locations on the Internet by easy-to-remember names instead of by numeric IP addresses.
For example, cnn.com has an IP address of 207.25.71.30. When your application wants to connect to cnn.com, it first connects to port 53 on a DNS server and asks the server what the IP address is for cnn.com. It then proceeds to connect to 207.25.71.30.
Attempting to contact a DNS server is usually nothing to worry about. It is not a hostile action. However, it does indicate that an application on your machine was trying to reach an address on the Internet, or possibly, on your Local Area Network.
The alert usually means that, when you started ZoneAlarm Pro, an Internet application was already running on your machine. What happened is that your application made its original Internet connection before ZoneAlarm Pro was up. The original connection was not registered. For this reason, ZoneAlarm Pro cannot determine whether the most recent communication the application tried to establish should be permitted. Therefore, because your security was set to High, ZoneAlarm Pro has blocked the communication and you received an alert.
In the following paragraphs, we provide a list of reasons why the application may have already been running on your machine before ZoneAlarm Pro started:
An Internet connection may have already been established on your machine when you installed ZoneAlarm Pro. This could have caused the alert if you did not reboot after installation.
You may have started ZoneAlarm Pro manually with an already live connection to the Internet.
Your system may be configured to launch an Internet application when Windows boots up. If that is the case, the application might be establishing an Internet connection before the TrueVector Service finishes loading. This problem should not occur if you did not change the default configuration which causes ZoneAlarm Pro to load at Windows startup. This is an extremely rare problem because ZoneAlarm Pro is designed to avoid this situation.
Another possibility is that a Trojan horse that has been installed on your machine is launching when Windows starts up, then immediately establishing an Internet connection. For your protection, ZoneAlarm Pro immediately blocks any communication a Trojan tries to establish. Leaving ZoneAlarm Pro configured to load at Windows startup is your best protection against Trojans trying to communicate with their masters on the Internet.
If one of your applications is not functioning properly because of the blocked communication referred to by this alert, and if you just installed ZoneAlarm Pro or started ZoneAlarm Pro manually, stop your application then restart it. This will probably solve the problem. Once you restart the application, ZoneAlarm Pro will be able to detect any attempt the application makes to connect to the Internet. In response, ZoneAlarm Pro will either prompt you for permission or enforce the permission settings you have already set on the Programs panel.
To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first.
Related Links
ZoneAlarm web site pages that may be helpful:
ZoneAlarm Online Support
ZoneAlarm Home Page
Stem
April 28th, 2007, 02:39 PM
{QUOTE-> I did post 2 alerts, one in, one out. Sorry for my confusion. Here is the log entry for port 53. <-QUOTE}It was the log entry for the alert that you posted in post#51 (for DHCP). But it does not matter, you do not need to post that.
{QUOTE-> Where in ZA would I look to see if the svchost is blocked? Didn't we agree a few posts back on setting to lock the hosts file? Or is this a different thing? <-QUOTE}Different.
For svchost, look in ZA ->Program control->Programs. svchost is named as "Generic Host Process for Win32 Services"
If DHCP was being blocked, then you would get an alert every 5mins, and eventually you would not be able to connect to the internet.
It must be a bug within ZA.
Escalader
April 28th, 2007, 05:27 PM
{QUOTE-> It was the log entry for the alert that you posted in post#51 (for DHCP). But it does not matter, you do not need to post that.
Different.
For svchost, look in ZA ->Program control->Programs. svchost is named as "Generic Host Process for Win32 Services"
If DHCP was being blocked, then you would get an alert every 5mins, and eventually you would not be able to connect to the internet.
It must be a bug within ZA. <-QUOTE}
Stem:
It is happening frequently, but ZA messages imply that repeated messages will not show up.
In Program control->Programs, "Generic Host Process for Win32 Services" shows Server is trusted but Internet is blocked. Does the fact that we placed the Family LAN as Internet, not Trusted, cause this? ZA seems to think the router should be trusted whereas you and I are saying no, it is part of the defense. Well, it is defending and this is the price?
With the number of people for good or ill using ZA does it seem likely it is a bug or more likely I have installed it wrong or set it up wrong? We are still only part way my learning thread. Right now the Program control is at medium and component control in learning mode.
The latest block help says:
ZoneAlarm Pro blocked a probe to port 67. This is most likely your ISP's DHCP server requesting authentication so it can issue you an IP address. If you received an alert that ZoneAlarm Pro is blocking broadcast address 255.255.255.255 then that is confirmation your computer is asking for an address assignment from a DHCP server
The help offers to add its IP 192.168.1.101 to the trusted zone! I didn't do this.
I will add the 255.255...... to the internet zone and ask what will happen?
Stem
April 28th, 2007, 06:13 PM
@Escalader,
My test PC has only ZA installed,.. My direct tests only check the firewall, not conflicts with other software.
What you are seeing is certainly a problem with ZA, possibly with other software. For a firewall to block outbound DHCP is a major problem. If this was inbound, then some explanation could be made.
I will start in-depth checking, as this needs to be checked/resolved. From my installation/checks I do not see any problem, apart from the initial outbound attempts. But I am certainly interested/concerned.
Escalader
April 28th, 2007, 06:50 PM
{QUOTE-> @Escalader,
My test PC has only ZA installed,.. My direct tests only check the firewall, not conflicts with other software.
What you are seeing is certainly a problem with ZA, possibly with other software. For a firewall to block outbound DHCP is a major problem. If this was inbound, then some explanation could be made.
I will start in-depth checking, as this needs to be checked/resolved. From my installation/checks I do not see any problem, apart from the initial outbound attempts. But I am certainly interested/concerned. <-QUOTE}
Yes, I agree with all your concerns. I restarted my PC after setting 255.255.255.255 to the internet zone. Since then the alerts and blocks to/from DHCP have stopped.
The question I have is why would I as a "typical" FW user even have to do this in a commercial FW product?
Personally I don't mind doing it inside a learning thread, but I didn't start out trying to debug anything let alone ZA Pro.
As an experiment what do you think about me reversing the 255 trick to see if the alerts resume?
Stem
April 29th, 2007, 07:39 AM
{QUOTE-> As an experiment what do you think about me reversing the 255 trick to see if the alerts resume? <-QUOTE}The bootdhcp broadcast is not being blocked on my setup. I cannot understand why it would in your setup.
Remove the entry for 255.255.255.255 ~ internet, then go back into Firewall-> Main-> Internet Zone security-> custom, and enable the "Allow Broadcast/multicast". If any blocked packets for DHCP then show, check the local/remote IP`s.
fax
April 29th, 2007, 09:24 AM
Hi!
Probably one of the reasons why Stem does not get those warnings is that he does not rely on the router for IP allocation and DNS resolving....
How is your set up Stem?
So, in principle, your next step in securing your connection is to disable DHCP in your router and set the different XP machine with fixed IPs and DNS information.
Fax
Stem
April 29th, 2007, 09:41 AM
Hello fax,
I can understand your thought on this. But basically, what you are saying is to disable DHCP, so there would be no need for outbound/inbound DHCP. This is not a fix, but a workaround. Svchost(XP) should not be blocked from making outbound DHCP, unless internet access is denied to svchost(XP), or the internet lock is active. This is the same for DNS(when DNS service/client is active)
Escalader
April 29th, 2007, 10:34 AM
{QUOTE-> The bootdhcp broadcast is not being blocked on my setup. I cannot understand why it would in your setup.
Remove the entry for 255.255.255.255 ~ internet, then go back into Firewall-> Main-> Internet Zone security-> custom, and enable the "Allow Broadcast/multicast". If any blocked packets for DHCP then show, check the local/remote IP`s. <-QUOTE}
Good Morning Stem, boy this is some learning thread for me! I started in grade school now I'm in Q and A at grad school, but I'm not complaining.
I will do the remove 255.255.255.255 and enable Allow Broadcast.... But 1st let me give you some symptoms from my start up this AM. My PC couldn't acquire an address; last nite when I shut down I had disconnected from the internet and closed all security including ZA. I played a standalone game to get some fun out of the PC for a bit. (therapy ;D )
This morning I started up, all security software came to life, 1st BD 10 appears on the task bar, then SS 5.3, then ZA Pro. But of course no connection since it was off from last nite's close down.
Then I got some alerts that seem to me to be down the track you are checking for me and all others who I hope are benefiting from the thread!
They are attached as images. Please look at these and advise if your removal step is still the way to go :-\
Stem
April 29th, 2007, 11:01 AM
Hello Escalader,
Good morning to you, although it is 3:45 PM here in the UK
Interesting alerts/log. I am currently in a thread concerning DHCP and the low level needs for this (http://www.wilderssecurity.com/showthread.php?p=993304#post993304). I have still to see any such alert from ZA, although due to my settings within ZA, these would be only log entries.
I can only, at this time, go from your info and what I see in my own setup. I do not see blocked broadcast, or even blocked IGMP, on boot. I have/do make many boots on the test PC (with installed ZA). I will now perform this again, and show you the logs from my gateway, with what is logged in ZA.
Just give me 15 mins while I boot ZA a few times to compare logs made; I will then show you what is happening during boot. My gateway is allowing all outbound from the test PC (as if it was connected directly to the internet); it is just a case of further filtering by my gateway (invalids etc), but there are no restrictions on what outbound is allowed. (If my gateway does show any outbound blocked from ZA, I would adjust to allow, to see what connections are being made.)
fax
April 29th, 2007, 11:04 AM
{QUOTE-> Hello fax,
I can understand your thought on this. But basically, what you are saying is to disable DHCP, so there would be no need for outbound/inbound DHCP. This is not a fix, but a workaround. Svchost(XP) should not be blocked from making outbound DHCP, unless internet access is denied to svchost(XP), or the internet lock is active. This is the same for DNS(when DNS service/client is active) <-QUOTE}
yep, but I think previous DHCP warnings were not outbound but inbound...
Fax
Stem
April 29th, 2007, 11:05 AM
{QUOTE-> yep, but I think previous DHCP warnings were not outbound but inbound...
Fax <-QUOTE} http://www.wilderssecurity.com/showthread.php?p=993182#post993182 this is outbound, unless the report is incorrect.
If this is a problem with ZA, which at the moment it looks possible, then I would prefer to confirm this, then reports can be made to ZA. This helps ZA to resolve such problems, and if resolved, then stops problems for the end user.
fax
April 29th, 2007, 11:10 AM
{QUOTE-> http://www.wilderssecurity.com/showthread.php?p=993182#post993182 this is outbound, unless the report is incorrect <-QUOTE}
Hi!
I was referring to this:
http://www.wilderssecurity.com/showpost.php?p=993329&postcount=62
"ZoneAlarm Pro blocked a probe to port 67. This is most likely your ISP's DHCP server requesting authentication so it can issue you an IP address"
Fax
Escalader
April 29th, 2007, 11:27 AM
{QUOTE-> Hello Escalader,
Good morning to you, although it is 3:45 PM here in the UK
Interesting alerts/log. I am currently in a thread concerning DHCP and the low level needs for this (http://www.wilderssecurity.com/showthread.php?p=993304#post993304). I have still to see any such alert from ZA, although due to my settings within ZA, these would be only log entries.
I can only, at this time, go from your info and what I see in my own setup. I do not see blocked broadcast, or even blocked IGMP, on boot. I have/do make many boots on the test PC (with installed ZA). I will now perform this again, and show you the logs from my gateway, with what is logged in ZA.
Just give me 15 mins while I boot ZA a few times to compare logs made; I will then show you what is happening during boot. My gateway is allowing all outbound from the test PC (as if it was connected directly to the internet); it is just a case of further filtering by my gateway (invalids etc), but there are no restrictions on what outbound is allowed. (If my gateway does show any outbound blocked from ZA, I would adjust to allow, to see what connections are being made.) <-QUOTE}
No rush, Stem! Take all the time you need.
It is noon here, clear and cool!
My PC is running; I got connected by setting the 255.255.... to TRUSTED.
For all posters here, I'm reading all contributor's posts, but unless Stem tells me to do/change something I'm viewing them as data for Stem! If I act any other way the learning thread will go out of control.
On a personal note, Stem is to be commended for his dedication and patience in doing this work here, which IMO goes way beyond the normal call of duty! I can never repay him; I will try of course. Let's not guess at possible reasons, let's KNOW from a base of either a test, a log or a fact; guessing just deflects energy and time. This is a technical thread, so like the old detective series years ago: "just the facts ... please!" ... circa Joe Friday. ;D
A reminder, I'm trying to optimize ZA pro settings. Not trying to debug the product. If bugs are found, so be it. They can be reported but in my view that is secondary till finished with the ordered list of OP questions.
fax
April 29th, 2007, 11:31 AM
{QUOTE-> If this is a problem with ZA, which at the moment it looks possible, then I would prefer to confirm this, then reports can be made to ZA. This helps ZA to resolve such problems, and if resolved, then stops problems for the end user. <-QUOTE}
I am more inclined to think that working on the router will solve most of this (and XP network setup). In fact, your set-up, if I understood well, is only different in this respect. The rest in ZA is the same.
I would also check not to run any IM programs while testing ZA and the router calls... so as not to complicate the troubleshooting even more.
Fax
Escalader
April 29th, 2007, 11:38 AM
{QUOTE-> I am more inclined to think that working on the router will solve most of this (and XP network setup). In fact, your set-up, if I understood well, is only different in this respect. The rest in ZA is the same.
I would also check not to run any IM programs while testing ZA and the router calls... so as not to complicate the troubleshooting even more.
Fax <-QUOTE}
Thanks for the opinion. I don't use IM; it is disabled.
I'll wait for Stem's results and take next steps based on his tests and my actual observations.
It's not really that complicated for me at all, very interesting work though! ;D
Stem
April 29th, 2007, 11:43 AM
{QUOTE-> I am more inclined to think that working on the router will solve most of this (and XP network setup). In fact, your set-up, if I understood well, is only different in this respect. The rest in ZA is the same. <-QUOTE} As I have mentioned, my setup is a base XP setup. All base (default) XP services are enabled. From this, I have DHCP enabled, DNS client/service enabled. For a typical end user, these are base settings, even behind a router. Yes, changing Windows settings can/will change the needs of comms, but the thread is for settings within ZA, not the OS.
{QUOTE-> I would also check not to run any IM programs while testing ZA and the router calls... so as not to complicate the troubleshooting even more.
<-QUOTE} At this point, I have only connected out via IE from the test PC.
fax
April 29th, 2007, 12:07 PM
{QUOTE-> At this point, I have only connected out via IE from the test PC. <-QUOTE}
Yes, this was more for Escalader than you... sorry for the misunderstanding...
Fax
oldshep
April 29th, 2007, 12:51 PM
Not sure if this is the same thing you guys are talking about but I thought I'd throw it out there anyway...
When I was using ZA Pro 7.0.377 a while back, I had my local network set to Internet and I was getting a lot of firewall log entries denying service host, even though I had it set to super in program control. Someone on the ZA forum suggested that I add the DNS and DHCP server address as trusted. By using ipconfig /all at the command prompt, I found that my router was the DNS / DHCP server. So I added my router address as trusted (along with the loopback adapter (127.0.0.1)) and the logging problem for service host went away and never came back. I don't know if this causes a security concern...
My setup is WinXP SP2, SS 5.3, Nod32 2.7. Verizon Fios IP, Actiontec router w/ SPI and NAT.
If this info is not germane to the present discussion, please disregard and continue with this excellent and educational thread.
Regards,
Oldshep
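As an added example (not code from this thread or from ZoneAlarm), here is a small Python model of the zone handling discussed in Stem's remove-255.255.255.255/Allow Broadcast step and in Oldshep's router-as-trusted approach, run over a constructed boot-time DHCP exchange. The zone rules it applies are an assumption that approximates the behaviour described, not ZoneAlarm's actual implementation; the router address 192.168.1.1 and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed (simplified) zone rules, not ZoneAlarm's real logic: a packet whose source or
# destination matches a Trusted-zone entry is allowed; otherwise broadcast/multicast is
# governed by the Internet zone's custom "Allow Broadcast/multicast" option, and
# unsolicited inbound unicast from the Internet zone is dropped.
BROADCAST = ipaddress.ip_address("255.255.255.255")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (from this PC) or "in" (to this PC)
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Policy:
    trusted: list = field(default_factory=list)  # Trusted-zone IPs or CIDR ranges
    allow_broadcast: bool = False  # Firewall > Main > Internet Zone security > Custom

    def zone_for(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(e, strict=False) for e in self.trusted)
        return "trusted" if hit else "internet"

def is_dhcp(p: Packet) -> bool:
    # DHCP/BOOTP uses UDP 67 (server) and 68 (client)
    return bool({p.sport, p.dport} & {67, 68})

def allowed(p: Packet, policy: Policy) -> bool:
    if any(policy.zone_for(ip) == "trusted" for ip in (p.src, p.dst)):
        return True
    dst = ipaddress.ip_address(p.dst)
    if dst == BROADCAST or dst in MULTICAST:
        return policy.allow_broadcast
    return p.direction == "out"

def blocked_dhcp(packets, policy: Policy):
    """Remote (IP, port) of each DHCP packet the policy blocks: the local/remote IPs to check in the log."""
    return [(p.dst, p.dport) if p.direction == "out" else (p.src, p.sport)
            for p in packets if is_dhcp(p) and not allowed(p, policy)]

# Constructed boot-time exchange: the PC has no address yet, router 192.168.1.1 is the DHCP server.
BOOT_PACKETS = [
    Packet("out", "0.0.0.0", "255.255.255.255", 68, 67),     # DISCOVER from svchost
    Packet("in", "192.168.1.1", "255.255.255.255", 67, 68),  # OFFER broadcast back
    Packet("out", "0.0.0.0", "255.255.255.255", 68, 67),     # REQUEST
]
```

Under this model the default Internet-zone setting blocks the whole exchange, enabling Allow Broadcast/multicast or trusting 255.255.255.255 lets it through, and trusting only the router address admits the router's reply but still blocks the client's own broadcasts.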
fax
April 29th, 2007, 01:00 PM
{QUOTE-> Not sure if this is the same thing you guys are talking about but I thought I'd throw it out there anyway... <-QUOTE}
Yep, that would solve the problem... but they excluded adding the router to the trusted zone.... Or more simply setting the LAN to trusted.
It's more an exercise to set everything per the book. Interesting indeed but practically (day to day use) unnecessary (IMO).
Fax
Escalader
April 29th, 2007, 01:15 PM
{QUOTE-> ......
....... Someone on the ZA forum suggested that I add the DNS and DHCP server address as trusted. By using ipconfig /all at the command prompt, I found that my router was the DNS / DHCP server. So I added my router address as trusted (along with the loopback adapter (127.0.0.1)) and the logging problem for service host went away and never came back. I don't know if this causes a security concern...
.......
If this info is not germane to the present discussion, please disregard and continue with this excellent and educational thread.....
Regards,
Oldshep <-QUOTE}
Hello OldShep, I remember you! :thumb:
I also recall the loopback adapter point, so this is a question of security Stem will address when he has time.
One thing we have said is that the router is a key piece of the security layer, therefore I have it as Internet, not trusted. Stem has not said to me as the "learner" here to put it as trusted, so I haven't.
I think your post is relevant but all posts are for Stem to review and then advise, then and only then do I change a setting.
I did have to put 255.255..... in as trusted this AM to get an address.
If I really wanted to just stop the alerts and blocks I know several ways in ZA Pro I could accomplish it, but the point is to set optimum settings, not those that are.... how to say this.... workarounds or methods that get rid of messages but lower the security of my PC and, by extension, others reading the thread!
oldshep
April 29th, 2007, 01:30 PM
OK, I didn't realize you guys were specifically trying to keep the router in the internet zone. I will look forward to Stem's comments on the security ramifications of putting the router (and loopback adapters) in the trusted zone. And I will continue to read all further comments in this excellent thread.
Oldshep
oldshep
April 29th, 2007, 01:46 PM
@fax,
It seemed to me at the time that adding only the router address (instead of the entire LAN) was more secure. My router has a wireless connection, so if I added the entire LAN and someone cracked the wireless encryption, they could get access to my PC (?). Cracking the wireless encryption would not be trivial, but if I wasn't a bit of a paranoid about stuff like that, I probably wouldn't spend so much time on these forums ;D
Oldshep
fax
April 29th, 2007, 01:48 PM
{QUOTE-> If I really wanted to just stop the alerts and blocks I know several ways in ZA Pro I could accomplish it, but the point is to set optimum settings, not those that are.... how to say this.... workarounds or methods that get rid of messages but lower the security of my PC and, by extension, others reading the thread! <-QUOTE}
Just to avoid panic among other ZA users and users of firewalls in general: adding your router to the trusted zone will not lower your security.
If we define security as the package of measures you are using for protecting your computer from an external threat, you are absolutely safe. Bet anyone to get into your system with such a setting without direct interaction with the machine or exploiting a flaw or weak setting of the router. This has been experimented before in the community.
Ve