Router Firewall

Discussion in 'other firewalls' started by johnsonman, Nov 17, 2011.

Thread Status:
Not open for further replies.
  1. johnsonman

    johnsonman Registered Member

    Joined:
    Nov 17, 2011
    Posts:
    2
    Here goes nothin ..

    Have a LAN media server that does not require any access to the outside world. Have set my D-Link router (DIR-825) through "access control" to block all outside traffic.

    Problem - iTunes Home Share. Turns out that iTunes needs to communicate with the iTunes Store for certain DRM purchases. How would I go about making this exception? I can't just block every port except for the iTunes Store, can I? Am I destined to be forced to have a LAN server access the internet just because of iTunes? o_O

    Please help. Thank you.
     
  2. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    First, Welcome to Wilders Security Forums johnsonman

    I read the User Manual for your D-Link router (DIR-825); that is a very nice Router.
    From what I read and understand, the Access Control is an all or nothing thing, meaning one can either block or
    allow but not be selective by allowing one thing while blocking another. Maybe it is possible, but it appears complex.

    So here is what I suggest:
    Remove any blocks and/or allows from the Router in regards to iTunes Home Share.
    On the LAN Media Server install ZoneAlarm Free Firewall. The reason I suggest the ZoneAlarm Free Firewall is
    because the firewall has a feature called 'Internet Lock'. When Internet Lock is engaged, only traffic initiated
    by programs to which you have given 'Pass Lock Permission' is allowed. All other traffic to and from the computer
    is stopped, blocked.

    You will need to allow the following 'Pass Lock Permissions' (these are the ones that I am aware of):

    UDP OUT on Port 53 for DNS (domain name service)
    UDP OUT on Port 123 for Time (time is critical on networked computers)

    For Home Sharing to communicate with shared iTunes libraries:
    TCP OUT on Port 3689
    UDP OUT on Port 5353

    iTunes must be allowed to contact Apple using the following ports and servers:
    TCP OUT on Port 80 (http)
    TCP OUT on Port 443 (https) to
    phobos.apple.com, deimos3.apple.com, albert.apple.com, gs.apple.com, itunes.apple.com, ax.itunes.apple.com

    NOTE: The above may not be complete or correct


    However, there is a more thorough and safe approach.
    The simplest way to create these Firewall Rules would be to run iTunes Home Share and create the Rules as you
    are prompted by the Firewall and/or, ideally and preferred, allow the ZoneAlarm Firewall to Automatically Create
    All The Firewall Rules, then assign 'Pass Lock Permissions' to:
    svchost.exe for DNS
    svchost.exe for time
    all the rules created for iTunes Home Share
    (now all other communications will be blocked as long as 'Internet Lock' is Engaged)

    Suggestion: Configure the Internet Lock to "Lock when screensaver activates" and configure a short screensaver
    delay such as one to three minutes.

    Also place your Home Network in the 'Trusted Zone' to allow 'File and Printer Sharing' only within your Home Network
    with the LAN Media Server.

    NOTE: You may want to send a Personal Message (PM) to user 'fax' here on the Wilders Security Forum for more
    insight, as 'fax' is very knowledgeable about ZoneAlarm and is a "Guru" on the ZoneAlarm Forum.


    References, Downloads, Manuals:

    Troubleshooting Home Sharing:
    http://support.apple.com/kb/TS2972

    iTunes: Troubleshooting security software issues:
    http://support.apple.com/kb/TS3125

    Download ZoneAlarm Free Firewall:
    http://download.zonealarm.com/bin/free/information/znalm/zaReleaseHistory.html

    Download ZoneAlarm Free Firewall User Guide PDF:
    http://download.zonealarm.com/bin/media/pdf/zaclient91_user_manual.pdf


    please print me

    EDIT: completeness


    HKEY1952
     
    Last edited: Nov 21, 2011
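    The default-deny, per-program egress allow-list described in the post above, written as Windows Firewall rules. This is an added example, not code from the thread or from ZoneAlarm; it assumes Windows 8 / Server 2012 or later, an elevated shell, and the two program paths marked as placeholders.

```powershell
# Added example (not from the thread or ZoneAlarm): the per-program egress allow-list
# from the post, as Windows Firewall rules. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated shell. The two program paths are placeholders.
$iTunesExe  = "$env:ProgramFiles\iTunes\iTunes.exe"           # placeholder path
$mdnsExe    = "$env:ProgramFiles\Bonjour\mDNSResponder.exe"   # placeholder path; Bonjour does mDNS for iTunes (assumption)
$svchostExe = "$env:SystemRoot\System32\svchost.exe"

# Default-deny outbound on every profile: the counterpart of ZoneAlarm's 'Internet Lock'.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Allow-list from the post. Windows Firewall matches remote *addresses*, not hostnames,
# so the Apple server names cannot be encoded here; the rules are scoped by program instead.
$rules = @(
  @{ Name = 'Egress: DNS (svchost)';      Program = $svchostExe; Proto = 'UDP'; Port = 53;   Remote = 'Any' },
  @{ Name = 'Egress: NTP (svchost)';      Program = $svchostExe; Proto = 'UDP'; Port = 123;  Remote = 'Any' },
  @{ Name = 'Egress: Home Sharing DAAP';  Program = $iTunesExe;  Proto = 'TCP'; Port = 3689; Remote = 'LocalSubnet' },
  @{ Name = 'Egress: Home Sharing mDNS';  Program = $mdnsExe;    Proto = 'UDP'; Port = 5353; Remote = '224.0.0.251' },
  @{ Name = 'Egress: iTunes Store HTTP';  Program = $iTunesExe;  Proto = 'TCP'; Port = 80;   Remote = 'Any' },
  @{ Name = 'Egress: iTunes Store HTTPS'; Program = $iTunesExe;  Proto = 'TCP'; Port = 443;  Remote = 'Any' }
)

foreach ($r in $rules) {
  # Drop any stale copy first so the script is safe to re-run.
  Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
  New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow -Enabled True `
    -Program $r.Program -Protocol $r.Proto -RemotePort $r.Port -RemoteAddress $r.Remote `
    -Profile Any | Out-Null
}

# Verification: DefaultOutboundAction must read Block on every profile, and the only
# enabled outbound allow rules should be the ones created above plus Windows' own.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
  Sort-Object DisplayName | Format-Table DisplayName, Profile, Group -AutoSize
```

    Windows ships with its own enabled outbound allow rules (the "Core Networking" group, among others), so the second listing is the place to spot anything beyond this allow-list that would still pass traffic while the default is Block.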
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Please note that you will need to use ZAfree version 9 to be able to use the internet lock feature.

    Thank you HKEY1952 for the kind words, but I am not really experienced with this sort of setup; I have never used internet lock myself. :)

    Cheers,
    Fax
     
  4. johnsonman

    johnsonman Registered Member

    Joined:
    Nov 17, 2011
    Posts:
    2
    Thanks for the reply, I am aware of ZoneAlarm's software lock. I still prefer a hardware firewall. Too bad ZoneAlarm doesn't design routers. I'm just going to remove the rule when I want to add video; I can do it pretty fast through my iPhone. Thank you for taking the time and effort to look over the manual; you are right, the block feature is either on or off, or you can choose from ten or so slots of your choice of ranged ports to block, along with IP addresses for blocking websites etc. Too bad the block feature doesn't have application rules / exceptions.
     
  5. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    You are welcome johnsonman

    ZoneAlarm, owned by Check Point, does in fact provide a Wireless Router, the Z100g Wireless Router.

    The ZoneAlarm Secure Wireless Router Z100g by Check Point Offers Enterprise Level Protection for Home Wireless Networks.
    With this Router you could do exactly what you are currently attempting to do with your D-Link router, and more.
    The Z100g also has Antivirus Scanning at the Network's Edge. The Z100g requires a Subscription to Services in
    order to fully provide Network Security and is not for the faint of heart. Knowledge of Networking is required to
    fully appreciate and administer this router. All security levels are controlled, enforced, and deployed at the
    Network's Edge, as security should be for a Network.

    You could learn to administrate it!

    ZoneAlarm Secure Wireless Router Z100g New Version 8.0 by Check Point:
    http://www.checkpoint.com/press/2009/zonealarm-wireless-z100g-020909.html

    Getting Started Guide:
    http://download.zonealarm.com/bin/media/pdf/gettingStarted_z100g.pdf

    User Guide:
    http://download.zonealarm.com/bin/media/pdf/ZoneAlarm_UserGuide.pdf


    HKEY1952
     