Router Firewall

Discussion in 'other firewalls' started by johnsonman, Nov 17, 2011.

Thread Status:
Not open for further replies.
  1. johnsonman

    johnsonman Registered Member

    Nov 17, 2011
    Here goes nothin ..

    Have a LAN media server that does not require any access to the outside world. Have set my D-Link router (DIR-825) through "access control" to block all outside traffic.

    Problem - Itunes Home Share. Turns out that Itunes needs to communicate to the Itunes store for ceratin DRM purchases. How would I go about making this acception ? I cant just block every port except for itunes store can I ? I'm I destined to be forced to have a LAN server access to the internet just becuase of ituneso_O

    Please help. Thank you.
  2. HKEY1952

    HKEY1952 Registered Member

    Jul 22, 2009
    HKEY/SECURITY/ (value not set)
    First, Welcome to Wilders Security Forums johnsonman

    I read the User Manual for your D-Link router (DIR-825), that is an very nice Router.
    From what I read and understand, the Access Control is an all or nothing thing, meaning, one can either block or
    allow but not be selective by allowing one thing while blocking another. Maybe it is possible but appears complex.

    So here is what I suggest:
    Remove any blocks and/or allows from the Router in regards to iTuns Home Share.
    On the LAN Media Server Install ZoneAlarm Free Firewall. The reason I suggest the ZoneAlarm Free Firewall is
    because the firewall exists an feature called 'Internet Lock'. When Internet Lock is engaged only traffic initiated
    by programs by which you have given 'Pass Lock Permission' are allowed. All other traffic to and from the computer
    is stopped, blocked.

    You will need to allow the following 'Pass Lock Permissions' (these are the ones that I am aware of)

    UDP OUT on Port 53 for DNS (domain name service)
    UDP OUT on Port 123 for Time (time is critical on networked computers)

    For Home Sharing to communicate with shared iTunes libraries:
    TCP OUT on Port 3689
    UDP OUT on Port 5353

    iTunes must be allowed to contact Apple using the following ports and servers:
    TCP OUT on Port 80 (http)
    TCP OUT on Port 443 (https) to,,,,,

    NOTE: The above may not be complete or correct

    However, there is an more thorough and safe approach.
    The simplest way to create these Firewall Rules would be to run iTunes Home Share and create the Rules as you
    are Prompted by the Firewall and/or ideally, and preferred, allow the ZoneAlarm Firewall to Automatically Create
    All The Firewall Rules then assign 'Pass Lock Permissions' to:
    svchost.exe for DNS
    svchost.exe for time
    all the rules created for Itunes Home Share
    (now all other communications will then be blocked as long as 'Internet Lock' is Engaged)

    Suggestion: Configure the Internet Lock to "Lock when screensaver activates" and configure an short screensaver
    delay such as one to three minutes.

    Also place your Home Network in the 'Trusted Zone' to allow 'File and Printer Sharing' only within your Home Network
    with the LAN Media Server.

    NOTE: You may want to send an Personal Message (PM) to user 'fax' here on the Wilders Security Forum for more
    insight as 'fax' is very knowledgeable about ZoneAlarm and is an "Guru" on the ZoneAlarm Forum.

    References, Downloades, Manuals:

    Troubleshooting Home Sharing:

    iTunes: Troubleshooting security software issues:

    Download ZoneAlarm Free Firewall:

    Download ZoneAlarm Free Firewall User Guide PDF:

    please print me

    EDIT: completeness

    Last edited: Nov 21, 2011
  3. fax

    fax Registered Member

    May 30, 2005
    Please note that you will need to use ZAfree version 9 to be able to use the internet lock feature.

    Thank you HKEY1952 for the kind words but I am not really experienced with these sort of setups, never used internet lock myself. :)

  4. johnsonman

    johnsonman Registered Member

    Nov 17, 2011
    Thanks for the reply, I am aware of zone alarms software lock. I still prefere a hardware firewall. To bad zone alarm doesn't design routers. I'm just going to remove the rule when I want to add video, I can do it pretty fast through my iPhone. Thank you for taking the time and effort to look over the manual , you are right the block feature is either on or off, or you can choose from ten or so slots of your choice of ranged ports to block , along with ip addresses for blocking websites etc. To bad the block feature doesnt have application rules / exceptions.
  5. HKEY1952

    HKEY1952 Registered Member

    Jul 22, 2009
    HKEY/SECURITY/ (value not set)
    You are welcome johnsonman

    ZoneAlarm, Owned by Check Point, does in fact provide an Wireless Router, the Z100g Wireless Router.

    The ZoneAlarm Secure Wireless Router Z100g by Check Point Offers Enterprise Level Protection for Home Wireless Networks.
    With this Router you could do exactely what you are currently attempting to do with your D-Link router, and more.
    The Z100g also exists Antivirus Scanning at the Networks Edge. The Z100g requires an Subscription to Services in
    order to fully provide Network Security and is not for the faint of heart. Knowledge of Networking is required to
    fully appreciate and administer this router. All security levels are controlled, enforced, and deployed at the
    Networks Edge as security should be for an Network.

    You could learn to administrate it!

    ZoneAlarm Secure Wireless Router Z100g New Version 8.0 by Check Point:

    Getting Started Guide:

    User Guide:

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.