"Trusted zone" vs internet access

Discussion in 'other firewalls' started by himynamaborat, Jul 25, 2009.

Thread Status:
Not open for further replies.
  1. himynamaborat

    himynamaborat Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    26
    I currently use ZoneAlarm, and I find it useful when you can allow a program access to the trusted zone while not allowing general internet access.

    For instance, when you want to use a proxy with Firefox, you can allow Firefox to access the trusted zone, which basically allows it access to localhost/127.0.0.1. Many times, even when I set Firefox to only access localhost, a plugin will attempt to access the internet and bypass my proxy.

    ZoneAlarm is the only firewall I've tried that will block the plugin and maintain access through my proxy. I would like to use other firewalls, but it's always been a deal-breaker when I haven't been able to configure them to differentiate between localhost and direct internet access.

    Any suggestions on how to do this with other firewalls?

    I know everyone here goes by the highest percentage of leak tests that a firewall passes. :D So, I was hoping to figure out how to do this with Online Armor.

    Thanks

    p.s. Let me add a few details. A few weeks ago I tried a few of the top rated firewalls on Matousec. I don't remember the specifics of the problems I had with each one, but, suffice it to say, I couldn't get any of them to replicate the experience I've had with ZA. Not to say that it couldn't be done with some tweaking, but I didn't have success with my initial tests.

    With ZA, I generally don't grant any program automatic access to the trusted or internet zone. I always decide every time I open the program. Sometimes I use a browser with direct internet and sometimes I want to route it through a proxy (e.g. proxomitron, tor, etc.). But Firefox doesn't always cooperate. In fact, if I surf long enough, almost undoubtedly, ZA will alert me that Firefox is trying to access the internet, even when I specifically tell it to use the localhost.

    Now to what I recall from the other firewalls (I've forgotten a lot of the details). I had trouble getting any other firewall to ask me EVERY time I open a browser if I want to grant localhost access then if I want to grant internet access. I recall some firewalls having several popups asking me if I want to allow this or allow that. Then when I grant access, some firewalls seem to choose not to ask me the same questions the next time I open the program. Basically I want just one (and only one) popup when I open a program asking about localhost access. Then one (and only one) popup asking about direct internet access. A lot of firewalls seemed to give me around 10 popups when I open a browser, and then seemed to remember my choices and not ask me the same questions the next time I open the same browser.

    The reason for this is that sometimes I use Firefox with direct internet access, then I want to switch to some proxy later on. With ZA, I just close the browser and reopen it. Then I grant localhost access and deny direct internet access. Invariably, ZA will catch Firefox attempting to access the internet and save my butt.

    Maybe I'm doing all of this wrong, and there's something obvious I'm missing. But I don't see how you can use proxies with firewalls that don't easily allow you to differentiate between localhost and internet access. From my experience, browsers and other programs in general can't be trusted to follow your instructions.
     
    Last edited: Jul 25, 2009
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi, well someone who's on the same wavelength !

    I'm seriously thinking of trying Outpost, after a number of recent good opinions from members on here. But one of the things I like about ZA is being able to selectively allow/disallow the trusted zone and/or internet zone for every App.

    I don't give any browser automatic access, or many other Apps either. The version I've been using for several years is 5.5.062.000. I've used later versions like v8 on a Vista PC, but it wants to phone home every day ? and it seems there's no way to block it, though I've tried. Nothing wrong with v5, but I felt like experimenting, as the reviews on Matousec were excellent.

    Now if Outpost can offer the same functions as above, and more, is easy to configure, then it might be a green light. I know Outpost beats ZA on those tests, but in the past I've thrown every known leak test at ZA and I think only one or two got through.

    So if anyone else can offer some words of wisdom, then I'm all ears too.
     
  3. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    The free version of OA has intercept loopback interface, I will copy and paste OA's description, as I can't explain it any better :p

    "Intercept Loopback interface – Some programs that filter internet content (such as some ad-blockers, antivirus software, and spam filters) operate as a proxy server which your internet software is then configured to connect to in order to connect to the internet. This connection is created using the “loopback interface.” Since most loopback connections are harmless system functions this interface is not usually monitored, however if you are running a proxy that is already allowed to access the internet, malicious software could potentially use this software to connect to the internet without the Firewall alerting you. This option allows you to change whether Online Armor will pop-up when the loopback interface is used. This option is disabled by default."

    The free version has loopback, but it doesn't allow you to set up endpoint restrictions for individual applications. The paid version will allow you to set endpoint restrictions "127.0.0.1" for individual applications.

    -------------------------------------------------

    I thought ZoneAlarm fixed the "phoning home" gripe. Last I knew they admitted it was an "error" :doubt: which was to be fixed.
     
  4. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    Outpost has allowed control over the loopback interface for a long time. The linked thread shows an example of this control.
    Setting up Tor/Proxomitron+SocksCap (How to)
     
  5. himynamaborat

    himynamaborat Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    26
    I've been using ZA for several years, and it's always had one glaring weakness, in my opinion. When a browser is open, and you've granted it internet access, any program can use that open browser to access the internet. As far as I know, you won't get any warning. It's been like that for all the years I've been using it. I've installed numerous pieces of legitimate software that have been able to access whatever site they want when Firefox is already open. Of course, I'd be alerted if Firefox were closed, but I consider this an unacceptable flaw.

    Perhaps it's been fixed in the more recent versions, but I don't know which.
     
  6. himynamaborat

    himynamaborat Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    26

    I read through the thread. I have no experience setting up rules, but it doesn't seem too hard. But my question is, how easy is it to change from one set of rules to another set? Let's say I want Firefox (or Proxomitron) to access the internet directly for a while. Then I want to switch to using a proxy. Can I do that easily or do I have to manually re-enter new rules every time I want to change something? I need to be able to switch from one set of rules to another relatively easily.

    For instance, it's trivial to change the rules for Proxomitron. You just create a CFG file for every set of rules you want, then drag and drop the one you want. ZA has always been easy to adapt every time I load a new CFG file with Proxomitron. I just close and re-open Proxomitron, and ZA will ask me again what kind of access I want to grant to Proxomitron.

    In order for this to work with Outpost, I would need to be able to change the rules rapidly without having to manually re-enter them every time.
     
    Last edited: Jul 25, 2009
  7. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    There are a couple ways to do this but not as easily as drag and drop.

    You can:

    1. Easily turn off any rules for any application by simply unticking them. So depending on how many rules you are talking about this could be just a matter of ticking and unticking a few boxes.

    2. You can make up alternate configurations. Once set up, all you do is import the configuration you want. A configuration includes all the application rules and your settings. This is the quickest approach but may take a little longer to setup depending on exactly what you want to do.

    Bear in mind that ZA and Outpost are rather different and it will take a while to get used to it, so you may want to postpone tricky things like this until you are familiar with how it works.
     
  8. himynamaborat

    himynamaborat Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    26

    Okay, I'll look into this when I get a chance to remove my existing firewall and install a new one (within a few days).



    I'll try this strategy as well within the next few days.
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Not in any recent (7, 8 and 9) retail version. Probably a limit of the free version? Never used it. :)

    Fax
     
  10. himynamaborat

    himynamaborat Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    26

    I've never used the free version. Perhaps it was versions earlier than 7. I don't recall the last time it happened, but I'm almost certain ver. 5.5 is affected by this.

    I'm not trying to say ZA is bad software with this thread. In fact, I still think it's very good. I really like its simplicity and the whole concept of trusted/internet zones. I would just like to have options other than ZA in the future.

    I'm just curious as to what other people do when they want to do quick changes of the permissions they grant a program. Certainly, you and I are not the only ones that like to switch between direct internet and a proxy (sometimes many different proxies for different situations) for a program. Since the program itself can't be trusted to do what you say, then it seems to me a software firewall is the last line of defense in limiting what a program can access. In fact, if someone is just relying on Firefox (or another browser) to access a proxy such as Tor, they should probably know that those network settings are basically just a loose suggestion to most browsers. Unless a modified browser is used (including removing most/all plugins), don't count on the browser to do what you ask it to do.

    So, I consider it a must to be able to rapidly change the rules in a software firewall without having to manually enter the data every time. It should be relatively simple to do because I often like to change it multiple times a day.
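
Added example, not part of any post in this thread: a minimal audit of the rule discussed above ("this program may only reach the local proxy, never the internet directly"), showing the address forms a loopback-only check has to cover. The connection-record layout, process names, addresses and port numbers are constructed for illustration and are not the output or configuration of any firewall named here.

```python
import ipaddress

# Constructed sample: one connection per line as "process remote_addr remote_port".
# This layout is invented for the example; it is not the output of any real tool.
SAMPLE = """\
firefox.exe 127.0.0.1 8080
firefox.exe 127.0.0.1 9050
firefox.exe ::1 8080
firefox.exe ::ffff:127.0.0.1 8080
firefox.exe 203.0.113.10 443
firefox.exe 127.1.2.3 8080
firefox.exe 2001:db8::5 80
proxy.exe 198.51.100.7 443
"""

def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.x.x)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge the embedded IPv4 address instead
    return ip.is_loopback

def audit(text, process, allowed_ports):
    """Return (remote, port, reason) for each connection by `process` that
    breaks the rule "loopback only, and only to the proxy's listening ports"."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].lower() != process.lower():
            continue  # malformed line or a different program
        remote, port = parts[1], int(parts[2])
        if not is_loopback(remote):
            findings.append((remote, port, "direct internet access"))
        elif port not in allowed_ports:
            findings.append((remote, port, "loopback port not in allow-list"))
    return findings

if __name__ == "__main__":
    # 8080 stands in for the local proxy's listening port (an assumption).
    for finding in audit(SAMPLE, "firefox.exe", {8080}):
        print(finding)
```

A rule that matches only the literal string `127.0.0.1` would misjudge the `::1`, `::ffff:127.0.0.1` and `127.1.2.3` records, which is why the check works on parsed addresses.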
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    IMO ZA is still the easiest, maybe because I am used to it... tried Comodo, OA and Outpost. They are all very good or leaktest champions but not as user friendly as ZA. If you are concerned by leaktest note that latest ZA is much better. ZA 9 will be even better. ZA marketing has finally realised that leaktests (although largely useless) are a powerful marketing tool. :)

    Fax
     