Discussion in 'other firewalls' started by Paul Wilders, Sep 28, 2002.
Please post comments in regard to this thread over here, to avoid pollution.
Thanks in advance!
Great tutorial, however, I don't have a standard OE setup. Outlook Express is set up to poll for email on two ISP's (one using SSL protocal), Hotmail, and "MyRealBox." To add to the mess, I have newsgroups set up through the SSL protocal and others (such as GRC and microsoft).
I have been able to restrict the ports that OE can access, but OE I can't poll "everything" without OE accessing the internet.
One of these days, I'll try to configure it as you described, but not today.
Great Contribution LowWaterMark.
I will be bookmarking that one.
very good post !!
LWM, you've earned yourself a Karma Cookie!
Er...I'll have to owe you one, since you haven't made one hundred posts yet...
HeHeHe. I did it. Outlook Express does not access the internet anymore.
That's great. I really like to see programs limited to using just what is absolutely necessary in order to run. (A kind of "least privilege" thing.) It's a reason why I also run a sandbox application on my system (Tiny Trojan Trap).
Another thing I'm trying out is I've made a second copy of Internet Explorer on my system. (I use IE as my default browser.) Then, in ZA Plus, I've restricted the original copy of IE (iexplorer.exe) to having only Trusted Zone access and a limited set of ports and protocols. (Specifically it gets DNS; HTTP-80, 443 & 8080; and UDP 1024-5000.)
If any malicious program fires up a default IE session, it ends up with very limited network access. Meanwhile, another version of IE, under a different name, gets more open access in ZA+, so that I can actually surf. It's been an interesting experiment, so far.
I don't think Win98SE is going to let me have another copy of IE.
I'm going to work on other programs next, such as the various "auto update" programs for AV, AT, spy checkers, etc.
I am using W98SE with Outlook Express 6. I tried to configure as you recommended:
1. Allow access only for :
DNS servers (TCP and UDP 53)
Mail servers POP (TCP port 110)
Mail servers SMTP (TCP port 25)
New servers (TCP port 119)
2. Put the mail server pop.freesbee.fr in the Trusted zone
3. Block Internet access to OE.
Each time Windows is restarted, OE displays the error message (translation) :
"Impossible to find the host pop.freesbee.fr. Verify that you have correctly entered the server name. Account : 'Mail of ...', Server : 'pop.freesbee.fr', Protocole : POP3, Port : 110, Secure (SSL) : No, socket error : 11001, Error number : 0x800CCC0D"
If I allow Internet access, then OE is ok. Then I block Internet access again and OE remains ok !
Do you see something wrong ?
Can you clarify this for me a bit? When you state: "Each time Windows is restarted, OE displays the error message..." do you literally mean that during or at the end of booting up, this OE error message pops up? Or do you simply mean that the first time you run OE after a boot, whether a minute after booting or hours later, you get this error?
It is an important distinction because the first case implies that OE is running in the boot process, and perhaps it's attempting to get out before ZA is ready to allow it. Basically, a timing issue. The second case could show a very different problem. If ZA does not handle an access right the first time you do something to trigger it, but, after making an adjustment, running it, and setting ZA back, it works correctly from then on, that could show that your ZA true vector database might have an inconsistency and need rebuilding.
The error occurs when I start manually OE, generally a few minutes after booting. The error also occurs the first time OE sends a message.
How to rebuild the ZA true vector database please ?
If you need to refresh (rebuild) the ZA True Vector database because it is not saving settings or because it appears to "get confused" with settings, then you can follow the instructions at this page (item #10):
But, be aware that the True Vector database stores all of Zone Alarm's custom settings. All the trusted sites, the program permissions, the specific firewall block and allow settings, everything. You'll need to redo these after refreshing the database. Once you've done it a few times, it's not hard, but, make sure you know what settings you've made before you wipe out the database. When they are gone, they are gone.
It may not fix your problem, but, it's one of the first recommendatioms whenever ZA starts acting oddly, such as how you described. Read the link over and if you have questions, ask them here before trying it.
Edit - typos
I'll read the instructions carefully. Thanks.
The problem has not been fixed after the True Vector database is rebuilt according to their procedure
The positive point is that now I know when and how to rebuild the database
Well this is the very first thing I did when I installed Zone Alarm Pro.
I setup everything manually.
Anywhere from Icq to kazza lite.
ps: i checked to see if we had the same settings...yeap...
Yinda, what other hosts / servers are in your Trusted Zone, as seen in the ZA > Firewall > Zones screen? Do you have your ISP's DNS servers in the Trusted Zone? If not, you will need to add them. Since OE will only be able to access Trusted hosts in this configuration, the DNS servers must be in the ZA Trusted Zone. (I'll have to edit the original config post to reflect this.)
Let me know if this fixes it.
I added 3 Hosts/Sites in the Trusted zone myself : pop.freesbee.fr, pop.wanadoo.fr and smtp.wanadoo.fr (freesbee is my usual mail server, wanadoo is my ISP)
The IP Address / Site 126.96.36.199/255.0.0.0 has been added by ZA as Network (I would not know how to specify the address myself)
Is that correct ?
PS. The name of Network added by ZA in the Trusted zone is Wanadoo.
It's sounds like you have your email servers covered well, but, you need to add your two DNS servers to the ZA Trusted Zone. You don't add those by name, (since DNS servers are needed to resolve names), you add them by address or range. I can not say that the "network" that was added covers your DNS, usually it doesn't, and most times the "networks" are added as "internet" zone not "trusted", for security reasons.
Do you know the IP addresses of your ISP's DNS servers? You can just look on your system when you are connected and it'll tell you your current DNS servers. If you are on NT/2K/XP, go to a CMD window (Start menu > Run... > CMD) and type: ipconfig /all
- It will list DNS servers there.
If you are on Windows 9x or ME - goto Start menu > Run... > winipcfg
- In that screen, hit the "More Info>>" button and look for DNS servers line and notice there is a little box next to it with a "..." - you hit that to see other DNS server(s).
Add these as separate trusted addresses into ZA and try OE again.
I have just added the two DNS servers as you told me and OE works fine now. THANKS !!!
I have also switched Wanadoo from Trusted into Internet Zone.
Very good. This way your PC won't be "trusting" all the other users on your ISP. I'm really glad this worked for you. I'll be updating the other thread to make note of this. Thanks for helping to make it better!!
you the man
some one get that man a beer and some chetoes cause it was all that and very new frindly
Hey I have oone suggeston ...
Maybe you could also write some similar tutorial how to set permittions for Internet Explorer (for normal browsing). I am a little confused which ports to allow. I have some difficulties setting permittions for Internet Explorer.
I noticed, that giving permittion for TCP protocol isn't enough. It require UDP on lots of ocassions.
So I made rules (in the end it looks like ...):
Allow/Block Source Destination Protocol Port Time
Rank 1: Allow My Computer Internet, Trusted Zone TCP, UDP http(80), https (443), DNS (53) Any
Rank 2: Block Any Any Any Any Any
... but after making this rule, I can't browse any web page. The strange thing is, that I get alert message saying that "The firewall rules for Internet Explorer allow an outgoing UDP connection to this and this IP, this and this port". And right that alert, web page I was going to visit, becomes "Server was not found". But strange, there is NO Block alert. So something must be blocked "silently" ...
Right after changing the "first rank" rule, under "Modify - Protocol - Ports" to allow any port (in the end it looks like ...):
Allow/Block Source Destination Protocol Port Time
Rank 1: Allow My Computer Internet, Trusted Zone TCP, UDP Any Any
Rank 2: Block Any Any Any Any Any
... everything works normal again !!!
thanks for any help people
I thought about providing a configuration for Internet Explorer, but it's rather more complicated for people than Outlook Express simply because IE is IE, the "everything" program from Microsoft. It does too much and everyone uses it a little differently.
But, let's look at a simple set of IE rules, from a generic firewall perspective...
[pre]Access Type Source Destination Description
Allow UDP MyComputer:Any DNSservers:53 DNS
Allow TCP MyComputer:1024-5000 InternetZone:WebPorts Webservers
Allow UDP MyComputer:1024-5000 MyComputer:1024-5000 Loopback
Block Any Any Any Block the rest[/pre]DNSservers is a Group setup in Firewall panel > Expert tab > Groups button. It is simply a list of all my ISP's DNS server (added by hard-coded IP address). My ISP provides 4 DNS servers.
WebPorts is another defined group except this one is a protocol group not a locations group. In there I have TCP ports: 80, 443, 8000 and 8080.
Now this generic setup when entered as ZAP expert rules applied to Internet Explorer works on my system for basic browsing. In fact, I use a version of this that targets (destination) just the webservers of my Trusted Zone, rather than the Internet Zone as shown above. By doing that, I can browse trusted webservers and even if there are images, web bugs or other things on the webpages I'm viewing, I only end up accessing the trusted sites. All else is blocked.
There are times when I want this, for example, I use such a browser configuration when reading my ISP provided web-based email with IE. It ensures I don't fire off any webbugs out somewhere on the Internet, and blocks any other object sources not in the trusted zone.
However, the downside of the IE configuration described above is that it is restrictive. For example, normally IE can do FTP access directly. These rules prevent that because there are no FTP ports being allowed here. I'm sure there are other protocols that IE can run embedded that these rules would also prevent. But for me and what I use this for, it works great.
In any case, I rarely advise people to do this because it takes some effort on their part to figure out exactly what they need, in their specific circumstances.
I was having some problems configuring IE to connect www. last few days, so I am posting this topic a little late.
I noticed three important things.
1.) Outlook Express in order to get/send e-mails with my HOTMAIL account, require (in my case) also two outgoing connections:
Destination: go.msn.com = 188.8.131.52
I added that IP in Expert Rules ...
HOTMAIL account, require also various other hosts from IP Range: dav.bay0.hotmail.com = 184.108.40.206 - 220.127.116.11
2.) Then, I constantly get this error message:
Protocol: HTTPmail (as it says in Otrlook error screen)
Port: Port: 0 Secure (SSL)
- don't know, how to "fix" that. In some other similar "Client Host" error message for my ISP account (on another, smtp port), it says that Secure (SSL) is Port: 25
3.) Internet Explorer in order to browse, sometimes require (in my case) this connection:
It is strange, cause I made rule to allow outgoing UDP connections to My Computer (LowWaterMark - Loopback Rule)
Do I need to grant this one also ??
Thank you all for your friendly effort
Separate names with a comma.