Zone Alarm Plus/Pro Program Options: comments

Discussion in 'other firewalls' started by Paul Wilders, Sep 28, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Please post comments in regard to this thread over here, to avoid pollution.

    Thanks in advance! ;)

    paul
     
  2. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    LWM,

    Great tutorial, however, I don't have a standard OE setup. Outlook Express is set up to poll for email on two ISPs (one using the SSL protocol), Hotmail, and "MyRealBox." To add to the mess, I have newsgroups set up through the SSL protocol and others (such as GRC and Microsoft).

    I have been able to restrict the ports that OE can access, but I can't poll "everything" without OE accessing the internet.

    One of these days, I'll try to configure it as you described, but not today. :D :D :D
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Great Contribution LowWaterMark.

    I will be bookmarking that one.

    Thank you,

    John
     
  4. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    LowWaterMark,
    very good post !!

    bill :)
     
  5. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    LWM, you've earned yourself a Karma Cookie!

    Er...I'll have to owe you one, since you haven't made one hundred posts yet...
     
  6. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    HeHeHe. I did it. Outlook Express does not access the internet anymore.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    That's great. I really like to see programs limited to using just what is absolutely necessary in order to run. (A kind of "least privilege" thing.) It's a reason why I also run a sandbox application on my system (Tiny Trojan Trap).

    Another thing I'm trying out is I've made a second copy of Internet Explorer on my system. (I use IE as my default browser.) Then, in ZA Plus, I've restricted the original copy of IE (iexplorer.exe) to having only Trusted Zone access and a limited set of ports and protocols. (Specifically it gets DNS; HTTP-80, 443 & 8080; and UDP 1024-5000.)

    If any malicious program fires up a default IE session, it ends up with very limited network access. Meanwhile, another version of IE, under a different name, gets more open access in ZA+, so that I can actually surf. ;) It's been an interesting experiment, so far.
     
  8. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    I don't think Win98SE is going to let me have another copy of IE.

    I'm going to work on other programs next, such as the various "auto update" programs for AV, AT, spy checkers, etc.
     
  9. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi LowWaterMark,

    I am using W98SE with Outlook Express 6. I tried to configure as you recommended:

    1. Allow access only for :
    DNS servers (TCP and UDP 53)
    Mail servers POP (TCP port 110)
    Mail servers SMTP (TCP port 25)
    News servers (TCP port 119)

    2. Put the mail server pop.freesbee.fr in the Trusted zone

    3. Block Internet access to OE.

    Each time Windows is restarted, OE displays the error message (translation) :
    "Impossible to find the host pop.freesbee.fr. Verify that you have correctly entered the server name. Account : 'Mail of ...', Server : 'pop.freesbee.fr', Protocole : POP3, Port : 110, Secure (SSL) : No, socket error : 11001, Error number : 0x800CCC0D"

    If I allow Internet access, then OE is ok. Then I block Internet access again and OE remains ok !

    Do you see something wrong ?

    Regards,

    Yinda
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Hi Yinda,

    Can you clarify this for me a bit? When you state: "Each time Windows is restarted, OE displays the error message..." do you literally mean that during or at the end of booting up, this OE error message pops up? Or do you simply mean that the first time you run OE after a boot, whether a minute after booting or hours later, you get this error?

    It is an important distinction because the first case implies that OE is running in the boot process, and perhaps it's attempting to get out before ZA is ready to allow it. Basically, a timing issue. The second case could show a very different problem. If ZA does not handle an access right the first time you do something to trigger it, but, after making an adjustment, running it, and setting ZA back, it works correctly from then on, that could show that your ZA true vector database might have an inconsistency and need rebuilding.
     
  11. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi LWM,

    The error occurs when I start OE manually, generally a few minutes after booting. The error also occurs the first time OE sends a message.

    How to rebuild the ZA true vector database please ?

    Regards,

    Yinda
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    If you need to refresh (rebuild) the ZA True Vector database because it is not saving settings or because it appears to "get confused" with settings, then you can follow the instructions at this page (item #10):

    http://www.zonelabs.com/store/content/support/zapIssuesFAQ.jsp#10issues

    But, be aware that the True Vector database stores all of Zone Alarm's custom settings. All the trusted sites, the program permissions, the specific firewall block and allow settings, everything. You'll need to redo these after refreshing the database. Once you've done it a few times, it's not hard, but, make sure you know what settings you've made before you wipe out the database. When they are gone, they are gone.

    It may not fix your problem, but, it's one of the first recommendations whenever ZA starts acting oddly, such as how you described. Read the link over and if you have questions, ask them here before trying it.

    Edit - typos
     
  13. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Ok LWM,

    I'll read the instructions carefully. Thanks.

    Yinda
     
  14. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    The problem has not been fixed after the True Vector database is rebuilt according to their procedure :(
    The positive point is that now I know when and how to rebuild the database :)
    Yinda
     
  15. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    Well this is the very first thing I did when I installed Zone Alarm Pro.

    I setup everything manually.

    Anywhere from Icq to kazza lite. :)

    thanks anyways,
    will

    ps: i checked to see if we had the same settings...yeap...:)
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Yinda, what other hosts / servers are in your Trusted Zone, as seen in the ZA > Firewall > Zones screen? Do you have your ISP's DNS servers in the Trusted Zone? If not, you will need to add them. Since OE will only be able to access Trusted hosts in this configuration, the DNS servers must be in the ZA Trusted Zone. (I'll have to edit the original config post to reflect this.)

    Let me know if this fixes it.

    Thanks,
    LowWaterMark
     
  17. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi LWM,

    I added 3 Hosts/Sites in the Trusted zone myself : pop.freesbee.fr, pop.wanadoo.fr and smtp.wanadoo.fr (freesbee is my usual mail server, wanadoo is my ISP)

    The IP Address / Site 80.0.0.0/255.0.0.0 has been added by ZA as Network (I would not know how to specify the address myself)

    Is that correct ?

    Regards,

    Yinda
     
  18. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    PS. The name of Network added by ZA in the Trusted zone is Wanadoo.
    Yinda
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Yinda,

    It sounds like you have your email servers covered well, but, you need to add your two DNS servers to the ZA Trusted Zone. You don't add those by name, (since DNS servers are needed to resolve names), you add them by address or range. I cannot say that the "network" that was added covers your DNS, usually it doesn't, and most times the "networks" are added as "internet" zone not "trusted", for security reasons.

    Do you know the IP addresses of your ISP's DNS servers? You can just look on your system when you are connected and it'll tell you your current DNS servers. If you are on NT/2K/XP, go to a CMD window (Start menu > Run... > CMD) and type: ipconfig /all
    - It will list DNS servers there.

    If you are on Windows 9x or ME - go to Start menu > Run... > winipcfg
    - In that screen, hit the "More Info>>" button and look for DNS servers line and notice there is a little box next to it with a "..." - you hit that to see other DNS server(s).

    Add these as separate trusted addresses into ZA and try OE again.
     
  20. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi LWM,

    I have just added the two DNS servers as you told me and OE works fine now. THANKS !!!

    I have also switched Wanadoo from Trusted into Internet Zone.

    Regards,

    Yinda
     
  21. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Very good. This way your PC won't be "trusting" all the other users on your ISP. I'm really glad this worked for you. I'll be updating the other thread to make note of this. Thanks for helping to make it better!! :)

    Best Wishes,
    LowWaterMark
     
  22. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :cool: you the man

    :D someone get that man a beer and some Cheetos cause it was all that and very newbie friendly
     
  23. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Hey I have one suggestion ...

    Maybe you could also write some similar tutorial on how to set permissions for Internet Explorer (for normal browsing). I am a little confused which ports to allow. I have some difficulties setting permissions for Internet Explorer.

    I noticed that giving permission for the TCP protocol isn't enough. It requires UDP on lots of occasions.

    So I made rules (in the end it looks like ...):

                   Allow/Block  Source       Destination             Protocol  Port                            Time
    Rank 1:        Allow        My Computer  Internet, Trusted Zone  TCP, UDP  http(80), https(443), DNS(53)  Any
    Rank 2:        Block        Any          Any                     Any       Any                             Any

    ... but after making this rule, I can't browse any web page. The strange thing is that I get an alert message saying that "The firewall rules for Internet Explorer allow an outgoing UDP connection to this and this IP, this and this port". And right after that alert, the web page I was going to visit becomes "Server was not found". But strangely, there is NO Block alert. So something must be blocked "silently" ...

    Right after changing the "first rank" rule, under "Modify - Protocol - Ports" to allow any port (in the end it looks like ...):

                   Allow/Block  Source       Destination             Protocol  Port  Time
    Rank 1:        Allow        My Computer  Internet, Trusted Zone  TCP, UDP  Any   Any
    Rank 2:        Block        Any          Any                     Any       Any   Any

    ... everything works normal again !!!



    thanks for any help people
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    I thought about providing a configuration for Internet Explorer, but it's rather more complicated for people than Outlook Express simply because IE is IE, the "everything" program from Microsoft. It does too much and everyone uses it a little differently.

    But, let's look at a simple set of IE rules, from a generic firewall perspective...

    [pre]
    Access  Type  Source                Destination            Description
    Allow   UDP   MyComputer:Any        DNSservers:53          DNS
    Allow   TCP   MyComputer:1024-5000  InternetZone:WebPorts  Webservers
    Allow   UDP   MyComputer:1024-5000  MyComputer:1024-5000   Loopback
    Block   Any   Any                   Any                    Block the rest
    [/pre]
    DNSservers is a Group setup in Firewall panel > Expert tab > Groups button. It is simply a list of all my ISP's DNS servers (added by hard-coded IP address). My ISP provides 4 DNS servers.

    WebPorts is another defined group except this one is a protocol group not a locations group. In there I have TCP ports: 80, 443, 8000 and 8080.

    Now this generic setup when entered as ZAP expert rules applied to Internet Explorer works on my system for basic browsing. In fact, I use a version of this that targets (destination) just the webservers of my Trusted Zone, rather than the Internet Zone as shown above. By doing that, I can browse trusted webservers and even if there are images, web bugs or other things on the webpages I'm viewing, I only end up accessing the trusted sites. All else is blocked.

    There are times when I want this, for example, I use such a browser configuration when reading my ISP provided web-based email with IE. It ensures I don't fire off any webbugs out somewhere on the Internet, and blocks any other object sources not in the trusted zone.

    However, the downside of the IE configuration described above is that it is restrictive. For example, normally IE can do FTP access directly. These rules prevent that because there are no FTP ports being allowed here. I'm sure there are other protocols that IE can run embedded that these rules would also prevent. But for me and what I use this for, it works great.

    In any case, I rarely advise people to do this because it takes some effort on their part to figure out exactly what they need, in their specific circumstances.
     
  25. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Hi ...

    I was having some problems configuring IE to connect www. last few days, so I am posting this topic a little late.

    I noticed three important things.


    1.) Outlook Express, in order to get/send e-mails with my HOTMAIL account, requires (in my case) also two outgoing connections:

    Protocol: TCP
    Destination: go.msn.com = 207.68.172.249
    Port: HTTP(80)

    I added that IP in Expert Rules ...


    The HOTMAIL account also requires various other hosts from the IP Range: dav.bay0.hotmail.com = 64.4.0.0 - 64.4.63.255



    2.) Then, I constantly get this error message:

    Protocol: HTTPmail (as it says in the Outlook error screen)
    Destination: Unknown
    Port: 0 Secure (SSL)

    - don't know how to "fix" that. In some other similar "Client Host" error message for my ISP account (on another, smtp port), it says that Secure (SSL) is Port: 25



    3.) Internet Explorer, in order to browse, sometimes requires (in my case) this connection:

    Protocol: UDP
    Destination: 127.0.0.1
    Port: 3320

    It is strange, because I made a rule to allow outgoing UDP connections to My Computer (LowWaterMark - Loopback Rule)

    Do I need to grant this one also ??



    Thank you all for your friendly effort
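As an added example (not code from the thread or from Zone Alarm), this Python model applies LowWaterMark's IE rule set from post 24 with first-match semantics and checks the cases raised in the thread: a DNS server missing from the DNSservers group (Yinda's problem), FTP, and a loopback UDP packet of the kind stalker describes. Addresses, group members and the source port of the loopback packet are constructed assumptions.

```python
from typing import NamedTuple

# Constructed sample values (not from the thread): stand-ins for the groups.
DNS_SERVERS = {"203.0.113.1", "203.0.113.2"}   # the "DNSservers" location group
WEB_PORTS = {80, 443, 8000, 8080}               # the "WebPorts" protocol group
MY_COMPUTER = {"127.0.0.1", "192.0.2.10"}       # "My Computer" in ZA's terms

class Conn(NamedTuple):
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int

# Field predicates. Simplification: "Internet Zone" is any address that is
# not My Computer, since the post's rules only distinguish those two.
def any_(_): return True
def dns_servers(ip): return ip in DNS_SERVERS
def my_computer(ip): return ip in MY_COMPUTER
def internet(ip): return ip not in MY_COMPUTER
def ports(lo, hi): return lambda p: lo <= p <= hi
def port_set(s): return lambda p: p in s

# (action, protocol or None for Any, src, sport, dst, dport, description),
# transcribed from the [pre] table in post 24, in rank order.
IE_RULES = [
    ("allow", "UDP", my_computer, any_, dns_servers, port_set({53}), "DNS"),
    ("allow", "TCP", my_computer, ports(1024, 5000), internet, port_set(WEB_PORTS), "Webservers"),
    ("allow", "UDP", my_computer, ports(1024, 5000), my_computer, ports(1024, 5000), "Loopback"),
    ("block", None, any_, any_, any_, any_, "Block the rest"),
]

def evaluate(rules, c):
    """First-match evaluation: the first rule whose every field matches decides.
    Returns (action, description); the final catch-all means nothing falls through."""
    for action, proto, s, sp, d, dp, desc in rules:
        if (proto is None or proto == c.proto) and s(c.src) and sp(c.sport) \
                and d(c.dst) and dp(c.dport):
            return action, desc
    return "block", "no rule matched"

if __name__ == "__main__":
    samples = [
        Conn("TCP", "192.0.2.10", 1040, "198.51.100.7", 443),  # HTTPS page: allowed
        Conn("TCP", "192.0.2.10", 1041, "198.51.100.7", 21),   # FTP: blocked, as the post says
        Conn("UDP", "192.0.2.10", 1035, "198.51.100.53", 53),  # DNS server not in the group: blocked
        Conn("UDP", "127.0.0.1", 1040, "127.0.0.1", 3320),     # loopback UDP (source port assumed)
    ]
    for c in samples:
        print(c, "->", evaluate(IE_RULES, c))
```

The third sample is why Yinda's OE stopped resolving names until the ISP's DNS servers were listed: a lookup sent to any resolver outside the group falls through to the final block rule.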
     
