Transterrestrial Musings  

Firewalling Problem

OK, I think I've found the culprit. Zone Alarm does seem to be blocking UDP between host and client, and I can't figure out how to stop it without completely disabling my Internet firewall. It thinks that the ethernet adaptor for the LAN is to the internet, and it won't allow me to edit or change that. It's the only firewall I have, so I can't take it down.

I may have to upgrade from the free version to Zone Alarm Pro, because while the Help menu says that there's an option for setting it up for ICS, it doesn't seem to display it for the version I have.

[Update a few minutes later]

I finally figured out how to change the zone for the adaptor from "Internet" to "Trusted." My LAN is working properly now, but clients are still not seeing the internet.

[Late afternoon update]

I'm having trouble thinking that it's a Zone Alarm problem at this point, because I'm watching the log, and I've seen no activity on the LAN being blocked, even when I attempt an internet connection from a client.

I can ping the host machine, but I can't ping anything on the internet, either by name or IP.

This is most frustrating.

[Update a couple hours later]

At Ian Woollard's suggestion, I momentarily disabled Zone Alarm, and that was the problem. It seems to work if I reduce the security level for the Internet Zone from "High" to "Medium."

I'm not sure that I can configure it more specifically without getting the full version, though.

Now the question is, do I spend the forty bucks on Zone Alarm Pro, or on a router...?

I'm inclined to the former, because I can buy it online, and it will be a good belt-and-suspenders system for when I get a good hardware firewall up.

Posted by Rand Simberg at July 08, 2004 07:10 AM
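The symptom described above (the client can ping the ICS host but nothing on the Internet, by name or by IP) narrows the fault to one layer, and the troubleshooting in the post walks those layers by hand. The script below is an added example, not from the post or from Zone Labs: it probes each hop from a client in turn and prints which layer is failing. It assumes a POSIX sh whose `ping` accepts `-c` (count) and `-W` (timeout in seconds); the addresses 192.168.0.1 (ICS host), 198.51.100.1 (a documentation-range stand-in for any public IP) and example.com are constructed placeholders. The post's own symptom maps to the FORWARDING case, which is where a host firewall that treats the LAN adaptor as the Internet zone shows up.

```shell
#!/bin/sh
# Added example (not part of the original post): classify an ICS client's
# connectivity failure by probing each hop in order. Assumes POSIX sh and a
# ping that accepts -c and -W; all addresses below are constructed placeholders.

probe() {
    # Return 0 if a single ICMP echo to $1 is answered within 2 seconds.
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# classify <host_ok> <ip_ok> <name_ok>
# Each argument is 0 (probe succeeded) or 1 (probe failed); prints a diagnosis
# whose first word names the failing layer.
classify() {
    host_ok=$1; ip_ok=$2; name_ok=$3
    if [ "$host_ok" != 0 ]; then
        echo "LAN: client cannot reach the ICS host; check cabling, hub/switch and the client's IP/gateway settings"
    elif [ "$ip_ok" != 0 ]; then
        echo "FORWARDING: host reachable but no Internet by IP; ICS NAT is not forwarding, or the host firewall treats the LAN adaptor as the Internet zone"
    elif [ "$name_ok" != 0 ]; then
        echo "DNS: Internet reachable by IP but not by name; the client's UDP/53 lookups are blocked or no DNS server is configured"
    else
        echo "OK: full connectivity"
    fi
}

# diagnose <ics_host_lan_ip> <public_ip> <hostname>
# Runs the three live probes and feeds the results to classify.
diagnose() {
    if probe "$1"; then h=0; else h=1; fi
    if probe "$2"; then i=0; else i=1; fi
    # Pinging by name exercises DNS; with a working IP path a failure here is a lookup failure.
    if probe "$3"; then n=0; else n=1; fi
    classify "$h" "$i" "$n"
}

# Live probes run only when invoked as: sh diagnose.sh run
if [ "${1:-}" = "run" ]; then
    diagnose 192.168.0.1 198.51.100.1 example.com
fi
```

Probing in this order matters: a DNS failure also makes the by-name ping fail, so `classify` reports the first layer that breaks rather than the last, and a firewall log that shows nothing blocked on the LAN (as in the post) is consistent with the FORWARDING case, since the dropped traffic is the host's own forwarded packets rather than a LAN connection attempt.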
Comments

Let's see, for my Zone Alarm I have the following internet security settings.

High security zone settings
Allows programs and servers with permission to access the internet

Blocks all other traffic except:
Allow outgoing DNS
Allow outgoing DHCP
Allow broadcast/multicast
Allow incoming ping
Allow other incoming ICMP
Allow incoming UDP ports:67

Posted by Hefty at July 8, 2004 09:49 AM

Which version are you using? Zone Alarm Pro? I'm running the free one, but maybe I'll have to upgrade to get the flexibility and functionality I need.

Posted by Rand Simberg at July 8, 2004 11:12 AM

Hmmmm...if ZA were the problem, wouldn't I be seeing blocked attempts in the log? There's no activity showing on the LAN--just hits from the outside on my internet adaptor.

Posted by Rand Simberg at July 8, 2004 11:17 AM

Just try turning ZA off for a minute or two. It's very unlikely you'll be infected or attacked in that time.

If you get connectivity, you have at least isolated the problem. If you don't, you have at least proved that it isn't that, or isn't only that.

Posted by Ian Woollard at July 8, 2004 02:23 PM

Why not just use the firewall and router that come with XP? All you need is an extra network card in the puter that connects to the internet. On the puter that connects to the internet, right click My Network Places, click Properties, right click the connection to the internet, click Properties, click the "Advanced" tab, fill in the Internet Connection Sharing and firewall boxes. On the other card, plug it into your hub/switch. Plug the rest of your puters into the switch/hub. There you have it.

Posted by curtis kreutzberg at July 8, 2004 04:08 PM

There's lots of good stuff on ZA and ICS here:

http://forum.zonelabs.org/zonelabs/search?q=ICS

It looks rather like you can only use ICS with pro or plus versions of ZA.

See:
http://forum.zonelabs.org/zonelabs/board/message?board.id=cfg&message.id=10263

There's a description of how to set up ZA:

http://don.hoover.net/index.html

but they appear to be using ZA pro there.

I've recently found that version 5 locks up my XP computer entirely, due to incompatibilities with a perfectly legitimate spam filtering program, and I was forced to drop down to ZA 4.5, which worked fine. So, I'm not entirely happy with ZA; it seems very opaque when it doesn't work.

In your case a message from ZA telling you that they don't recommend using it with ICS and recommending an upgrade would have saved so much hassle, and more likely to land them a sale.

Still, ZA has kept my computers safe for quite a while.

Posted by Ian Woollard at July 8, 2004 05:18 PM

Now I'm no network guru and momma is the local computer hardware type, but our experience here and at our last house were similar to yours and we found that ZA does not play well with XP. We went back to Win 2K and all is well. Of the ZA people and Win Tech Support neither had answers or solutions for our problems. They blamed, and here's the odd part, each other!!

Posted by Steve at July 8, 2004 05:34 PM

Why not just use the firewall and router that come with XP?

Great idea!

If only I had (and wanted) XP...

Posted by Rand Simberg at July 8, 2004 06:34 PM

Oh god, ZA and ICS!!! Arrghhh, I didn't see anything blocked in the logs when I once had the same problem at a client's house last year either.

ZA sux IMHO, don't know what's better, but ZA sux.

Posted by David Mercer at July 8, 2004 11:18 PM

"Why not just use the firewall and router that come with XP?"

Because XP firewall is broken to the bone. It will start up IP stack long before FW becomes active.

I did use a cheap D-Link router/firewall for quite a long time with no problems whatsoever; it even did dynamic DNS.
But then I needed a large storage server and put an old cheap 300MHz Celeron to the task, with FreeBSD installed. Works very well as a firewall at the same time, complete with Snort and everything.

Posted by kert at July 9, 2004 12:58 AM

Don't use ZoneAlarm - nothing but grief down that road! Before I put a BSD box in front of my Windows machine I used Kerio Personal Firewall (http://www.kerio.com/us/kpf_home.html). That never gave me any trouble with ICS, and it is fully configurable for free - always a plus!

The config is very easy too - basically turn it on, and it will default to blocking everything and asking you what to do when it detects activity. Authorize what you want, block the rest - after 10 minutes or so it will have seen all it needs to build a rule set.

Posted by Dominic at July 9, 2004 02:38 AM

I'd look at something other than ZA Pro. I've been using it for a while and when I rebuild my machine next (sometime this year) I'll be throwing it out.

It's not just connectivity problems but I also find that certain web pages simply refuse to load with it turned on. I've checked with other ZA users and they have the same problems.

Posted by Dave at July 9, 2004 03:05 AM

I'd scrap Zone Alarm. I had the pro version for a month and it completely messed up the computer. I had to hack into the system in order to uninstall it. The darn thing would not recognize my password and I had no net connectivity for a month.

Posted by Dave Allen at July 9, 2004 05:58 AM

From your posts on this subject, you mentioned that you do, in fact, have a router back in California that will eventually be brought on-board in Florida, correct? I don't see the need to spend your money on yet another one to hold your pants up until that router makes it to FL. While I'm no ZA expert, it sounds like most other people here aren't too fond of it, but if you only need to use it for a short time, I would say go with the software solution for now, unless you think that you're going to need another router down the line. More likely, by the time you decide to install another router, Gbe will be more standardized, and you'll be stuck with two 10/100 routers.

Just my $.02 (USD, not CND)

Posted by John at July 9, 2004 08:06 AM
