
Thread: Rehash of "Applications access to 127.0.0.1"

  1. #1
    mr_bliss Guest

    Rehash of "Applications access to 127.0.0.1"

    http://forums.zonealarm.com/zonelabs...ssage.id=17826

    Oldsod wrote:
    Yes, these are perfectly safe and very normal.

    I've been having strange behavior on my machine where DNS and TCP/IP routing stops working and I'm forced to reboot. I installed ZoneAlarm as I was concerned that my machine had possibly become exploited and I wanted to track outbound network traffic. I was very surprised to see IE sending packets to 127.0.0.1 on startup before issuing a DNS query and page request for the default homepage. It seemed even stranger that blocking this connection attempt disables all subsequent network activity for that IE session. I'm glad to see the topic already being discussed and wondered where I could find more info on why this behavior is "safe and very normal". I'd just accept the answer as fact but it still feels like something isn't right and I'd love to know more about what this initial connection to localhost accomplishes and why it occurs in any app that hosts IE.

    Thanks,

    John

    Operating System: Windows XP Pro
    Product Name: ZoneAlarm (Free)
    Software Version: 7.0

  2. #2
    Join Date
    Dec 2005
    Posts
    8,974

    Re: Rehash of "Applications access to 127.0.0.1"

    Hi

    Localhost (127.0.0.1) is actually the internal internet address of the operating system. It cannot be accessed by anything external nor can it go out to anything external. If one component or application needs to communicate with another, it will often use the localhost to get to it. Every computer operating system has to have a localhost address. All Windows operating systems use the 127.0.0.1 address for the localhost address.


    Commonly used by software firewalls, antispyware scanners, svchost.exe and the antivirus and the explorer.exe. Occasionally the Windows updater applications or IE will use the localhost for doing the actual Windows Update download/install. Occasionally some of the Windows components will use the localhost for communications to get across to other applications.

    When you open a browser and go to a site, the browser actually uses the localhost address to have a reference - it needs the address to actually know where it is. Then it goes to the DNS server to get the exact address for the site required in the address bar of the browser. When the browser is going to the DNS server, the DNS sends the information to your browser and the browser can now go to the requested site. But several other things are happening:

    The Windows OS needed to get to the DHCP server to get internet. The svchost is needed for the connection to the DNS and the DHCP. Once things are going to the internet or to the LAN (or router or the modem), the localhost address is no longer used. Instead the address assigned by the router or the provider is now used. The localhost address would not be acceptable. With every connection to any server or PC on the internet, your IP is given out. Your IP must be given out or else the information requested by the browser, email, updater, etc. would not be received by your PC. The server or other PC must have your IP to know where to send the information that your PC/browser/updater/email/etc. is asking for in the first place.

    This is the way the internet and computers work in a nutshell.

    By putting the router (or modem if no router) IP with its subnet as trusted, the connection between the PC's operating system and the router is always faster and smoother. The operating system does not have to look all the time for the DHCP connection and if the connection stops or breaks off, the operating system always knows where to immediately go to when it needs a new connection. So the connection is always maintained and when stopped the operating system always knows exactly where to get the connection re-established.

    Both the operating system and the internet-using applications need the DNS server(s). Without the DNS server none would get the exact address that it needs. If the DNS server(s) are not manually entered into the firewall (or into the properties of the internet protocol of the network connection if not using a third party software), it will go looking for one - anywhere it can. That may be successful and may not. Putting the DNS server as trusted is not just faster and better, but also more secure.

    So......

    The localhost (127.0.0.1) as trusted is okay. The firewall is just verifying what Windows would do anyways.

    The DHCP as trusted is okay. The firewall is just verifying what Windows would do anyways. But with the correct information the firewall knows what the wrong DHCP is and ignores the wrong one, and what the correct DHCP is to be used and uses the right one. When all Windows operating systems start up, they do a "multicast". This is basically a look-around for the other computers on the internet or, if behind a hardware firewall (or LAN), for the DHCP. Once it gets an answer back it follows it up with a DHCP connection attempt. If that DHCP attempt is successful, then it can get the DNS server and get internet.
    But your DHCP is not trusted in the ZA - so after a while the DHCP is not used and the connection is dropped. Now comes your trouble - the DHCP server can only be found again and re-established with a multicast, but the multicast is only sent out when the operating system is started or the physical connection is established. By placing the DHCP as trusted, the ZA knows what is happening and allows the DHCP connections to continue even if they are dropped. It no longer stops it from going to the correctly entered address.

    The DNS as trusted is okay. The firewall is just verifying what Windows would do anyways. But with the correct information the firewall knows what the wrong DNS is and ignores those, and what the correct DNS really is and uses the right one.

    Oldsod
    Best regards.
    oldsod
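
One way to see which processes sit at each end of the 127.0.0.1 connections discussed in this thread, added here as an example and not part of either post: it parses text in the layout of Windows `netstat -ano` and pairs both ends of every established loopback TCP connection with the owning PIDs. The sample output, PIDs and ports are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the layout printed by `netstat -ano` on Windows.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     3120
  TCP    127.0.0.1:1031         127.0.0.1:1030         ESTABLISHED     3120
  TCP    127.0.0.1:1045         127.0.0.1:5000         ESTABLISHED     3120
  TCP    127.0.0.1:5000         127.0.0.1:1045         ESTABLISHED     1480
  TCP    192.168.1.20:1050      203.0.113.10:80        ESTABLISHED     3120
  UDP    127.0.0.1:1900         *:*                                    1200
"""

Conn = namedtuple("Conn", "local remote state pid")

def host_of(endpoint):
    # "127.0.0.1:1030" -> "127.0.0.1"; "[::1]:135" -> "::1"
    return endpoint.rpartition(":")[0].strip("[]")

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False  # "*" or anything that is not an address

def parse_tcp(output):
    conns = []
    for line in output.splitlines():
        f = line.split()
        # TCP rows have exactly five fields; header and UDP rows do not.
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            conns.append(Conn(f[1], f[2], f[3], int(f[4])))
    return conns

def loopback_pairs(conns):
    """Return sorted ((endpoint, pid), (endpoint, pid)) for each loopback connection."""
    est = [c for c in conns if c.state == "ESTABLISHED"]
    owner = {c.local: c.pid for c in est}
    pairs = set()
    for c in est:
        if is_loopback(host_of(c.local)) and is_loopback(host_of(c.remote)):
            if c.remote in owner:  # the other end is visible on this machine
                pairs.add(tuple(sorted([(c.local, c.pid), (c.remote, owner[c.remote])])))
    return sorted(pairs)

if __name__ == "__main__":
    for a, b in loopback_pairs(parse_tcp(SAMPLE)):
        print(a, "<->", b, "(same process)" if a[1] == b[1] else "(two processes)")
```

A pair whose two PIDs are equal is a process talking to itself over loopback; a pair with different PIDs shows which other local program it is talking to, which can then be looked up in the task list.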
