Thread: UDP expert rules - concept rather than specifics...

  1. #1
    brewabeer Guest

    UDP expert rules - concept rather than specifics...

    Hi folks,

    I have created expert rules for the first time, to try and solve the annoying UDP failure I used to get with eMule.

    I have got it working, but I am not confident I have a firm grip on the concept behind what I've just done, and I'm worried that I may be exposing myself to risk, so if anyone feels like enlightening me that would be much appreciated!

    I have forwarded 2 ports on my router to the PC running eMule. Port xxx10 is TCP, port xxx20 is UDP.

    ZA on the target computer dealt with TCP when I created rules for eMule, so no problem there. The confusion I have is in 2 parts:

    1. Following advice I have found on a number of threads, I have created an 'allow UDP' rule for eMule. However, since there is no port specified in the rule (or specifiable as far as I can see), presumably whenever eMule is running ZA will accept UDP connections on any port?!

    2. Further to creating an expert rule for eMule, I have also had to create an expert rule under 'firewall' - apparently allowing unconditional UDP access to any port, at any time (time slots are no good to me, I need UDP whenever I'm running eMule). Which raises the question, if I have just created a non-specific rule to allow UDP at all times, then what purpose does the eMule-specific rule serve?!

    Operating System: Windows XP Pro
    Software Version: 7.0
    Product Name: ZoneAlarm Pro

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: UDP expert rules - concept rather than specifics...



    1. In the Expert tab found in the Options in right click of the eMule listed in the ZA Program Control are ports to be used as per UDP. Open the Protocol, click Modify and then select the Add Protocol and once again, select UDP in the dropdown and both Source and Destination Ports can be set. Basically enter the Source port as any and the destination port as per required by the eMule.
    Then after all of the required ports and Source/Destination are entered and properly ranked, it is done. Your UDP for the eMule is controlled. If any TCP or DNS lookup is needed, then make rules for these too.

    This works for the Expert in the Firewall. The above details in the Protocol work here too.


    Again the specific UDP ports to be opened can be specified. Even specific UDP can be set in the Custom button of the Main of the Firewall - under the Internet and Trusted Zone tabs under the High security settings. This way can be used instead of the Expert in the Firewall.

    Does this help with the UDP is open idea and not properly secured?

    Another ZA user asked about eMule just a week ago or so.
    See his thread here.

    Cheers, Oldsod
    Best regards.
    oldsod

  3. #3
    brewabeer Guest

    Re: UDP expert rules - concept rather than specifics...

    Thanks Oldsod:

    Another ZA user asked about eMule just a week ago or so.
    See his thread here.


    I did have a pretty good read of that thread and the links that you posted - they got me as far as I got, so thanks! Maybe I just couldn't quite digest the relevant bits properly, because I am still a bit in the dark.

    1. in the Expert tab found in the Options in right click of the eMule listed in the ZA Program Control are ports to be used as per UDP. Open the Protocol, click Modify and then select the Add Protocol and once again, select UDP in the dropdown and both Source and Destination Ports can be set. Basically enter the Source port as any and the destination port as per required by the eMule.

    OK, I hadn't specified any ports - simply because in the drop-down list I couldn't see 'port' listed! Which option should I select from that list? Then do I just add the actual 4-digit UDP port number? I currently have "Any" in both 'Source' and 'Destination'.

    Then after all of the required ports and Source/Destination are entered and properly ranked, it is done. Your UDP for the eMule is controlled.

    So am I right in understanding that a standard ZA installation has 2 levels of UDP blocking - firstly it allows no UDP traffic whatsoever (unless I enable it using firewall expert rule); secondly, it allows no applications to use UDP (unless I enable it using program expert rule)?

    If any TCP or DNS lookup is needed, then make rules for these too.

    I assume that this is not required, but I will check again after I change 'Destination' from "Any" to the specific port #.

    This works for the Expert in the Firewall. The above details in the Protocol work here too.

    Again the specific UDP ports to be opened can be specified. Even specific UDP can be set in the Custom button of the Main of the Firewall - under the Internet and Trusted Zone tabs under the High security settings. This way can be used instead of the Expert in the Firewall.


    Aha, interesting. Is one method better than the other?

    Does this help with the UDP is open idea and not properly secured?

    I think so, especially if you can confirm my understanding!

    I need to tell Zone Alarm to allow UDP on port xxxx, then I need to tell ZA to allow eMule to use UDP on that port.

    Will ZA apply a 'stealth' status to the UDP port when eMule isn't running? It seems to do this with TCP (as confirmed by ShieldsUp), but if I create rules that open a port for UDP then wouldn't that make it permanently open? I am sure it is a negligible threat in any case, but ZA seems so thorough on every other level that I would be surprised if it left this port open permanently.

    Again thanks for helping me with this!

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: UDP expert rules - concept rather than specifics...

    In the dropdowns for the destination and source ports? Just ignore that as these are just standard presets - but in the box next to it which says Any - type in your port or port range (i.e. 10-21). Then continue with another Protocol entry to create the second port and so forth. Thus the ports are entered as wanted.

    Oldsod
    Best regards.
    oldsod

  5. #5
    brewabeer Guest

    Re: UDP expert rules - concept rather than specifics...

    Thanks again Oldsod,

    Whenever I try to edit the source or destination field, the only options I am given are to 'add location' or 'remove location'.

    If I select 'add location', I am faced with the list:

    My Computer
    Trusted Zone
    Internet Zone
    Any
    -----
    Host/Site
    IP Address
    IP Range
    Subnet
    Gateway
    New Group...
    Existing Group...

    I don't see any way to ignore this list and type in the port numbers - it looks like I must choose an option first?

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: UDP expert rules - concept rather than specifics...

    Look in the lower left box labelled Protocol. It is in there.

    I will be back in the afternoon. I will show you with some screen shots, to make it easier. The lower left box named Protocol is what I was talking about in the previous post.

    Oldsod

    Message Edited by Oldsod on 12-22-2007 04:23 AM
    Best regards.
    oldsod

  7. #7
    brewabeer Guest

    Re: UDP expert rules - concept rather than specifics...

    No need, your description was good enough - I've found it and corrected it, thank you!
    Still a bit concerned that my port number xxxx will be permanently 'open' to UDP though - I don't know what the technical ramifications of this are, but surely if somebody decided to scan my ports they would get a response from that port?
    Is there a way to 'stealth' the port whenever eMule is not running?

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Re: UDP expert rules - concept rather than specifics...

    Actually the ZA stealths and closes all ports by default.

    The new rules you have added will not have these specified ports open all the time. It now just means these specified ports now can become opened, instead of the default closed state and only by the eMule application.

    When the eMule is used, the Expert rules will begin to be used and then, only then will the eMule be allowed to open the specified ports. These ports will remain closed when the eMule is not in use. This is why the Expert Rules continue in the Program Control per the application - to control these special events. Once the eMule is closed on the PC, the ZA will immediately close those ports.

    (This control of the traffic by the Expert Rules is specific for the directions, destinations, protocols, ports and even by the time/date.)

    Once you get some of the Expert Rules in place, I was going to explain this to you, since you were naturally concerned about security risks.

    There are none.

    If some random/unwanted traffic attempts to enter the PC through special opened ports of the eMule while it is running ports, the ZA will first check to see if this traffic is going to the eMule client. If this traffic is not related to the eMule, then the ZA will immediately drop these connections. (In other words, if this unwanted inbound connections wants to connect through the eMule ports to the explorer.exe, the ZA immediately will block it.) Only the traffic directed towards the eMule will be able to reach the eMule. Nothing else.
    The ZA has a long memory on all of the connections sent and accepted. It does keep excellent track of things. All in all, a very good firewall.



    Still the traffic coming inbound for these specific ports is limited - the usual hacker will not bother. There is a much stronger chance of some malware hiding in a video or some files and then attempting to exploit the PC.

    Okay I think I got the answer across to you. Feel better?

    Best regards, Oldsod

    Message Edited by Oldsod on 12-22-2007 03:26 PM
    Best regards.
    oldsod
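
The difference between the "Any"/"Any" rules from the first post and a port-specific program rule, as a simplified model added here. It is not ZoneAlarm's code and not written by any poster; port 40020, the process names and the listener tables are constructed, and the decision logic assumes only the behaviour described in the post above.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None         # "Any" in the rule editor
EMULE_UDP = 40020  # constructed stand-in for the forwarded UDP port "xxx20"


@dataclass(frozen=True)
class Rule:
    protocol: str             # "UDP" or "TCP"
    dest_port: Optional[int]  # ANY matches every destination port
    program: Optional[str]    # ANY = firewall-wide rule, else a per-program rule

    def matches(self, protocol, dest_port, program):
        return (self.protocol == protocol
                and self.dest_port in (ANY, dest_port)
                and self.program in (ANY, program))


def decide(rules, listeners, protocol, dest_port):
    """Return 'allow' or 'drop' for one inbound packet.

    listeners maps (protocol, port) to the running program bound to it.
    """
    program = listeners.get((protocol, dest_port))
    if program is None:
        return "drop"   # nothing is listening, so the port stays closed
    if any(r.matches(protocol, dest_port, program) for r in rules):
        return "allow"
    return "drop"       # default: block everything not explicitly allowed


def reachable(rules, listeners):
    """Programs an outside host could reach under this rule set."""
    return sorted(prog for (proto, port), prog in listeners.items()
                  if decide(rules, listeners, proto, port) == "allow")


# Constructed listener tables: eMule running, and eMule closed.
RUNNING = {("UDP", EMULE_UDP): "emule.exe",
           ("UDP", 1900): "svchost.exe",
           ("UDP", 137): "system"}
STOPPED = {k: v for k, v in RUNNING.items() if v != "emule.exe"}

BROAD = [Rule("UDP", ANY, ANY)]                 # "Any" port, every program
NARROW = [Rule("UDP", EMULE_UDP, "emule.exe")]  # one port, one program

if __name__ == "__main__":
    print("broad :", reachable(BROAD, RUNNING))
    print("narrow:", reachable(NARROW, RUNNING))
    print("eMule closed:", decide(NARROW, STOPPED, "UDP", EMULE_UDP))
```
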

  9. #9
    brewabeer Guest

    Re: UDP expert rules - concept rather than specifics...

    Thanks again Oldsod, your explanation is fantastic and very reassuring!
    I now feel confident that my system is as secure as possible whilst still allowing eMule the connections it needs, so thank you.

  10. #10
    Join Date
    Dec 2005
    Posts
    9,056

    Re: UDP expert rules - concept rather than specifics...

    You are welcome, brewabeer.

    All of the season's best to you!
    Oldsod
    Best regards.
    oldsod
