
Thread: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

  1. #1
    monster_z Guest

    Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, everybody!
    After using ZA for a year now, I was wondering whether I can block all incoming and all outgoing traffic and processes except the traffic I want?
    Basically, I only use Mozilla Firefox, Opera and sometimes Internet Explorer, Spyware Doctor and **bleep** Antivirus for surfing.
    I have also additionally configured ZA, but I was always wondering if I can block all other inbound and outbound processes and traffic?
    Thanks for your help.

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Pro

  2. #2
    Join Date: Dec 2005

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Actually there is no inbound traffic unless you have opened some ports. The traffic is initiated by the application itself and the returning traffic is normal.
    There are some Windows processes which need to have internet access, many need trusted access, and svchost.exe needs the Trusted server (for DHCP and DNS).

    Keep in mind software firewalls are for controlling the ports, protocols and IPs. Control is the key word.
    What have you done so far for the extra configurations?

    Best regards.

  3. #3
    monster_z Guest

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod and others!
    I apologize that I didn't answer before; right now my home computer is going for a total re-installation of Windows XP (I didn't install it correctly and my Local Area Connection was limited, connectivity was screwed), so I'll simply tell you what I usually do with ZA.
    So, I send you this message from the computer where I work.

    First I always go into Firewall-Advanced Options, enable ARP protection, block Trusted servers and Internet servers, lock the hosts file, etc. I even uncheck the "Allow VPN protocols" option.

    Then I also go to Firewall-Custom, where I block just about anything in both the medium and high level sections. I even block the option "allow broadcasting/multicasting" (for both Trusted and Internet servers), then in those same sections I set the range of blocked ports for both Internet and Trusted servers to 0-65535.

    I also use OSFirewall, Advanced Application Interaction control and Advanced Component control.

    I also use Internet Lock (enabled) with pass-lock enabled; even though someone said I'd lose the connection, that practically never happens.

    However, I consider myself a novice user.
    I don't think it's possible to stealth or close all of your ports (30606 for antivirus updating, for example) even when Internet lock is enabled.
    Also, I've seen that when I go on the net on Sunday from 7pm-9pm I'm constantly under all forms of attacks (and thanks to ZA they are all blocked).
    I've also noticed that this newest version of ZA Pro actually remembers all of the attacks made by hackers (I know that because every Sunday when I went on the net I've been under a lot of attacks; the Sunday before, I had collected over 4000 blocked intrusions, and the Sunday after, in the same time period, ZA Pro blocked only 100, which means that only 100 attacks were of a new kind).

    Also, I need advice:
    When svchost.exe (Generic Host processes) asks me that it wants to modify rundll32.exe (or modify anything else in the computer) what should I do?

    Also, if ZA Pro asks me that if svchost.exe wants to act as a server what should I do?

    Again, big thanks!

  4. #4
    Join Date: Dec 2005

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi Monster-Z

    Okay. The easy settings are used. Maybe confusing if these are not understood, but still easy enough to figure out.

    Users that lose the internet connection after using the Internet Lock made some mistakes. They probably never entered the router or gateway IP or DHCP server as Trusted in the Zones. Or/and the generic host process (svchost.exe) has no server rights for the Trusted server.

    All ports are stealthed by the ZA. The only time a port may not be stealthed is if there is an application which has been given server rights for the Internet Server.

    Lots of intrusions? What type of internet connection is used? Modem and PC or modem and router and PC or many PCs on the LAN?
    What are the IPs of these intrusions? These intrusions could even be coming from your own provider doing network checks (if there is no hardware firewall in front of the PC).

    The svchost should be allowed to change the rundll32.exe. It probably is trying to inject (rundll32.exe operates the windows .dlls). If you are uncertain, just right click the svchost in the ZA program list and select the Properties and examine it.
    The vendor should say Microsoft and the exact time/date of install should be there and the date of change. The version is listed and this can be verified on the 'net. Even the file size can be helpful for a comparison to find out if it is malicious or not. Plus the location should be noted - if it is not located in the WINDOWS\system32 folder, then it is in the wrong location and it is very possibly malware.
    Even the Alert from the ZA has more information and can open the Properties and related files.
    Just check and have a look and the file can be determined to be good or bad. Then the decisions can be made safely and with some assurance.

    The svchost.exe can act as a server to the DNS server and the DHCP server. This information will be included in the Alert. The DNS will be mentioned in the Alert and it should be the same IP as the DNS that you are using from your provider. The DHCP server IP may also be from your provider or from your modem or router. These can also be easily determined to be legitimate. The server to the DNS is okay and presents no danger - this is basically a "private network" between you and your provider and there is nothing or nobody between you and the provider's network. It is a direct connection with no other internet included. Very safe.
    The server right for svchost is needed because the port to the DNS and the DHCP must be opened to allow incoming return connections. This creates smoother and assured domain name lookups and a properly maintained connection to the gateway/DHCP (keeps you connected).
    So, yes the svchost acting as a server for the Trusted Zone is perfectly okay.

    There are some tweaks to do, using the Expert rules for the applications. The details would be lengthy, but I am willing to help you with these if you so wish.

    Cheers, Oldsod
    Best regards.

  5. #5
    monster_z Guest

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod!

    I again thank you for your answer. Since I'm extremely busy, I'll leave these configuration questions, and ask you some other day if you don't mind.

    However, since I have little time to post this, I'd like to ask you about what ZA uses for inbound protection. I've seen you said that ZA Anti-Spyware and all other ZA products use full Stateful Packet Inspection (SPI), but does it use full Deep Packet Inspection (DPI), and what other technologies does ZA use for both inbound and outbound protection?

    Also, I read on some other forums that full Stateful Packet Inspection and full Deep Packet Inspection can't help us against UNKNOWN malware. Also, if there is some new, unknown attack performed by a hacker, does it mean SPI and DPI are useless against unknown malware and also useless against UNKNOWN forms of attacks?

    Also, does ZA protect against buffer overflows?

    Big thanks for any information you can give me.

  6. #6
    monster_z Guest

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Thanks for your time and patience.

  7. #7
    Join Date: Dec 2005

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    OK Monster-Z not a problem.

    SPI yes. DPI no. Because Deep Packet Inspection is not really needed (examining each and every single packet would slow down the connections) and DPI is more suited for the gateway appliance or gateway firewall for a larger LAN. Not really needed for the home user. Stateful Packet Inspection is sufficient to ascertain if the connection is correct for the applications in question and for the protocol, ports and IPs involved. SPI is always better than a plain packet filter.

    The only way the firewall can really protect from malware is to actually open all the packets and have a look before passing the packets on. Impossible to do - it would mean every packet from the sites would have to be viewed in full. Only then would the firewall be able to say, yup there is a malicious link in this page, so I will remove it before passing it on. Checking the headers and the packets is sufficient for firewalling. For the time being, it is still up to the user to click or not click on the malicious link.

    Unwanted pings are dropped by the ZA (if configured properly in the Custom or in the Expert). All ports are stealthed and all ports are closed. This alone will provide optimal security for inbound protection and safety.

    Buffer overflows? No. You need a dedicated HIPS such as SSM or a dedicated buffer overflow tool such as WehnTrust. I have used the WehnTrust (it does sometimes need to have the AV and FW components set as exceptions) and it is very easy to use. I still use the SSM, and the longer it runs the smoother it gets. OOPs, I just checked with the CastleCops Wiki for HIPS and see the SSM gives no buffer overflow protection. Only Prevx2 and ThreatFire do this. Well, at least you have three choices left.
    The DEP of Windows does provide some buffer overflow protection and the 64 bit Windows Systems have a full protection.

    Does this help?

    Message Edited by Oldsod on 01-31-2008 09:23 PM
    Best regards.

  8. #8
    Join Date: Dec 2005

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Thank you Monster-Z. All polite questions are always honored and respected. Oldsod
    Best regards.

  9. #9
    monster_z Guest

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod.
    I have some questions that worry me about ZoneAlarm.
    I also have a couple of questions as well.

    I only hope you'll have the time and patience to answer me.

    1. I saw on CNET's website the discussion between users and one of the users named Santucci specifically said that with the new botnet programs out there, neither ZoneAlarm nor Windows Firewall can protect you. ZoneAlarm does a decent job of hiding your computer, but the minute you open any online application, you are exposed and vulnerable. Even ZoneAlarm Pro can be penetrated if it is visible.

    He also says that firewalls like ZoneAlarm are vulnerable to the variants of SQL Slammer and Stack Bot that came out near the end of September or early October, carrying IRC Flood and other trojans. In the past three months, I've cleaned out machines with four different brands of simple firewalls: ZoneAlarm, **bleep**, **bleep**, and two different versions of McAfee (AOL S&SC and MSC). All four of them had IRC Flood.

    Here is the link:;start=0

    Santucci also mentions that ZA DOESN'T HAVE Stateful Packet Inspection?
    Some of his words: Stateful Inspection works in a completely different way, and it's the same technology used in industrial hardware firewalls. What most people don't know however, is that if you use an SPI software firewall on a newer NT-based operating system (i.e. W2K, WXP), allowing it to control the network layer like it's intended to do, it works just as well as a hardware SPI firewall will.

    As a user of ZoneAlarm Pro, should I be worried?

    2.a) Question about leak-tests: as an experienced user, Oldsod, do you think leak-tests are really that important?

    2.b) According to Matousec's testing, ZA Pro fails the OSfwbypass leak-test, the PCflank leak-test and 2 leak-tests from CPILsuite (it passes the 1st leak-test of CPILsuite), because ZA Pro uses user-mode hooks on these leak-tests instead of using kernel-level hooks.
    Here is the website where it was tested:
    Have you perhaps tested these leak-tests with the newest beta of ZA Pro or ZAISS?

    Your opinions highly needed.

    3. Is ZoneAlarm Pro or ZAISS an APPLICATION LAYER FIREWALL with Stateful Packet Inspection?
    I somewhere read that application layer firewalls are new generations of firewalls (and Deep Packet Inspection firewalls)?

    4. Please, allow me a few more questions.
    Is it true that DPI (DPI = Deep Packet Inspection Firewalls) are not efficient at recognizing unknown malware inside the packets they check?
    Let's suppose you have a packet in which you have completely unknown malware unrecognized by any anti-virus/-spyware/-rootkit scanner. Would DPI fail to block this unknown malware?
    Is DPI then useless and powerless against such malware?
    Your opinions highly needed.

    Oldsod, I will ask you for a favor and ask you to read the answer from Melih and Egemen on this subject regarding DPI and SPI when another poster asked them the same thing; it's only one page:

    I'd like to hear your opinions on this subject.

    Oldsod, I apologize if I become too annoying and too intrusive. It's just I'm happy that I can ask someone who is experienced in using firewalls (ZA in this case).
    The thing is I wanted to know more about SPI and DPI and how truly secure and effective they are, but somehow I came to a controversial theme between experts.
    Some of the firewall moderators say that packet-filtering checksum verification can't be compared with SPI and DPI, because packet-filtering checksum verification only "sees" if a connection is corrupted or not, while SPI instantly tells you whether the connection is bad or good.

    Big thank you again for your time and patience.

  10. #10
    Join Date: Dec 2005

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    First of all, I usually take replies in some open forums very lightly and not seriously. Anybody can claim to be an expert or throw out half truths and pass these off as gospel.

    Many regular forums with regular posters with regular answers are taken more seriously.

    Hmmm SQL Slammer was patched years ago by MS and it affects only server OSes not desktops. Once the enterprise server or business server was patched, this is no longer a risk. Besides which I would expect the AV to capture this anyways.

    Stock Bot - never heard of it. Can you elaborate on this?

    IRC Flood can only affect IRC users. Plus they have to misconfigure the IRC client to allow the unwanted file in.

    ZA has had stateful packet inspection for years and still does. By the way, check out what company patented the term stateful packet inspection. Should be no surprise.

    Leaktests for fun or leaktests for selling product or making money off of leaktests or the real deal on leaktests?
    Ok the real deal. I shall show you what the real-world uses of leaktests translate like. See


    Now here is the true list of real-world leaktest exploits, not some paranoid imaginary pretend threats. Plus this is coming from their own web site.
    Read it? Good. Notice the trojans and such listed will get attacked first and contained by the antivirus. Got an updated and half decent antivirus? Good. Then not a problem. These cannot attack you if the antivirus nailed these first and put a stop to it. Oh, the "Related Trojans that are Unknown" - gee, if these are unknown, then are these still really real-world exploits?

    ZA is a stateful packet inspection firewall that works on the application layer.

    You want DPI? Then get an enterprise hardware or software type of firewall and spend the big $$$. Not needed.

    Really, does the firewall need stateful packet inspection if the user has an SPI/NAT router? No, not needed if the user has a router and the router is already doing SPI. OTOH the NAT of the router is probably doing about 99.8 per cent of the filtering anyway, regardless of whether the SPI is activated or not.

    You have a router? I am curious. Is it properly secured? You do any IRC or mIRC? Any P2P or file sharing? Yes, no?
    Download from crackz sites or porn? Use any illicit warez?
    Any online gaming? Use any social web sites?

    Other forum's threads, not really interested. They do their thing and I do mine. I do not belong to their forum, so I cannot comment.

    But SPI is about as far as you need to go. No more. DPI is too much $$ and resources and will slow the connection on the desktop level. Plus it will probably confuse the users and the user will get frustrated in the end.

    Even a plain packet filter, if used properly, will be very safe and effective and beat most of those leaktests. It takes time to set it up, but it can be done - just create or keep adding the allowed sites (whitelist) and keep blocking any other sites.
    Sure, the leaktest will always beat the plain packet filter - it will be able to hijack browsers, inject into processes and do all kinds of nasty things. But the leaktest itself will never be able to go to the home or botnet or needed server. So the leaktest will fail. The packet filter will get walked all over, but the filtering will still hold and will block the unwanted sites or IPs/ports/protocols. Kind of funny that the lowly plain packet filter, if set up and applied properly, will do the best job?

    But most people have no real idea about networking or the internet or firewalls and instead rely on products.
    Many people have no idea about safe hex or good security practices, so they rely on products.
    Once they get infected and get frustrated, they blame not themselves but the products.

    Ever notice most enterprise desktops have no firewall (Windows firewall maybe, or some firewalling built into the antivirus) and just an antivirus? They don't seem to be too worried.
    Because the enterprise LAN is secured by people who know what they are doing. Plus the desktops are never doing P2P or IRC or file sharing. The emails and the IMs are properly protected. Often the web browsers/browser ports are using just several regular protocols and are blocked off from any unusual ports/protocols. Bad and unwanted sites/ports/protocols are usually blocked off in the LAN.
    Kind of hard to get to at work if the site is blocked off or open bad mail if it was first filtered by the email server or use IRC if the IRC ports are blocked.


    Message Edited by Oldsod on 02-29-2008 04:24 PM
    Best regards.
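As an added example (not ZoneAlarm's code and not from any poster in this thread), here is a toy Python model of the two points Oldsod makes in posts #7 and #10: stateful inspection lets in only replies to connections the host started (or traffic to a port an application was explicitly granted server rights on), and a plain whitelist packet filter still stops a leaktest that has hijacked an allowed process, because the destination is not on the allowed list. All IP addresses and ports below are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the host firewall (constructed sample data)."""
    direction: str        # "out" = leaving this host, "in" = arriving at it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulWhitelistFilter:
    """Toy SPI plus destination whitelist; a model, not ZoneAlarm's engine."""

    def __init__(self, allowed_dests, server_ports=()):
        self.allowed_dests = set(allowed_dests)  # (ip, port) pairs the host may contact
        self.server_ports = set(server_ports)    # local ports granted "server rights"
        self.flows = set()                       # 5-tuples of connections this host opened

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            if (p.dst_ip, p.dst_port) not in self.allowed_dests:
                # The whitelist holds even if a hijacked process sent the packet:
                # the destination is not allowed, so the leak never reaches "home".
                return "DROP"
            self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
            return "ALLOW"
        # Inbound: only a reply to a tracked flow, or traffic to a port an
        # application was explicitly allowed to serve on, gets through.
        reply_of = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if reply_of in self.flows or p.dst_port in self.server_ports:
            return "ALLOW"
        return "DROP"  # unsolicited probe: dropped silently, the port looks stealthed


ME = "192.168.1.10"  # constructed address of the protected host


def run_demo():
    """Run a constructed packet sequence through the filter; returns (name, verdict) pairs."""
    fw = StatefulWhitelistFilter(
        allowed_dests={("192.168.1.1", 53), ("198.51.100.7", 443)},  # DNS + one web site
    )
    seq = [
        ("dns query",         Packet("out", ME, 50000, "192.168.1.1", 53, "udp")),
        ("dns reply",         Packet("in", "192.168.1.1", 53, ME, 50000, "udp")),
        ("unsolicited probe", Packet("in", "203.0.113.5", 40000, ME, 135)),
        ("browser https",     Packet("out", ME, 50001, "198.51.100.7", 443)),
        ("https reply",       Packet("in", "198.51.100.7", 443, ME, 50001)),
        ("hijacked browser",  Packet("out", ME, 50002, "203.0.113.9", 80)),
        ("forged reply",      Packet("in", "198.51.100.7", 443, ME, 50009)),
    ]
    return [(name, fw.decide(p)) for name, p in seq]


if __name__ == "__main__":
    for name, verdict in run_demo():
        print(f"{name:18} {verdict}")
```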
