
Thread: Problem with ZoneAlarm's ARP Protection

  1. #1
    ohjeez Guest

    Problem with ZoneAlarm's ARP Protection

    ZoneAlarm's ARP protection apparently has some issues.
    I have also noticed that some other users are having the same problem.
    The problem with this protection mechanism is that it causes a loss of connectivity after a certain amount of time.
    I have looked into this problem and it seems that my router/gateway periodically sends ARP Request packets directly to my MAC address, yet ZoneAlarm is blocking this, despite the fact that it is coming from the gateway's MAC address. Since my router is not getting any ARP replies back, it does not know where to send packets back, therefore causing a loss of connectivity.
    I haven't figured out a way to have ZoneAlarm exclude my router from the protection, though I would have thought that ZoneAlarm is smart enough to handle this on its own? I tried enabling ICS Client mode as well as adding my Gateway under ZoneAlarm's Firewall->Expert panel, yet to no avail.
    Does anyone have any workarounds for this with the ARP protection mode on?
    Thanks.

    P.S. In terms of the Data Link layer, the ARP request is sent directly to my MAC address, but in terms of the network layer (ARP protocol), the target MAC address is 00:00:00:00:00:00.

    Message Edited by ohjeez on 08-12-2008 02:25 AM


  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,290

    Re: Problem with ZoneAlarm's ARP Protection



    Hi!
    Not an expert at all on network issues... but is your router IP added to the ZA firewall trusted zone (ZA firewall tab --> Zones)?

    Cheers,
    Fax

    Message Edited by fax on 08-12-2008 09:16 PM


  3. #3
    forum_moderator Guest

    Re: Problem with ZoneAlarm's ARP Protection

    Hello,
    ARP protection is by default not supposed to be turned on. You will need to turn ARP protection off since you're having issues.
    Open ZA
    Click on Firewall
    Click on Main tab
    Click on the Advanced button
    In the General setting section, un-check the Enable ARP Protection box.
    Forum Moderator

  4. #4
    ohjeez Guest

    Re: Problem with ZoneAlarm's ARP Protection

    @fax -- tried that, didn't work...

    @Forum-Moderator -- I understand that option is off by default. My question is how to use this feature without losing Internet connectivity. (One of the users on my current network really likes playing with this stuff so I'd rather not be snooped on if possible)

  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Problem with ZoneAlarm's ARP Protection


    <blockquote><hr>ohjeez wrote:
    @fax -- tried that, didn't work...

    @Forum-Moderator -- I understand that option is off by default. My question is how to use this feature without losing Internet connectivity. (One of the users on my current network really likes playing with this stuff so I'd rather not be snooped on if possible)
    <hr></blockquote>


    ARP itself is in the Link Layer (lowest layer) of the TCP/IP model. See http://www.faqs.org/rfcs/rfc1122.html for the correct reference material.

    Almost every software desktop firewall does not start to work until the Internet Layer (2nd layer) which covers ICMP and the IP. Some will not start to work until the Transport Layer (3rd layer) which covers the TCP and UDP.

    The ZA is no different, and skips the Link Layer, and works only from the Internet layer and upwards (if that makes any sense).


    What the ZA does see as ARP is what is found in the MAC information of the broadcast (255.255.255.255) connections. And of course in the MAC as found in the packets sent/received between the computer and the DHCP/gateway server.


    Could you open the WINDOWS\Internet Logs folder and see if there is a LSPConflict.txt and a fwdb*.txt?
    More than likely there is a fwdb*.txt to be found and this file will contain important information. Important clues will be found.

    It is possible the ARP Cache of windows has become corrupted. Windows ARP Cache is dynamic not static.
    The ARP Cache can also be viewed by the " arp -a " command or the " arp -g " command (without the quotation marks, of course). Invalid ARP entries will be seen as " 00-00-00-00-00-00 " (without the quotation marks, of course).




    The ARP Cache can then be flushed using the command
    " netsh interface ip delete arpcache " (without the quotation marks, of course). Once the ARP Cache is flushed, then immediately reboot.
    Once windows itself has been cleaned, the ARP and ZA issue may be resolved.

    Oldsod.
    Best regards.
    oldsod

  6. #6
    ohjeez Guest

    Re: Problem with ZoneAlarm's ARP Protection

    Thanks for the information, but I am not sure how your information relates to the ARP protection that ZA offers.
    AFAIK, ZA blocks unsolicited and ARP requests that are not directed to a Broadcast MAC address (I assume ff:ff:ff:ff:ff:ff in this case?)
    I have tried emptying the ARP cache with arp -d *, but that does nothing to prevent the router from sending keep-alive ARP requests.
    For some reason, the ARP request is not directed to ff:ff:ff:ff:ff:ff, but instead to my MAC address. For that reason, ZoneAlarm blocks the ARP request thinking that it is some kind of malicious attack.
    Currently I am not able to work around this either by adding the router to the Trusted Zone or using the Expert tab to allow everything into my computer that is coming from my router. I am guessing either these controls are separate from the ARP protection option, or maybe they work on a higher layer as you suggest.
    Hopefully there would be a workaround soon.
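
Added example, not part of any post in this thread: the frame described in post #1 (a request addressed to the host's MAC with an all-zero ARP target hardware address) matches the "unicast poll" cache-validation method in RFC 1122 section 2.3.2.1. The sketch parses such frames and compares the rule assumed in post #6 (drop any non-broadcast request) with a hypothetical pinned-gateway rule; neither is ZoneAlarm's actual logic, all function names are made up here, and the MAC addresses are constructed.

```python
import struct
from collections import namedtuple

BROADCAST = b"\xff" * 6
Arp = namedtuple("Arp", "eth_dst eth_src op sha spa tha tpa")

def build_arp(eth_dst, eth_src, op, spa, tpa, tha=bytes(6)):
    """Constructed test frame: Ethernet II header + IPv4-over-Ethernet ARP."""
    fixed = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return eth_dst + eth_src + fixed + eth_src + spa + tha + tpa

def parse_arp(frame):
    """Decode one Ethernet frame carrying ARP; reject anything else."""
    if len(frame) < 42:
        raise ValueError("truncated ARP frame")
    dst, src, *fixed, op = struct.unpack("!6s6sHHHBBH", frame[:22])
    if fixed != [0x0806, 1, 0x0800, 6, 4]:
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return Arp(dst, src, op, sha, spa, tha, tpa)

def naive_verdict(a):
    """Rule as assumed in the thread: a request must be a broadcast."""
    return "drop" if a.op == 1 and a.eth_dst != BROADCAST else "allow"

def pinned_verdict(a, my_mac, my_ip, pinned):
    """Hypothetical refinement: unicast request only from a pinned IP->MAC."""
    if a.op != 1:
        return "defer"  # replies need request tracking, out of scope here
    known = pinned.get(a.spa)
    if a.eth_src != a.sha or known not in (None, a.sha):
        return "drop"   # inconsistent sender, or pinned IP on another MAC
    if a.eth_dst == BROADCAST:
        return "allow"
    to_me = a.eth_dst == my_mac and a.tpa == my_ip
    return "allow" if to_me and known == a.sha else "drop"

def demo():
    # Constructed sample: IPs as in the thread's log, MAC addresses made up.
    gw_ip, my_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 197])
    gw, me, other = (bytes.fromhex("0200000000" + x) for x in ("01", "c5", "66"))
    frames = {"gateway unicast poll": build_arp(me, gw, 1, gw_ip, my_ip),
              "gateway broadcast": build_arp(BROADCAST, gw, 1, gw_ip, my_ip),
              "other MAC as gateway": build_arp(me, other, 1, gw_ip, my_ip)}
    return {n: (naive_verdict(a), pinned_verdict(a, me, my_ip, {gw_ip: gw}))
            for n, a in ((n, parse_arp(f)) for n, f in frames.items())}

if __name__ == "__main__":
    print(demo())
```

Each result is a (naive, pinned) pair: the gateway's unicast poll is dropped by the broadcast-only rule but accepted once the gateway's IP-to-MAC pair is pinned, while a different MAC claiming the gateway's IP is dropped by both.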

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Problem with ZoneAlarm's ARP Protection

    ZA ARP Protection is not direct control of the ARP packets, but it is an indirect control as explained previously.

    "ff:ff:ff:ff:ff:ff" usually means not a MAC in the normal broadcast, but indication of a bad NIC.
    ff:ff:ff:ff:ff:ff may be seen in the very first initial arp connections sent by windows, but all later connections will use the correct MAC of the computer and the gateway.
    If you are seeing a lot of the ff:ff:ff:ff:ff:ff, then consider a new NIC or new network card drivers.


    ARP requests should be using the correct MACs and not the broken MAC of ff:ff:ff:ff:ff:ff.

    Nor should the connections be blocked by the ZA.
    Your gateway must be listed as Trusted in the Zones of the Firewall.


    You should post the information listed in the .txt file of the Windows\Internet Logs as mentioned previously. The answer is in there.

    Oldsod
    Best regards.
    oldsod

  8. #8
    ohjeez Guest

    Re: Problem with ZoneAlarm's ARP Protection

    I do not see anything special in those text files or anything regarding ARP entries. Does logging for ARP have to be specially enabled?
    Thanks.

  9. #9
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Problem with ZoneAlarm's ARP Protection


    <blockquote><hr>ohjeez wrote:
    I do not see anything special in those text files or anything regarding ARP entries. Does logging for ARP have to be specially enabled?
    Thanks.
    <hr></blockquote>
    No, the ARP does not have to be enabled.

    But the fwdb*.txt will have details of the dhcp and the dns connections events (including broadcasts), regarding failed or re-connection attempts.
    These are important to be read and understood to "fire wall de bug" events or issues.

    If there is a lspconflict.txt to be found, then the information will describe a dll conflict in the LSP.
    This can be from either a trojan inserted in the LSP stack or from a dll of previously/presently installed programs/applications which is in conflict with the ZA firewall.

    Oldsod.
    Best regards.
    oldsod

  10. #10
    ohjeez Guest

    Re: Problem with ZoneAlarm's ARP Protection

    Thanks for the reply.
    The only fw*.txt I can see is fwpktlog.txt, which contains:
    61171 LogFileCreated
    87968 Packet DROPPED: Proto: IP_UDP Flags: 0x0000000a Src: 10. 0. 0. 1 Dest: 10. 0. 0.197 SrcPort: 1900 DstPort: 1900
    90343 Packet DROPPED: Proto: IP_UDP Flags: 0x0000000a Src: 10. 0. 0. 1 Dest: 10. 0. 0.197 SrcPort: 1900 DstPort: 1900
    Other than that, no files relating to fw*.txt or lspconflict.txt are found in that directory.
    There are also no third party LSPs besides the standard Winsock and TCPIP ones.
    Thanks.
