
Thread: Blocking UDP on loopback address

  1. #1
    lfuh Guest

    Blocking UDP on loopback address

    Hi everyone,


    I am trying out the latest ZoneAlarm 7.1 on Vista (Business / Ultimate) and found a problem with my program.


    First of all, my program uses a couple of UDP sockets and binds them to the loopback address, so the port number is assigned by the system and won't be a constant port.

    One UDP socket will send to the other UDP socket for synchronization purposes, all on the loopback address.


    For example, I will have a UDP socket handle=380 (127.0.0.1:50786) after binding and another UDP socket handle=368 (127.0.0.1:50785) after binding.


    Now socket handle=380 will connect to 127.0.0.1:50785 and send a few bytes of data.


    I've set ZoneAlarm to treat the loopback address as a trusted rule, and listed my process/program as Ask. Now here is what happened.

    1. The first time it runs, ZA prompts me whether to allow the connection to 127.0.0.1:xxxx for my program; I say allow and remember the setting, and things work fine.

    2. When I run my program again, ZA doesn't ask me anything anymore, but since the socket now binds to a different port number, it blocks the send() call, so the program breaks.

    The same program somehow works fine on XP with the same latest ZA 7.1.

    Although I believe ZA has a different implementation on XP vs. Vista: their XP version seems to use Kaspersky's engine, whereas I didn't find the same driver on Vista.


    My question is: even if I set my program as allowed for all access/server in Program Control, it doesn't help; it still blocks the UDP socket on the loopback address.
    The only time it worked was when I reset the settings and had ZA ask for permission; then it works the first time.
    I mean, why would it add a whitelist rule for a process only for one IP/port combination? Is that the case?
    Is there any way to add a process name to a true whitelist?
    It seems to me ZA's implementation is not very predictable.
    I've tested with various firewall software (Norton/McAfee/TrendMicro/CA/Kaspersky...); they all worked fine with my program on XP/Vista.


    Does anybody have a way to lift the blocking mechanism in ZA, at least for loopback for a process?

    Operating System: Windows Vista Business
    Software Version: 7.1 (Vista)
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    Join Date: Dec 2005 | Posts: 9,057

    Re: Blocking UDP on loopback address

    I really doubt the antivirus has anything to do with the network filtering of the ZA firewall. It is ZA that filters the networking, not an antivirus scanner's engine.

    You indicate these are UDP connections on localhost, but do not specify whether these localhost connections are outgoing (access) or incoming (server).
    It may quite possibly be that only Trusted Access has been allowed and not Trusted Server. Trusted Server rights may be needed for this program you are using, if the localhost connection is not just going to localhost, but also from localhost to other localhost ports, all for the program's own connections or for connections to other programs/files.
    Trusted Server may be needed, regardless of the protocol involved.
    The non-route address (0.0.0.0) may be connected as well, depending on this program and what it is and what it does.

    There may be parent/child processes involved as well, perhaps not seen or stated in your post.

    First make sure that not only Trusted Access is allowed, but also Trusted Server.
    Next right-click the program involved (as seen in ZA's program listing), open the Options, check the first two items and click OK.
    Give the program full trust access in the rating: super rating, or the three green bars.
    Enable Privacy if it is seen in the Options menu.

    Next make sure the ZA Program Control slider is at Medium, to put ZA into a learning state, and not at High, which is a final state of control.

    Turn off ZA and then re-enable ZA.

    Now try the application; it should run okay.
    After a few weeks or so, ZA will return the Program Control slider to the High setting automatically on its own, or just do this manually.

    If this still fails and its connections have failures, then simply do some manual settings.
    The manual settings are made with Expert Rules of the application itself.
    Open the Options via right-click of the application in the ZA program listing.
    Select the Expert tab of the window.
    The settings should be enabled, and logging/alerts as you desire them to be (you want to first allow the logging and alerts for a short period of time for observation/tracing, and once you decide all is well, then remove the logging and alerts for fewer distractions).
    The source should be listed with the loopback address 127.0.0.1; the destination should be both the loopback 127.0.0.1 and the non-route address 0.0.0.0.
    The Protocol should be "TCP/UDP" using its "Any" option.
    The Time should be the default "Any".
    Apply and OK.

    As to whether this application makes any other connections, you have not mentioned.
    You could further complement the Expert rules with DNS connections (possibly DHCP or local area network connections), and internet connections going to specific or general internet addresses by general or specific protocols, controlled by both local and remote port (and port ranges).

    Oldsod.
    Best regards.
    oldsod

  3. #3
    lfuh Guest

    Re: Blocking UDP on loopback address

    Hi Oldsod,

    I've tried both your methods; I even created an expert rule to allow everything, set to Any,
    but it only works the first time. If I run my program a second time, it fails again.

    I looked at the socket-layer call sequence and found that ZA could be blocking my UDP socket's send() call: the socket creation, binding and connect work as expected, but somehow the send() doesn't trigger a readable event on the other end of the socket.

    Here is the code sequence. It's a single process with multiple threads.

    // (1) Create the server IPC socket.
    iIpcServer = WSASocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP, NULL, 0, WSA_FLAG_OVERLAPPED);

    // (2) Set the server IPC socket non-blocking.
    ioctlsocket(iIpcServer, FIONBIO, ADDRESS_OF(nonblocking = 1));

    // (3) Bind the server IPC socket. (sai is set to 127.0.0.1)
    bind(iIpcServer, (sockaddr*)ADDRESS_OF(sai), sizeof(sai));

    // (4) Create the client IPC socket.
    iIpcClient = WSASocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP, NULL, 0, WSA_FLAG_OVERLAPPED);

    // (5) Bind the client IPC socket. (sai is set to 127.0.0.1)
    bind(iIpcClient, (sockaddr*)ADDRESS_OF(sai), sizeof(sai));

    // (6) Connect the server IPC socket to the port the client was given.
    getsockname(iIpcClient, (sockaddr*)ADDRESS_OF(sai), ADDRESS_OF(length = sizeof(sai)));
    connect(iIpcServer, (sockaddr*)ADDRESS_OF(sai), sizeof(sai));

    // (7) Connect the client IPC socket to the port the server was given.
    getsockname(iIpcServer, (sockaddr*)ADDRESS_OF(sai), ADDRESS_OF(length = sizeof(sai)));
    connect(iIpcClient, (sockaddr*)ADDRESS_OF(sai), sizeof(sai));

    These all worked as expected. Next, we do

    send(iIpcClient, ...) with only 1 byte of data, for triggering purposes, to the other end; from the Winsock-layer monitoring tool the call succeeds,

    but the other end of the socket (iIpcServer) never gets a readable event in a select() loop, so it never wakes up to recv(iIpcClient...) the data.




    If the firewall is not blocking the connection, what other component in ZA is blocking this UDP send()? Is there a way to work around it? Why does it work the first time and then stop working (the port is different every time the program starts)? What did ZA learn to consider this UDP socket communication a threat?




    Thanks
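    The seven-step pairing sequence above, as an added example in portable Python rather than the poster's Winsock code, so the same check can be run on a machine with and without the firewall installed: both sockets bind to ephemeral loopback ports, each connects to the other, the client sends the one-byte trigger, and select() waits for the server side to become readable. A None result reproduces the symptom described in the post: send() reports success but the datagram never arrives.

```python
import select
import socket

LOOPBACK = "127.0.0.1"


def make_ipc_pair():
    """Create two UDP sockets on ephemeral loopback ports and connect each to
    the other, mirroring steps (1) to (7) of the Winsock sequence above."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.setblocking(False)          # step (2): server side is non-blocking
    # Port 0 lets the OS choose the port, so it differs on every run; this is
    # exactly what defeats a firewall rule remembered for one IP:port pair.
    server.bind((LOOPBACK, 0))         # step (3)
    client.bind((LOOPBACK, 0))         # step (5)
    # getsockname() reveals the assigned ports; connect() pins the peer so that
    # plain send()/recv() can be used instead of sendto()/recvfrom().
    server.connect(client.getsockname())   # step (6)
    client.connect(server.getsockname())   # step (7)
    return server, client


def ping_ipc(server, client, timeout=1.0):
    """Send the one-byte trigger and wait for the server to become readable.

    Returns the received byte, or None when send() succeeded locally but the
    datagram was never delivered (e.g. filtered between the two sockets)."""
    client.send(b"\x01")
    readable, _, _ = select.select([server], [], [], timeout)
    if not readable:
        return None
    return server.recv(1)


def check_loopback_ipc():
    """Run the whole exchange once and clean up both sockets."""
    server, client = make_ipc_pair()
    try:
        return ping_ipc(server, client)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    result = check_loopback_ipc()
    print("loopback UDP IPC", "OK" if result == b"\x01" else "BLOCKED")
```

    Run it twice in a row: because the ports change on every start, a firewall that whitelists only the first run's port pair shows OK once and BLOCKED afterwards.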

  4. #4
    Join Date: Dec 2005 | Posts: 9,057

    Re: Blocking UDP on loopback address

    This is not a Zone Alarm issue.
    It is not the fault of ZA that the socket connections are failing within Vista.
    This is a Windows Vista operating system issue.
    Sooner or later this Vista issue will be repaired in either SP2 or SP3.
    Until then, you are out of luck.
    Now you know why I have not upgraded to Vista and still stay on XP.

    Oldsod.
    Best regards.
    oldsod

  5. #5
    lfuh Guest

    Re: Blocking UDP on loopback address

    Ok.

    I am not sure what the issue is with ZA and Vista; if I uninstall ZA, everything works fine.
    I guess there is no other way around it; I will need to blacklist ZA in our product when running under Vista.
    Thanks for the information.
    Louis

  6. #6
    lfuh Guest

    Re: Blocking UDP on loopback address

    BTW,
    is there an online FAQ or knowledge base link about this issue with Vista?
    I would like to refer to it when I document the behavior with our product.
    Thanks a lot.

  7. #7
    Join Date: Dec 2005 | Posts: 9,057

    Re: Blocking UDP on loopback address

    The issue is with Vista: one day certain ICMP are blocked on Vista with ZA; the next day SP1 is installed, and that day, suddenly and mysteriously, those ICMP start to function.
    ZA Vista users making a fuss about ZA suddenly discovered that ZA "worked" right immediately after installing SP1.
    Wait for Vista's SP2; I am very sure other issues, and yours, will be solved suddenly and mysteriously.

    Oldsod.
    Best regards.
    oldsod

  8. #8
    Join Date: Dec 2005 | Posts: 9,057

    Re: Blocking UDP on loopback address

    You would have to contact Zone Labs directly and make your inquiry.
    This is a ZA users forum and I am just a ZA user, as are the other posters; I am not an employee or company rep.

    Oldsod.
    Best regards.
    oldsod

  9. #9
    lfuh Guest

    Re: Blocking UDP on loopback address

    Well, for you to spend a lot of time on this user forum is a great deal of dedication, my salute to you.

  10. #10
    Join Date: Dec 2005 | Posts: 9,057

    Re: Blocking UDP on loopback address

    Thank you.
    Oldsod.
    Best regards.
    oldsod
