Thread: Incorrect Blocking - Newsreader & other programs opening connections fast (race condition)

  1. #1
    kelendral Guest

    Incorrect Blocking - Newsreader & other programs opening connections fast (race condition)

    Ok, I have set up the following access for my newsreader.

    Trust Level: ?
    Access Trusted: Allow
    Access Internet: Allow
    Server Trusted: Block
    Server Internet: Block
    Send Mail: Block

    I have Expert rules as follows
    Rank 1: allow access to DNS servers on port 53, logged
    Rank 2: allow access to news servers from company A on port 119, logged
    Rank 3: allow access to news servers from company B on port 9000, logged
    Rank 4: Block any traffic on any port, alert & log.

    PROBLEM DESCRIPTION:
    This rule set appears to work and do what I want correctly most of the time. It blocks the call home and upgrade checks for newsreader and yet allows me to get data from my news servers.
    However, it would appear Zone Alarm has a problem processing the rules fast enough when multiple connections are being instantiated (such as program start, or when several article downloads complete and thus start the next article at the same time).
    When this race condition occurs of multiple connections being instantiated at the same time, Zone Alarm tends to block several to all of the connections.
    I would really like to know how to avoid this problem while continuing to use the enhanced security of expert rules.
    I've included below some log entries that clearly demonstrate this issue, where Zone Alarm blocked 1 of 3 connections going to my local ISP's news server.
    It should be noted that the IP is the same, so it is not the commonly blamed "a server can have multiple IP addresses" issue.
    The example below comes from an instance where 6 total connections were requested to be opened. 3 to the local news server and 3 to the remote.
    This is extremely annoying and a major slowdown for my downloads as I then either have to manually reset the failed connection, or wait the 15 seconds for the newsreader to do it automatically and try again. There are no visible connection issues when Zone Alarm is not running.



    LOG ENTRIES:

    Description The firewall rules for newsreader.exe allow an outgoing TCP connection to 209.197.15.254:NNTP.
    Rating Medium
    Date / Time 2008/07/22 01:55:24-4:00 GMT
    Type Program Access
    Program newsreader.exe
    Source IP
    Destination IP 209.197.15.254:119
    Direction Outgoing (connect)
    Action Taken Allowed
    Count 2
    Source DNS
    Destination DNS optonline-nntp.iad.highwinds-media.com

    Description The firewall rules for newsreader.exe blocked an outgoing TCP connection to 209.197.15.254:NNTP.
    Rating Medium
    Date / Time 2008/07/22 01:55:24-4:00 GMT
    Type Program Access
    Program newsreader.exe
    Source IP
    Destination IP 209.197.15.254:119
    Direction Outgoing (connect)
    Action Taken Blocked
    Count 1
    Source DNS
    Destination DNS optonline-nntp.iad.highwinds-media.com

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Pro
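The symptom in the log entries above (the same program, the same destination and the same second, with one record Allowed and another Blocked) can be picked out of a ZoneAlarm text log automatically. This is an added example, not code from the thread or from ZoneAlarm; it assumes records are separated by blank lines and use the field labels shown in the post, and the sample records are constructed from the quoted entries with the fields not needed here dropped.

```python
# Added example: parse ZoneAlarm-style text log records and flag program/destination
# pairs that were both allowed and blocked in the same second (the burst symptom).
import re
from collections import defaultdict

FIELDS = ("Description", "Rating", "Date / Time", "Type", "Program", "Source IP",
          "Destination IP", "Direction", "Action Taken", "Count", "Source DNS", "Destination DNS")

def parse_entries(text):
    """Split blank-line separated records into dicts keyed by field label."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in (l.strip() for l in block.splitlines()):
            for field in FIELDS:  # a label such as "Source IP" may carry no value
                if line == field or line.startswith(field + " "):
                    rec[field] = line[len(field):].strip()
                    break
        entries.append(rec)
    return entries

def find_burst_conflicts(entries):
    """Outgoing connects per (program, destination, second) that had both outcomes."""
    groups = defaultdict(lambda: {"Allowed": 0, "Blocked": 0})
    for e in entries:
        action = e.get("Action Taken")
        if e.get("Direction", "").startswith("Outgoing") and action in ("Allowed", "Blocked"):
            key = (e.get("Program"), e.get("Destination IP"), e.get("Date / Time"))
            groups[key][action] += int(e.get("Count") or 1)  # ZA folds repeats into Count
    return {k: v for k, v in groups.items() if v["Allowed"] and v["Blocked"]}

# Constructed sample: the two records quoted in the first post, reduced to the fields read here.
SAMPLE_LOG = """\
Date / Time 2008/07/22 01:55:24-4:00 GMT
Program newsreader.exe
Destination IP 209.197.15.254:119
Direction Outgoing (connect)
Action Taken Allowed
Count 2

Date / Time 2008/07/22 01:55:24-4:00 GMT
Program newsreader.exe
Destination IP 209.197.15.254:119
Direction Outgoing (connect)
Action Taken Blocked
Count 1
"""

if __name__ == "__main__":
    print(find_burst_conflicts(parse_entries(SAMPLE_LOG)))
```

Run over a full exported log, a hit means the rule set is not the problem for that destination: the same rule matched and passed some of the connections in that second, so the remaining blocks are timing, not policy.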

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Incorrect Blocking - Newsreader & other programs opening connections fast (race condition)

    Hmm. One of the impressive features of the ZA is the nifty expert rules and how well it handles these and can be customized. To date I have a couple thousand blocked IP/IP ranges in the Zones, 145 rules in the Expert in the Firewall, and each and every application listed has its own Expert Application rules.

    Before we begin, set the Alerts Events Shown and the Event Logging to High and ON.
    Open the Advanced and select the Check All in the Alert Events tab, as this also sets the logging to High. Now the logging and alerts are maximized for better tracking and debugging of this issue.

    Comments on the rules now used:
    First rank dns.
    The source and the destination should both include the My Computer and the DNS servers, not just My Computer in the Source and the DNS servers in the destination. The Protocol should allow for both outgoing and incoming connections for the port 53 (all by UDP, but some prefer tcp/udp outgoing and the usual udp incoming). This allows for the dns server to re-establish connections or continue and resume the connection thus speeding the lookups instead of establishing newer dns connections.
    See http://forum.zonelabs.org/zonelabs/b...ssage.id=53075 for a previous post for the dns connections since the latest ms update for randomization of the local ports to the dns servers.
    Plus myself, I skip the logging of the dns connections as this does become redundant and is basically a waste of time to read or for getting logged. The actual connections have more importance and this is where all of the details are found. Once things are properly figured out and all is running smoothly, of course.

    But frankly I would add the first rank rule for the loopback and make the dns lookups the second rank. Something to the effect of the loopback (127.0.0.1) for the Source to the loopback (127.0.0.1) for the Destination (and perhaps include the zero octet address of 0.0.0.0 in the destination as well) with Any TCP for the protocol.

    Third and fourth rank rules may have incorrect source ports listed or an incorrect range of ports (if the blocked event is because of incorrect source ports or port range), or the exact TCP Flags for the blocked connections are not properly read. If the blocked connection is a SYN or ACK then there is an issue. But if something like RST is logged, then it is not an issue if the news server already sent a FIN flag.
    Another consideration is including the ICMP for the newsreader - it may well be trying to ping or use destination unreachable for establishing connections either to the newsserver or the dns servers. Use Alert and Log for the Any ICMP.

    The expert rules for the applications should be duplicated into the expert of the firewall - the dns and the newsserver itself (possible range of 209.197.12.0 thru 209.197.15.255 for the www.newshosting.com site). Along with the ports for the destination and the source.
    (Not too sure how the newsserver works, but the exact ip range may be added to the application rule if there are no particular servers and it is served from random IPs.)

    But I would suggest to allow incoming connections and not just outgoing connections to the newsserver, as that can be the problem. Yes this does open the port to the newsserver, but it is only open to this particular server, and any other port scan or port connection attempt from any other IP will still see the ports as stealthed and closed (to them). Using the correct IP/IP range and ports for the rules does create the proper safeguards - the application is the only program able to use the ports and nothing else can be used in its place to threaten the computer.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    kelendral Guest

    Re: Incorrect Blocking - Newsreader & other programs opening connections fast (race condition)

    Previous settings:
    Alert Events: Medium
    Event Logging: On
    Program Logging: High

    Current Settings:
    Alert Events: High
    Event Logging: On
    Program Logging: High

    I've changed the Newsreader configuration to disable the second server and matched my expert rules to such to attempt to debug this issue.
    I currently have no Expert rules defined at the firewall level.
    I currently have only 3 expert rules defined for newsreader.exe as below.

    Current Expert Program Rules (All Rules have the following - Source: Any - Time: Any):
    Rank 1: DNS - Destination: IP Address of DNS Servers - Protocol: TCP & UDP, Source Other/Any, Destination DNS/53
    Rank 2: OOL - Destination: Named Address news.optonline.net (lookup resolves to optonline-nntp.iad.highwinds-media.com [209.197.15.254]) - Protocol: TCP, Source Other/Any, Destination NNTP/119
    Rank 3: Block - Destination: Any - Protocol Any

    No new events were logged or alerted during a connect attempt which resulted in 2 failed connections and 1 successful (events had similar log to above except in this case it was 1 success, then 2 blocked in the order on the log).

    Questions about the request to open additional accesses: Why is there such a need if no event is being logged other than the firewall saying it blocked the specific connection? Does the firewall fail to properly log and display events? Does the firewall improperly log and handle events? Does the firewall not properly handle and log incoming connection attempts (this is a big issue if so)?

    I will attempt the suggested loosening of security to see if the incorrect, and reasonless blocking is corrected. Although, per my above questions this calls into question the reliability of the firewall to properly handle events.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Incorrect Blocking - Newsreader & other programs opening connections fast (race condition)

    You still must include both My Computer and the DNS server(s) in both the Source and the Destination or else the return connections from the DNS servers will be dropped.
    Plus the Protocol should have two entries - one for outgoing to the DNS port 53 from Any and a second entry for incoming DNS port 53 to the Source of Any.

    Any associated processes either by parent or child process involved with the news reader must also have internet and trusted accesses.

    I suppose you missed the ICMP inclusions.
    Did you duplicate the rules for the application in the expert of the firewall?

    The failed events have what TCP Flags? Which direction of the connection? What ports/protocols?
    Failed logging does not exist. Check the logs for previous applications/files which are blocked - it is more than likely related to these events. It is not just the newsreader that is involved, but all of the related processes that are involved, as the ZA checks everything. Any blocked related application will directly affect the newsreader connections/performance.

    If you just added the IP or, possibly more correctly, the IP range instead of just the IP.

    See http://donhoover.net/ for extra ZA help.

    Oldsod.
    Best regards.
    oldsod

  5. #5
    kelendral Guest

    Re: Incorrect Blocking - Newsreader & other programs opening connections fast (race condition)

    I think you are missing the point.

    This problem occurs only during a race condition when the newsreader opens all of its connections at once. It will block some, but not all, of the threads connecting. Please review the logs from the first post. 1 of 3 threads was blocked to the same IP address in the same second. This is how it appears when this issue occurs.

    I have tried your suggestions since the last post and continue to have this issue. It is most notable if I press disconnect on my newsreader and then have the newsreader connect all connections again (hence showing that all rules were working if all connections and the running program had already been established without closing the program). The reason it is most notable at this point is because that forces all the connections to open at once, and thus the conflict/race condition. If I manually tell each connection/thread to start nicely staggered there is no problem until such time as multiple downloads happen to complete and thus start the next download at the same moment.

    The logs did not show any other errors or blocking in the 15 minutes prior to my testing.

    Again, this only happens during a race condition where multiple outgoing connections are attempted to be established from the same program at the same time. Staggered connections appear fine.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Incorrect Blocking - Newsreader & other programs opening connections fast (race condition)

    Contact Technical Support, free support by email:

    https://www.zonealarm.com/store/cont...ch_support.jsp

    Oldsod.
    Best regards.
    oldsod
