Firewall expert "Block all" rule blocks access before reading any Program expert rules?

    tjmachineman Guest

    Firewall expert "Block all" rule blocks access before reading any Program expert rules?

    Doesn't a block all rule at the bottom of the Firewall expert rules block access to all Program expert rules? Since ZAP reads the firewall rules first? A moderator post suggests setting up expert rules for programs (Outlook specifically) and other posts suggest using a block all rule at the bottom. Wouldn't it make sense for ZAP to read the program rules first and then the expert rules? Maybe I'm losing it, but if I only want Outlook to access multiple SMTP & POP servers why would I put the rule in a Firewall expert rule? This would allow any other mail client OR program to access those POP3 & SMTP servers. NOT what I want. And then if I put that same rule in the Program expert rule for Outlook, it wouldn't even be looked at due to the match of the "block all" rule at the bottom of the Firewall expert rules, correct? I want nothing in or out of my network unless I tell it to do so. SO, I put on a program expert rule to allow just Outlook to access those, and in line with several posts I put a block all at the bottom of my firewall expert rules. Hmmm, so since this software firewall (ZAP) reads firewall expert rules first, the block all stops any program rules from being executed, right? So, what am I missing? What good are any of the program expert rules then? I only want specific applications to have access and I want to block all in my firewall expert rules. Looks like I'm SOL, or am I way too tired and missed something?

    Operating System: Windows XP Pro
    Product Name: ZoneAlarm Pro
    Software Version: 6.0

    billc Guest

    Re: Firewall expert "Block all" rule blocks access before reading any Program expert rules?

    Maybe I'm the one that misunderstands, but if you want to block all your programs, then why not put a red X next to them in your ZA Program Control > Programs and put a blue question mark next to the ones you want to permit access when you want?

    tjmachineman Guest

    Re: Firewall expert "Block all" rule blocks access before reading any Program expert rules?

    Thanks for the reply! But we're out of sync... I may have been a little wordy, let me try again (ha! more words). Re: your suggestion of blue question marks: I check email 20 times a day and would never want to click the permit button for just Outlook to all my SMTP and POP3 server accesses all day long (besides, wouldn't a firewall block all rule kill it before it got to the ?). But, I only want to allow certain programs certain access. The Outlook rules posted on the bottom of this link are what I'm trying to accomplish, however I believe the moderator is suggesting this set of rules be put in the "Firewall expert rules", correct? (otherwise, why would he name a rule OE rule (Rule 2) if you're putting the rule under the "Outlook" Program Expert rules, and not something like SMTP POP3 ACCESS?) If the rules for OE suggested in the above link are actually for the Firewall expert rules, then as I said before, I would be allowing any and all programs access to those rules (or to all my SMTP & POP3 servers), when I only want to allow Outlook, correct? And if not, and the above OE rules were meant to be put in the Program Firewall rules, then the bottom "block all" Firewall rule would never even look at the program rule. Several places in these forums I've seen a "block all" rule suggested (and I usually do this on all software firewalls). The question: am I correct in assuming the block all rule in the firewall expert rules would match and no program expert rules would be even looked at? I don't want to block "all programs", I want to allow certain programs certain access only and then block all other traffic from anywhere on my computer at the very end of all rules, no matter how they are read.
    That's why I'm asking / suggesting, by reading the program rules first, if there is a match, process it (allow only Outlook to go to the SMTP & POP3 servers I list), then read the firewall rules, blocking all other traffic. Not a chance I'd ever go into all of my thousands of programs and put a block all rule in them all! An example: I have an issue with embedded gif files, CID, and other spam techniques notifying spam senders I've looked at their messages, along with many other things. ((((Yes, I'm blocking Outlook from accessing HTML, etc. I'm aware of viewing email messages in plain text, but Word defaults to HTML if I try to open it (to send it to), preview opens in HTML as well. I don't let Outlook access "Use other programs to access the internet" (under Program Options, Security) and even turn off program interaction sometimes (but that sure screws up editing in Word, reading .pdf files, etc.). I know there is a patch from Microsoft for some of this and I don't want to go down that route for this discussion thread.)))) I think I should be able to allow a specific program only the ports and IPs I want, and still block all other traffic from anywhere after. Simply put, I only want to allow Outlook to access my SMTP and POP3 servers, but nothing else on the internet. Can I do that with ZAP? I don't think the Access (Trusted/Internet) or Server (Trusted/Internet) in the program control section gives me that much control, so I believe I have to use expert rules. In some of the posts I've seen the moderator or guru say they are emailing ZoneAlarm tech support (or Checkpoint); is this possible? Can you or anyone suggest a whole other way to accomplish this? Please bear in mind, Outlook is just an example, I have other programs I want tight controls on. By the way, I've got the security levels on the highest level in all areas of ZAP and IE, and have no "Trusted Zone".
    If there was an option to specify a single program as the source (instead of my computer) I'd simply put only Outlook in the trusted zone (even though I would not be able to allow other programs into the trusted zone, as they then would share permissions that Outlook was granted). In other firewall programs there isn't a separate firewall and program set of rules. There is something like another option in the "Firewall expert rules" that allows you to select ANY program or select a program (exe file) that can have that access. ANY IDEAS? Are my questions above correct?

    billc Guest

    Re: Firewall expert "Block all" rule blocks access before reading any Program expert rules?

    Let me see if I understand what you want to do which I believe you can. The Expert rules should take priority over the Program rules and be applied. To set program rules, you go to the Program Control > Program list, right click on the program, select 'options' then click on the Expert rule tab. There you can specifically name the IP or IP's to which a program has 'access', the protocol, etc. Once set, that rule should apply first and only to the program for which you set the rule.

    In your example, you could allow Outlook access only to your mail server Ip's by using Program Expert rules. You could do the same for other programs as you chose. Then in your Program list, just block all programs you wish to not have access at anytime to any IP. Is this helpful? Oh, you can indeed contact Zone Labs Technical Support .

    tjmachineman Guest

    Re: Firewall expert "Block all" rule blocks access before reading any Program expert rules?

    Thanks for the link to tech support! I looked on the web site but got some dead end links (i.e. live chat, etc). Been there, done that for a while now on your suggestion (allow some IPs etc. then block all on that specific program expert rule). As I stated earlier, I literally have probably 1000 programs I run, and would never take on the hassle of a block all rule for every one. You missed the biggest point, a Block all rule in the firewall expert rules, but I don't think I received a confirmation from anyone of what I believe is true, that once a block all on the firewall expert rules is matched, it doesn't even look at the program rules ((testing seems to confirm, however I'm going to go through Hoov's clean install again to ensure there isn't some old program **bleep** out there (due to viewing the logs and finding Outlook accesses that shouldn't be there even with the program block all rule)). And, I sure don't see how I could mess with the 12 Outlook Components to accomplish what should be an easy task. FYI, I'm not too worried about incoming traffic too much as I'm running dual Network Address Translation (192.x.x.x to a 10.x.x.x) on 2 different routers (one of them even set up with PAT (Port Address Translation)), with firewalls on both, behind the cable modem. My biggest wish list item for future versions: In the Firewall expert rules under "Source" you can select zones, IPs, hosts, groups, subnets, gateways, etc. All they would have to do is add "Programs" with a browse button to look up "my computer" and then allow the user to put in the .exe file like so many others (which would actually probably require a program redesign). Then put a block all rule at the end and you're done. If the user still wants to use all the other program options including program expert rules, that's fine. I'll give tech support a try... I'm still open to any other suggestions..?

    billc Guest

    Re: Firewall expert "Block all" rule blocks access before reading any Program expert rules?

    I had a thought. You could reset your database (thus clearing all program permissions) and then go to your Program Control > Main panel, click on the 'Advanced' button, then select the 'Always Block' option in both Access and Server. Then you can selectively unblock those programs you want and add an Expert rule. Would that work for what you're trying to do?

    tjmachineman Guest

    MY 8 KEY GUIDELINES Firewall expert "Block all" rule blocks access before reading any Program rules?

    Here is my take on it maybe this will help someone else.
    I'll use FWR for Firewall expert Rules & FW for FireWall (location: firewall tab on the left) and PR for Program expert Rule & PC for Program Control (location: program control, right click desired program, options). I'm leaving zone rules out of this.

    1. NEVER use Block all in the FW, since ZA reads FWRs first, no PR will ever be seen & ALL programs will be blocked that are not specifically given access in the FW rule. And the only way you'll ever know that is if your program is supposed to retrieve info off the web & doesn't, or you like to study the logs for blocked access (if you have your logs set up to log those specific events).

    2. NEVER put a block all PR by itself in PC, even if you put that program's allow rule in the FW. The block all PR will override the FWR allow rule.

    3. Blocking rules: ZA help states that a matched blocked rule in either place (FW or PC) blocks the traffic.
    "Expert rules and Zone rules together are enforced in tandem with Program permissions, if either your program permissions or Zone rules/expert firewall rules determine that traffic should be blocked, it is blocked"

    4. Don't use allow rules at all if you don't use a block all rule at the end, & since you should never use a block all rule in the FW, don't put allow rules in the FW --- only use allow PRs with a block all at the end. The only exception I can think of is if you want to allow only specific ports to an IP, and then block all ports to that IP globally. But why do that? Make the allow rule a PR and use a block all at the end to accomplish the same thing, easier and more robust, as the block all will not only block the rest of the ports to that IP, it will also block the rest of the traffic you don't want either.

    5. You can put your allow program rules in EITHER place (FW or PC) for general use or programs; they allow the same. However, allow rules put in FW for programs allow that same access to any other or potentially harmful script. (((EX: a hacker's ICMP/Ping response; if you allowed ICMP/Ping intended for DOS program use in your FW, everything else will be able to ICMP/Ping also))) BUT THEY ARE NOT NEEDED in the FW (or the PC without a block all) as ZA automatically sets access to allow everything the program needs to run. So, just allow it with a PR in PC for the DOS program, along with anything else you want, then put a block all rule.

    6. Redundancy REQUIRED with block all PRs (if you insist on using FW allows). No matter what is allowed in the FW rules, you have to put all the allows you need/want in the PRs AGAIN if you use a block all PR. (But remember - don't put allow rules in the FW.)

    7. Don't use rules to block a program, just make sure it has all red X's in PC.

    8. A red X all the way across in PC overrides everything (all rules) and denies access.

    Please advise if someone feels I'm not accurate on one of these.

    Bill, Re: Advanced Program settings "always deny" suggestion. That's kind of what I've done, but to play devil's advocate to my previous position, it is nice to get a prompt (using question marks) to allow new programs to run, especially if they have multiple executing files and you only list one of them in the rules, or allow only the executable you know of from that program. Can't have everything... An issue arises with the question marks, however, when my better half sits down at the computer (complaining about how her work computer never has this much of a problem going to web sites, etc.) and sees these little popups requesting permission, and of course she and others always select "allow". What gets me is some alerts default to "remember my decision" and even I have missed unchecking the box a few times.

    Is there a way to have the alerts default to not allow? Perhaps a Smart Defense setting? I haven't tested it yet.....

    On a different note, I received an alert that was blocked, ZA had resolved the IP to, but a reverse DNS, Sam Spade & resolved it to UUNET, BP Amoco?? Possible DNS spoofing?

    Merry Christmas
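    Added example (Python, not ZoneAlarm's code): a toy model of the evaluation order the eight guidelines above describe, so the effect of a "block all" in each place can be checked without touching the firewall. The semantics it encodes are taken from the thread and are assumptions, not a verified ZA implementation: firewall expert rules are consulted before program expert rules (guideline 1), a block matched in either place wins (guidelines 2 and 3), a red X in Program Control overrides every rule (guideline 8), and traffic with no matching block is allowed (the thread's note that ZA grants what a program needs by default). The mail server address and executable names are constructed placeholders.

```python
# Added illustration of the rule-evaluation order described in the thread.
# Not ZoneAlarm code: the ordering and precedence below are assumptions taken
# from the guidelines, not a verified ZA implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                 # "allow" or "block"
    dst: str = "any"            # "any" or a CIDR such as "203.0.113.10/32"
    port: Optional[int] = None  # None matches any port
    proto: str = "any"          # "any", "tcp" or "udp"

    def matches(self, conn: "Connection") -> bool:
        if self.dst != "any" and ip_address(conn.dst) not in ip_network(self.dst):
            return False
        if self.port is not None and conn.port != self.port:
            return False
        if self.proto != "any" and conn.proto != self.proto:
            return False
        return True


@dataclass
class Connection:
    program: str   # executable making the connection, e.g. "outlook.exe"
    dst: str       # destination IP
    port: int
    proto: str = "tcp"


def first_match(rules: List[Rule], conn: Connection) -> Optional[str]:
    """Rules are read top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return None


def evaluate(conn: Connection, fw_rules: List[Rule],
             program_rules: Dict[str, List[Rule]], red_x: Set[str]) -> Tuple[str, str]:
    """Return (decision, reason) for one outbound connection attempt."""
    # Guideline 8: a red X in Program Control denies regardless of any rule.
    if conn.program in red_x:
        return "block", "red X in Program Control"
    # Guideline 1: FW expert rules come first; a block here means the
    # program expert rules are never reached.
    if first_match(fw_rules, conn) == "block":
        return "block", "firewall expert rule"
    # Guidelines 2 and 3: a block in the PRs also wins, even over an FW allow.
    if first_match(program_rules.get(conn.program, []), conn) == "block":
        return "block", "program expert rule"
    # Assumption from the thread: nothing blocked it, so ZA lets it through.
    return "allow", "no block matched"


# Constructed sample: documentation-range address standing in for a mail server.
MAIL_SERVER = "203.0.113.10/32"
OUTLOOK_RULES = [
    Rule("allow", MAIL_SERVER, 25, "tcp"),    # SMTP
    Rule("allow", MAIL_SERVER, 110, "tcp"),   # POP3
    Rule("block"),                            # block all at the end of the PRs
]


def shadowed_by_fw_block_all() -> str:
    """Guideline 1: a block all in the FW hides the Outlook allow PR."""
    conn = Connection("outlook.exe", "203.0.113.10", 25)
    return evaluate(conn, [Rule("block")], {"outlook.exe": OUTLOOK_RULES}, set())[1]


def recommended_layout(program: str, dst: str, port: int) -> str:
    """Guideline 4: allows as PRs with a block all last, nothing in the FW."""
    conn = Connection(program, dst, port)
    return evaluate(conn, [], {"outlook.exe": OUTLOOK_RULES}, set())[0]


def pr_block_all_overrides_fw_allow() -> str:
    """Guideline 2: a lone block all PR wins over an FW allow for the same traffic."""
    conn = Connection("outlook.exe", "203.0.113.10", 25)
    fw = [Rule("allow", MAIL_SERVER, 25, "tcp")]
    return evaluate(conn, fw, {"outlook.exe": [Rule("block")]}, set())[1]


def red_x_wins() -> str:
    """Guideline 8: red X denies even when every rule would allow."""
    conn = Connection("outlook.exe", "203.0.113.10", 25)
    return evaluate(conn, [], {"outlook.exe": OUTLOOK_RULES}, {"outlook.exe"})[1]


if __name__ == "__main__":
    print(shadowed_by_fw_block_all())                             # firewall expert rule
    print(recommended_layout("outlook.exe", "203.0.113.10", 25))  # allow
    print(recommended_layout("outlook.exe", "198.51.100.7", 80))  # block
    print(pr_block_all_overrides_fw_allow())                      # program expert rule
    print(red_x_wins())                                           # red X in Program Control
```

    Running the script shows the case that prompted the thread (an FW block all shadowing a correct Outlook PR) beside the layout guideline 4 recommends, where Outlook reaches its mail server on 25/110 and everything else it tries is stopped by the trailing PR block all.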

    billc Guest

    Re: MY 8 KEY GUIDELINES Firewall expert "Block all" rule blocks access before reading any Program rul

    First, you might find Hoov's post on ZA servers to be informative as to what ZA is doing. I too looked at the IP and got Amoco too. If you got the IP right, I can't tell you. But I did ping and got this IP: So I'm not of much help, huh?

    Sorry but I don't know a way of getting a program alert and then let it default to deny.

    tjmachineman Guest

    Re: MY 8 KEY GUIDELINES Firewall expert "Block all" rule blocks access before reading any Program rul

    Ha! Did that yesterday, Hoov's post came in handy! I received the alert, wondered what was, did a Sam Spade, nslookup, and check on, on the IP the alert showed & all of them showed BP Amoco, so I went back into this forum, did a search to find out, saw Hoov's post, but still wondered why BP Amoco. So then I used all of the above tools to look up by name and none of them resolved to that IP... I've been messing with different DNS servers with better ping times (1/2 the time of my default) and wouldn't be surprised if one of the local universities didn't have some screwed up DNS info that ZA got.

    Actually these logs are driving me nuts with many issues!!

    -It's still randomly blocking perfectly good Outlook SMTP port 25 at random no matter what order I've got the DNS & SMTP/POP3 rules in. (FORGOT UDP in the rule)

    -I'm still having trouble getting used to all the different IPs IE hits, load balancing for large web sites I guess.

    -AND, every time the autolock kicks in I get massive hits by svchost.exe going to Counts of 59, 180, 300, 300, 300, 299 attempts in an hour. Haven't figured that one out yet... try to resolve that one.... IANA special use block? 239/8 IANA - Multicast, gotta figure that one out.. Under Firewall, Internet Zone Security, Custom, Internet zone the only thing checked is "Allow broadcast/multicast" which is what you get if you have the Internet zone security set to high. But why is stuff going there?

    More background... I'm running dual NATs/router firewalls (I get NO incoming ZA firewall alerts..., I can't believe I ever lived without hardware NAT), ZAP (latest ver), Norton SystemWorks, Spybot, SpywareBlaster, Watchdog, BHODemon with everything on the highest security, including IE & ZA, I run "CleanUp!" (awesome junk file cleaner that blows ZA's cache cleaner off this earth), etc.. and I'm STILL getting this **bleep**. (Yes, I've got all autoupdates on ALL programs including ZA turned off, as well as XP Pro, but do manual updates regularly, so I don't have to wonder whether traffic is from an autoupdate somewhere.)

