
Thread: http://support.microsoft.com/kb/316414 This 2007-dated kb...

  1. #1
    zaswing Guest


    http://support.microsoft.com/kb/316414

    This 2007-dated KB item says to kill ZA if you use ICS and try to ping devices on your own, internal network. What if the same error occurs but THERE IS NO ICS of any kind? Just trying to ping things fails for me. Are they kidding or is this for real? ZA Pro 5.5.

    Message Edited by zasuiteuser on 08-08-2008 08:25 PM

  2. #2
    Join Date: Dec 2005
    Posts: 9,056

    Re: http://support.microsoft.com/kb/316414 This 2007-dated kb...

    In order for the usual pings (ICMP type 8 request and ICMP type 0 reply) to take place, to the local area network or to any network, these must be enabled or allowed to use ICMP (Any) in the Application Experts:

    cmd.exe
    ping.exe
    svchost.exe
    explorer.exe
    userinit.exe
    winlogon.exe
    services.exe
    (did I miss any items?)

    (in addition, consider these as well, although not necessarily needed)
    lsass.exe
    rundll32.exe
    csrss.exe
    lsass.exe
    mmc.exe
    smss.exe

    For internal ICMP pings (the strictly internal localhost address and not any external connections), this is needed:
    Either the Loopback address (127.0.0.1) is Trusted in the Zones OR an Expert rule in the Firewall with loopback Source and loopback and zero octet (0.0.0.0) Destination with Any TCP & UDP and ICMP allowed. But the Application expert must still be used, or use the ZA default auto configuration.


    Consider that the individual programs in the application expert can be controlled for ICMP. Not just the items listed above, but also the internet applications such as updaters, browsers, IMs, etc.


    For external ICMP pings this is generally needed:
    The Expert Rules of the Firewall should allow for the ICMP type 8 "Request" outgoing to Any Destination and My Computer Source.
    This should be followed by another Expert rule in the Firewall for the ICMP type 0 "Reply" to My Computer Destination and Any Source.
    This would be a general rule set and would work for anywhere or any place.
    This approach would allow outgoing pings and receive the reply, but still drop unwanted incoming pings.

    This can be further enhanced or tightened up/tweaked by splitting the pings into the two usual zones or two separate sets:

    1) One set for the trusted zone or a defined/specific range such as the local area network. And for some users with a dialup/DSL modem with no NAT, including the usual DHCP and DNS servers of the provider's network.

    2) Another set specific to the internet or internet zone. (This assumes there is no host server or sharing of any kind.)


    Rule set idea for the 1) types:

    Allow both directions (incoming and outgoing) of both the Request (8) and the Reply (0) for the Source and the Destination of both My Computer and the Trusted Zone (or a predefined range such as 192.168.0.0 to 192.168.255.255, for example). And of course add in the DNS and DHCP servers of the provider for dialup/non-NAT DSL modems.
    This allows for both incoming and outgoing pings and the replies. Pings are allowed both incoming and outgoing for a LAN and by certain providers for dialup/certain DSL users.

    Rule set idea for the 2) types:

    Similar to the general rule that was first suggested at the beginning of the post, but change the Any to Internet:
    The Expert Rules of the Firewall should now allow for the ICMP type 8 "Request" outgoing to Internet Destination and My Computer Source.
    This should be followed by another Expert rule in the Firewall for the ICMP type 0 "Reply" to My Computer Destination and Internet Source.
    This approach would allow outgoing pings and receive the reply, but still drop unwanted incoming pings from the Internet - some stealth and privacy/protection is provided (even though this does break the usual practices of the internet).


    ICMP type 11 or Time Exceeded is generally allowed just outgoing. Used for tracert (tracert.exe should be in the ZA Program list too, or manually added). Also used when an internet address is out of reach.
    Again, in some instances this should be allowed incoming, such as for some providers of dialup/certain DSL users or for users with a host server/p2p usage.


    ICMP type 3 or Destination Unreachable is generally just for outgoing.
    Used with attempts at re-establishing slow DNS connections or failed UDP connections to the DNS server's remote port 53.
    And for the message that an internet address is not available. Example: ping or tracert an unresponsive/off-line web server and the ICMP answer is a destination unreachable or "not available at the moment and do not bother to try to talk to me again". In which case the incoming destination unreachable is needed.
    Incoming destination unreachable is needed also for p2p and host servers.

    Both the Time Exceeded and the Destination Unreachable can be customized to the needs.
    The advice is just general advice - situations such as a VPN or other specific networking will usually additionally require these to be allowed for both incoming and outgoing and for the specific ranges/IPs involved.


    What's left?
    arp.exe and ipconfig.exe to be added to the ZA program list.

    Oldsod

    Message Edited by Oldsod on 08-09-2008 12:25 AM
    Best regards.
    oldsod
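As an added example (not from the post, and not ZoneAlarm's own rule engine), the two rule sets Oldsod describes modelled as an ordered, first-match policy and evaluated against constructed ICMP packets: trusted-zone pings and replies both ways, Internet-zone pings outgoing with their replies only, Time Exceeded and Destination Unreachable outgoing only. The host address and the 192.168.0.0/16 trusted range are constructed, and dropping any ICMP that matches no rule is an assumption standing in for the firewall's default.

```python
from ipaddress import ip_address, ip_network

# ICMP types discussed in the post
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Constructed: the protected host and the example trusted range from the post
MY_COMPUTER = ip_address("192.168.0.10")
TRUSTED_RANGE = ip_network("192.168.0.0/16")  # 192.168.0.0 - 192.168.255.255

# Zones as predicates over an address; "Internet" is everything outside the trusted range
ZONES = {
    "My Computer": lambda a: a == MY_COMPUTER,
    "Trusted": lambda a: a in TRUSTED_RANGE,
    "Internet": lambda a: a not in TRUSTED_RANGE,
    "Any": lambda a: True,
}

# Expert rules as (icmp type, source zone, destination zone), evaluated top-down.
# Every rule here is an allow; anything unmatched is dropped (assumed default).
RULES = [
    # Set 1: trusted zone, request and reply in both directions
    (ECHO_REQUEST, "My Computer", "Trusted"),
    (ECHO_REPLY, "Trusted", "My Computer"),
    (ECHO_REQUEST, "Trusted", "My Computer"),
    (ECHO_REPLY, "My Computer", "Trusted"),
    # Set 2: internet zone, outgoing request and its reply only
    (ECHO_REQUEST, "My Computer", "Internet"),
    (ECHO_REPLY, "Internet", "My Computer"),
    # Time Exceeded and Destination Unreachable: outgoing only
    (TIME_EXCEEDED, "My Computer", "Any"),
    (DEST_UNREACHABLE, "My Computer", "Any"),
]


def decide(icmp_type: int, src: str, dst: str) -> str:
    """Return 'allow' if the first matching rule permits the packet, else 'drop'."""
    s, d = ip_address(src), ip_address(dst)
    for rule_type, src_zone, dst_zone in RULES:
        if rule_type == icmp_type and ZONES[src_zone](s) and ZONES[dst_zone](d):
            return "allow"
    return "drop"


if __name__ == "__main__":
    # Constructed traffic: 198.51.100.7 / 203.0.113.5 are documentation addresses
    print("outgoing ping to Internet:", decide(ECHO_REQUEST, "192.168.0.10", "198.51.100.7"))
    print("its reply:                ", decide(ECHO_REPLY, "198.51.100.7", "192.168.0.10"))
    print("unsolicited Internet ping:", decide(ECHO_REQUEST, "203.0.113.5", "192.168.0.10"))
    print("router pinging this host: ", decide(ECHO_REQUEST, "192.168.0.1", "192.168.0.10"))
    print("incoming unreachable:     ", decide(DEST_UNREACHABLE, "198.51.100.7", "192.168.0.10"))
```

The last case shows the trade-off the post mentions: with type 3 allowed outgoing only, an incoming Destination Unreachable from the Internet is dropped, which is why p2p or host-server setups need an extra incoming rule.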

  3. #3
    zaswing Guest

    Re: http://support.microsoft.com/kb/316414 This 2007-dated kb...

    It's all fixed now.
    Thank you for this very comprehensive reply. More lesson than I ever expected, and what a lesson it is.
    I meet all your requirements (not all suggested applications, but that wasn't needed).

    Attribute my troubles to user error where I goofed big time:
    (1) A network range which happened to include my router was blocked.
    (2) When that got fixed, DNS resolutions failed, because I forgot that this computer I played with didn't have OpenDNS in the TCP/IP properties, all out of sync; and beforehand, due to (1), pings were failing of course.

    Thanks again! Without ZA logs and your help I'd still be scratching my head.
