
Thread: localhost loopback network is part of the internet

  1. #1
    dorianmuthig Guest

    localhost loopback network is part of the internet

    I have a program that runs as a service and a client that connects to that service to control it. The client accesses the service using the local loopback adapter at 127.0.0.0 and ZoneAlarm says the program wants to connect to the internet. The loopback adapter is part of the local network.
    I would rather not allow "the internet" to access either the service or have the client access "the internet" because 127.0.0.1 is treated as an internet address.
    ZoneAlarm should always treat the following address ranges as local by default, they're never internet addresses:

    192.168.0.0
    10.0.0.0
    127.0.0.0
    Whichever network mask the network adapter is set to

    I'm not yet that much familiar with IPv6 and I haven't tested that one, but ::1 should also be part of the local network, if it isn't.

    Also, the local IP and the loopback addresses should always be part of the trusted zone, I've never heard of 127.0.0.1 or ::1 to lead to another machine, unless a forwarding service is running at the particular port (which would need to be granted trusted and/or internet access first).

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Re: localhost loopback network is part of the internet

    Hi!

    I am not sure I understand your problem. Those addresses mentioned (192.xx, 10.xx, 127.xx) are never reachable from the outside and they are usually assigned to your LAN depending on your configuration.

    Contrary to many solutions out there ZA does differentiate between localhost/trusted/Internet giving you the option to set it at your wish. You will define what is trusted and what is internet. Normally at install ZA automatically adds your PC IP (127.0.0.1) to the trusted zone. The definition of "local" as you define it is not a necessary or considered variable linked to the functioning of ZA. ZA is designed with trusted and internet zones.

    If you receive a warning about a program wanting to access the internet zone you have, most likely, not assigned to that address or block of addresses the status as TRUSTED, otherwise it should have said that the program is trying to access to your trusted zone (i.e. trusting a single IP does not entail the trusting of all the IPs in that block).

    Not sure this is answering your question. If not, feel free to contact the ZA technical support. They may be able to better explain it to you.

    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    dorianmuthig Guest

    Re: localhost loopback network is part of the internet

    Quote: Originally Posted by fax
    I am not sure I understand your problem. Those addresses mentioned (192.xx, 10.xx, 127.xx) are never reachable from the outside and they are usually assigned to your LAN depending on your configuration.
    They would be reachable on the local network, say in a coffee shop, if I were to click "allow" when asked, just like most users would, or the application wouldn't work if I clicked "deny".

    Quote: Originally Posted by fax
    Normally at install ZA automatically adds your PC IP (127.0.0.1) to the trusted zone. The definition of "local" as you define it is not a necessary or considered variable linked to the functioning of ZA. ZA is designed with trusted and internet zones.
    I just installed it on a newly set up machine, and it doesn't do that. It asks, if the connected network is part of the trusted zone or not. The loopback adapter is not included into the trusted zone by default. It however should. Including IPv6 addresses, hosts or ranges isn't possible.

    Quote: Originally Posted by fax
    If you receive a warning about a program wanting to access the internet zone you have, most likely, not assigned to that address or block of addresses the status as TRUSTED, otherwise it should have said that the program is trying to access to your trusted zone (i.e. trusting a single IP does not entail the trusting of all the IPs in that block).
    I'm completely aware of the manual configuration part, it's just that treating IP addresses that can never be internet addresses as such shouldn't even be possible, since it could lead users that aren't aware of the fact that by allowing internet access via the buttons in the popup dialog they are allowing everything and not just access to that local IP, for which the firewall thinks is on the internet. There are trusted address ranges, untrusted internet addresses and untrusted local addresses. Trusting the internet also trusts the local network.

    This isn't particularly a support issue, it's something that should be fixed with the next version of the software, because this flaw can easily lead inexperienced users to misconfigure the firewall.
    Last edited by dorianmuthig; November 26th, 2010 at 04:12 AM.

  4. #4

    Re: localhost loopback network is part of the internet

    Quote: Originally Posted by dorianmuthig
    They would be reachable on the local network, say in a coffee shop, if I were to click "allow" when asked, just like most users would, or the application wouldn't work if I clicked "deny".
    Yes, correct. I think it may help if you could think about the ZA Internet zone as "UNtrusted". This may simplify your confusion on Internet, local, etc...

    Quote: Originally Posted by dorianmuthig
    I just installed it on a newly set up machine, and it doesn't do that. It asks, if the connected network is part of the trusted zone or not. The loopback adapter is not included into the trusted zone by default. It however should. Including IPv6 addresses, hosts or ranges isn't possible.
    Yes, normal. At every new clean install you will get a pop-up to ask you where to place the network you are connecting to. If you trust the network then you choose TRUSTED if not Internet. In the case of the coffee shop you will allocate it to the internet (=UNtrusted). You may want to look for the on-line instruction where this is explained clearly. Also the pop-up gives some explanations.

    Yes, 127.0.0.1 is normally added to the trusted zone. Don't know why it is not in yours.

    Quote: Originally Posted by dorianmuthig
    it's just that treating IP addresses that can never be internet addresses as such shouldn't even be possible
    This is because you mix ZA "Internet zone" with Internet. Think instead about trusted and UNtrusted locations. These addresses can never be internet but they can be trusted or untrusted. Also you are mixing up network access trusting/untrusting with program having access to certain IPs. Allowing the X program to access the internet zone (untrusted) does not mean the internet can access your system.

    Quote: Originally Posted by dorianmuthig
    This isn't particularly a support issue, it's something that should be fixed with the next version of the software, because this flaw can easily lead inexperienced users to misconfigure the firewall.
    I am afraid I fail to see anything to fix and you don't need to convince me about it. But if you think so you should direct yourself to ZA technical support and report it. We are all users here.

    Thanks,
    Fax


  5. #5
    dorianmuthig Guest

    Re: localhost loopback network is part of the internet

    You don't see anything to fix? Seriously?

    It's simple: A newly installed ZA only includes the local network of the network adapters in the system into the trusted zone, after you select this in the window that says a new network has been detected. This could be 192.168.101.0 with subnet 255.255.255.0.

    A client program tries to access the locally installed service at 127.0.0.1:random but fixed port.

    A notification popup shows asking if you want to allow application to access the internet.

    If you select no (deny) your application won't work.
    If you select yes (allow) your application is allowed to access the internet (all addresses) and if that application was a server application, you are now vulnerable to attackers on an open wifi network, should you choose to use one later, because the application was allowed internet access (which overrides the untrusted network zone), even though this was not required. An inexperienced user may not be aware of this.

    Again, ZA should not allow inexperienced users to grant internet access for accessing non-internet IP ranges, but instead add the ranges to the trusted zone on demand.
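
Added example (not part of the thread, and not ZoneAlarm's actual logic): a minimal Python model of the zone decision argued for in post #5, where a destination is matched against the narrowest zone first so that a loopback connection never needs an internet-zone grant. It goes beyond the ranges listed in post #1 by also covering 172.16.0.0/12, link-local and IPv6 local ranges, and IPv4-mapped loopback; the zone names and the functions `classify` and `listener_exposed` are assumptions made for illustration.

```python
import ipaddress

# Ranges that are never routed on the public internet.
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7")]                                       # IPv6 unique local

def _parse(text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6 objects have it
    return mapped if mapped is not None else addr

def classify(dest, trusted_networks=()):
    """Return the narrowest zone (hypothetical names) that covers `dest`."""
    addr = _parse(dest)
    if any(addr in net for net in LOOPBACK):
        return "loopback"            # never leaves the machine
    if any(addr in ipaddress.ip_network(n) for n in trusted_networks):
        return "trusted"             # user explicitly trusted this subnet
    if any(addr in net for net in LOCAL_ONLY):
        return "local-untrusted"     # e.g. coffee-shop LAN
    return "internet"

def listener_exposed(bind_addr):
    """True if a socket bound to `bind_addr` can accept non-loopback peers."""
    return classify(bind_addr) != "loopback"   # 0.0.0.0 and :: are exposed

if __name__ == "__main__":
    trusted = ["192.168.101.0/24"]   # subnet mentioned in post #5
    # Constructed sample destinations, not taken from any real log.
    for dest in ("127.0.0.1", "127.8.9.10", "::1", "::ffff:127.0.0.1",
                 "192.168.101.7", "10.0.0.5", "172.20.1.1", "203.0.113.9"):
        print(f"{dest:18} -> {classify(dest, trusted)}")
    for bind in ("127.0.0.1", "0.0.0.0", "::"):
        print(f"bind {bind:13} exposed={listener_exposed(bind)}")
```

A service that only needs a local control client passes the `listener_exposed` check when it binds to 127.0.0.1 or ::1, which keeps it unreachable from an open Wi-Fi network regardless of how the firewall prompt is answered.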

  6. #6

    Re: localhost loopback network is part of the internet

    Last try.... Again you don't have to convince me. You need to report to ZA staff if you think there is a problem.

    ZA does not by default allocate the network to the trusted zone (your 192.168.../255...). Notification should appear for 127.0.0.1 as trusted not internet (bad configuration). Allowing 127.0.0.1 does not allow all addresses, moreover the application must have server rights to the internet to do that.

    Cheers,
    Fax


  7. #7
    dorianmuthig Guest

    Re: localhost loopback network is part of the internet

    Quote: Originally Posted by fax
    ZA does not by default allocate the network to the trusted zone (your 192.168.../255...).
    Yes, I know, it asks and that's ok that way.
    Quote: Originally Posted by fax
    Notification should appear for 127.0.0.1 as trusted not internet (bad configuration).
    As said, it doesn't. It only asks for the local network you're connected to. And even though, I remember it doing that for different wifi networks as well, (like 7 years ago) it doesn't do that anymore, either.
    Quote: Originally Posted by fax
    Allowing 127.0.0.1 does not allow all addresses, moreover the application must have server rights to the internet to do that.
    But that's what it does, by default. This is bad.

  8. #8

    Re: localhost loopback network is part of the internet

    Hi!

    I am afraid but we are talking but not communicating... what you are reporting is unclear and unsubstantiated. But no use to insist here; better to follow up directly with ZA technical support, they may be able to help you.

    Thanks,
    Fax
    Last edited by fax; November 26th, 2010 at 05:21 AM.
