Monday 23 June 2003

Software firewalls [lurks]

When I was on cable, I basically put 'Wench' in the DMZ of a Netgear RP114 router. I had rules defined on the RP114 to block a number of ports. Now I'm looking for a more flexible and easier to maintain solution to use with my upcoming DSL replacement.
Basically I don't want to have to keep up on dodgy ports and plug in filters into the Netgear, I want to run a software firewall on Wench. Again it will remain in the DMZ of a Netgear router, this time the DG814 ADSL router.
Now, there's loads of these things about. I've just had a play with Zone Alarm and managed to get things to a state I'm happy with. The problem, however, is this. When Zone Alarm runs, it appears to disable all current servers access to whatever is defined as the Internet (right now, a dial-up connection). That means I have to manually shut down some servers (mail, ftp, web, auth etc) and re-run them for ZA to decide that they are trusted and grant access.
This is pretty naff really. Means if the box crashes and reboots when I'm not here, everything is fucked. Also can't work out how to make ZA properly minimize to the tray - it seems to insist on having a window open. All in all, looks like a good package for the price (free!) but it doesn't seem very industrial, so's to speak.
Anyone got any experience of doing this sort of thing with other software firewalls they'd care to share?

14 comments:

  1. I use Sygate Personal Firewall, works fine for me, and remembers the settings (if you want) for any application, so you can let it through once and thereafter it will still work after a reboot.

  2. Resolved some of the issues with ZA so far. My question is, if Wench is 192.168.0.2 on my LAN and the router is 192.168.0.1 - will it suffice to tell ZA that the 'Internet' zone is 192.168.0.1? I'm not entirely sure that's going to work. Psycho, that strikes me as par for the course with all personal firewalls surely? Sygate, isn't that free? Might be worth a look.

  3. Not sure what your problem is with restarting currently running servers - you can give applications permanent permission in ZA (programs tab) so this shouldn't be an issue after the first time. Permawindow - Just close the window to get rid of it. ZA remains active in the systray. AFAIK ZA treats all TCP traffic as 'internet zone' if it isn't defined as 'local zone' which can be checked/edited in security settings.

  4. This is a server, right. I don't want to have to kill all the server tasks and rerun them just to get Zone Alarm to give them access to the Net. That's what the problem is. Obviously I've worked out the 'programs tab' stuff, it's not exactly rocket science. In fact, ZA is more like play dough from what I've seen so far. If all traffic is Internet zone if it's not from a local (it calls this, trusted) then it should work nicely without me doing a thing. Just going to have a bash at Sygate now and see what that's like. Had a quick look at Sygate. I prefer the program remembering stuff over ZA but I can't seem to find anything in it that allows you to tell it a range of trusted IPs (the LAN). Went back to ZA for a monkey, confirmed my big issue with it. Things that load up first like Xitami, Mdaemon and my FTP server... all of these are busted right off the Net by ZA when it starts up. I need to manually kill and restart those to get them on the Net. That's fucking shit, quite frankly. So I'll probably uninstall ZA, try Sygate again and if that works properly stick with that.

  5. You using ZAPro? - I'm running that on my DMZ machine outside the DG814, and it installs as a service and protects my mailserver, web, ftp etc for access to my work domain only. They all boot together no probs...

  6. I've never tried Sygate with server style shit, but it is free, which works for me. Plus I prefer the more subdued colour scheme to ZA garish yellow etc. Erm, trusted IPs, hang on.
    Ok a quote from the help file: You can configure advanced security settings for each application on your application list by setting certain restrictions on which IPs and Ports an application can utilize.
    Not sure if that will do for you, but that's what it's got.

  7. ZA is a bit gaudy for sure. It's free also though, at least the standard one. Everyone is swearing by the pro version so I'm going to check that out. Regular ZA still has the serious issue of disabling all servers when it runs and it just doesn't work with ICS at all (a very short term problem for me). Sygate on the other hand, seemed to request net access for every poxy little Windows component going and still wouldn't let ICS work. So that's not high on my score card list right now, in fact it's uninstalled. ZA Pro will be tested tomorrow. Despite numerous clannies telling me the (well documented) problem doesn't exist, just enforcing the ZA 'True Vector' service as a dependency on the server services such as Mdaemon and Xitami did indeed fix the problem. I've warmed to ZA Pro considerably now, the fact it actually works with ICS in the mean time is the icing on the cake.

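The fix described in comment 7 (making each server service depend on the firewall service, so the Service Control Manager starts the firewall first and the servers never come up unprotected or get cut off) can be scripted rather than set by hand. This is an added example and not code from the original post or from Zone Labs. It assumes the TrueVector service is registered under the service name 'vsmon' (verify with sc.exe query and substitute the real name) and uses 'MDaemon' and 'Xitami' as placeholder service names for the mail and web servers; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Assumption: the ZoneAlarm
# TrueVector service is registered as 'vsmon'; check with 'sc.exe query vsmon'.
# 'MDaemon' and 'Xitami' are placeholder service names; confirm the real ones
# with Get-Service before running.
$firewallService = 'vsmon'
$serverServices  = @('MDaemon', 'Xitami')

foreach ($svc in $serverServices) {
    # Keep whatever the service already depends on: 'depend=' overwrites the
    # whole list rather than appending to it. @() guarantees an array even
    # when the service currently has no dependencies.
    $existing = @((Get-Service -Name $svc).ServicesDependedOn | ForEach-Object { $_.Name })
    $deps = @($existing) + $firewallService | Select-Object -Unique

    # sc.exe wants the list separated by '/' and a literal space after 'depend='.
    sc.exe config $svc depend= ($deps -join '/')

    # Confirm the firewall service now appears in the dependency list, so it
    # is guaranteed to be running before this server starts on the next boot.
    $check = @((Get-Service -Name $svc).ServicesDependedOn | ForEach-Object { $_.Name })
    if ($check -contains $firewallService) {
        Write-Output "$svc now starts after $firewallService"
    } else {
        Write-Warning "$svc dependency not set; check the service names"
    }
}
```

The dependency only affects start order; it does not stop the firewall service from being stopped later while the servers keep running, so it is worth pairing with a check that the firewall service is still running after boot.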
  8. So, being booted off Telewest for abuse and a sudden fascination with software firewalls. Are these two events connected in any way? :)

  9. Erm, if the fact I'm booted off Telewest and have to change router hardware is connected - then yes. Oddly enough there is not and never has been an open proxy on my system and ZA has turned up absolutely zero surprises. Thanks for the vote of confidence.

  10. Running Norton here, I had to fiddle with it less than ZA when I tried that.

  11. Despite advocating Zone Alarm, I was actually still on version 2.something, and I see it's on version 4. So I upgraded, and instantly had similar problems. Well I can't be arsed with service dependencies, what if something installs itself? Fuck that. So on the recommendation of someone on a local forum, I went for Kerio Personal Firewall (http://www.kerio.com). It's very nice. A fair bit more teccie than ZA, you get no red buttons and graphs and stuff. What you get when you fire it up is exactly what I want to see - a list of services that have ports listening or connected with the traffic info assigned to it. In use it's quite similar to zone alarm, but a little more flexible: you get a popup that something wants to access the internet, do you want to permit or deny it, and if you permit it, you've the option to set up a rule. The part I like over zone alarm is that this works both ways, that if something requests access coming in, you can set up a rule too, which is handy. It also knows when the machine's running ICS, so all that stuff happens too. Pleased with it so far, I'll report here if it fucks anything up.

    Oh, one thing I notice it does, is when you allow a rule, it opens the port to that process only. So you want to accept port 80 stuff for www, you allow port 80 to your webserver software, which is pretty neat. I can't find how to open a port completely though, which is a bit of a pain in the tits, or open a port without actually making the request.

  12. Opening ports for an application is what ZA does. What I don't like about ZA is that it doesn't tell you the ports involved unless they're on the little toolbar on the top of the GUI settings thing, but that only ever displays a couple for some reason. I would actually like to only open ports up for certain apps but I'd also like to deny a port for a particular app - for example Maildaemon refuses to start up with some services disabled, you have to do it by hand every boot. I'd rather just block the relevant ports and let it open them and bother me no more.
    I did look at that Kerio thing actually and it was pretty nuts and bolts exposed but that's exactly the sort of shit I prefer. Looked good. Right now though, I've got ZA Pro working after farting about with the dependencies. I'm not inclined to replace it unless it fucks me around.

  13. Old blogs. Don't they just rock. Anyway, recently got hacked off with ZA Pro, due to the lack of an ability to specify port access. I'm currently testing/debugging a reasonably comms heavy app for my course, and thus need a bit more flexibility than ZA has to offer. However, living in studentdom, I don't want to be leaving the network interface unguarded, so I had a look at the Windows Firewall that was added in the last service pack. Surprise of surprises, it's actually pretty fucking leet. It blocks everyone bar browsers/email/instant messaging apps by default. To allow comms through, you can either declare an exception on an app, in which case Windows will allow traffic through to that process on any ports it happens to be listening on, or you can give it specific TCP/UDP ports to listen on. The only downside is the inability to specify port ranges, but it's minor, all things considered. Microsoft in "security shit that works" shocker.

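The two kinds of Windows Firewall exception comment 13 describes (trust a process on whatever ports it listens on, or open one specific port) can be set from the command line with the XP SP2-era netsh firewall context, which makes them easy to review and remove once testing is done. This is an added example, not code from the original post or from Microsoft; the application path and port number are placeholders, and scope=SUBNET keeps the exception limited to the local network rather than the whole Internet, which is the setting a shared student network wants. The last line uses the later netsh advfirewall syntax (Vista and up), which does accept the port range the comment says XP's firewall cannot.

```powershell
# Added example, not from the original post. $app and $port are placeholders;
# use a path without spaces or quote it for netsh. Run from an elevated prompt.
$app  = 'C:\projects\commsapp\commsapp.exe'   # placeholder path to the app under test
$port = 5000                                  # placeholder TCP port it listens on

# 1. Per-application exception: any port this process listens on becomes reachable,
#    but only from the local subnet rather than from everywhere.
netsh firewall add allowedprogram "program=$app" "name=Course comms app" mode=ENABLE scope=SUBNET

# 2. Alternatively, open exactly one port instead of trusting the whole process.
netsh firewall add portopening protocol=TCP "port=$port" "name=Course comms app TCP $port" mode=ENABLE scope=SUBNET

# 3. Review what is open after every change; the exceptions list should only
#    contain things you can account for.
netsh firewall show config

# 4. Take the exceptions away again when testing is finished.
netsh firewall delete portopening protocol=TCP "port=$port"
netsh firewall delete allowedprogram "program=$app"

# Vista and later replaced 'netsh firewall' with 'netsh advfirewall', which does
# accept a port range (here 5000-5010) and a remote-address restriction.
netsh advfirewall firewall add rule "name=Course comms app range" dir=in action=allow protocol=TCP localport=5000-5010 remoteip=localsubnet
```

Prefer the single-port form where the application's port is known: the per-application exception opens every port the process binds, including any it happens to open during debugging.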
  14. Must have changed since 2003 :) in ZA, it's buried a bit: Program Control->Programs->(the one you want)->Options->Expert Rules->Add
