Zone Alarm expert rules



Does anyone know how to set up one of these?

What I want to be able to do is to allow local computers and printers to share files, but not leave myself and my files open to intrusion from the internet.


I don't know how to do this because both internet and local connections come from one source (the router). Can I do some kind of IP range filtering using a Zone Alarm expert rule or otherwise?

Thanks!


If you are using static IPs instead of DHCP, then you should be able to add the local IPs to your trusted area. I don't see much more that you can do, but I could be wrong.


To set static IPs:

- On the router: disable DHCP.

- On the desktops: go to your Local Area Network settings, and in the TCP/IP options uncheck 'Obtain an IP address automatically' and set the following:

IP Address: 192.168.2.x (NOT .1, as that'll most likely be the router's IP)

Subnet Mask: 255.255.255.0

Default Gateway: (the router's IP - 192.168.2.1)

Preferred DNS Server: 192.168.2.1

Alternative DNS: leave blank

Give each computer a different IP or you'll have issues!

I don't know about networked printers, as I've never really done them myself.


Um, you're behind a NAT router. How is it that you think your files are open to the public net? Did you put your machine into the DMZ of the router? Have you forwarded file-sharing ports to your machine? Or any ports for that matter?

You do understand that your router only allows unrequested inbound traffic when you have specifically forwarded that traffic? Have you done this? If not, then nothing from the internet is going to get to your machine unless it's in answer to something your machine has requested, i.e. the Neowin website, etc.

Not sure WTF setting your machine to static has to do with adding an IP range to your trusted zone in ZA either. All of your DHCP machines would get IPs from the DHCP scope, say 100-150. Add this range of IPs to your zone.

Only if you wanted to allow specific machines by IP would you need to worry about setting statics or reservations. For that matter, just do it by MAC in the ZA rules if you want to limit access to your machine to specific machines on your local network.

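The NAT behaviour described in the post above, as an added example that is not part of the thread and is neither ZoneAlarm's nor any router's code: a small stateful-NAT model in Python. Everything in it is constructed. The LAN 192.168.2.0/24 matches the thread; 203.0.113.7 and the 198.51.100.x hosts are RFC 5737 documentation addresses standing in for the router's public IP and for internet hosts.

```python
"""Toy model of a home NAT router's forwarding decision, added here as an example
(not ZoneAlarm's code and not any router's firmware). All addresses, ports and
forwarding entries are constructed; 203.0.113.0/24 and 198.51.100.0/24 are the
RFC 5737 documentation ranges standing in for "public" addresses."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Stateful NAT: outbound flows create translations; inbound packets reach the
    LAN only as replies to those flows, via an explicit port forward, or via a DMZ host."""

    def __init__(self, lan_net, wan_ip, port_forwards=None, dmz_host=None):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.wan_ip = wan_ip
        # (proto, wan_port) -> (lan_ip, lan_port): what the router's port-forwarding page holds
        self.port_forwards = dict(port_forwards or {})
        self.dmz_host = dmz_host
        # translation table: (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        self._next_port = 40000

    def outbound(self, pkt):
        """LAN host -> internet. Allocates a WAN port, records the flow, rewrites the source."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan_net:
            return ("drop", "source is not on the LAN side")
        wan_port = self._next_port
        self._next_port += 1
        self.table[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return ("forward", Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto))

    def inbound(self, pkt):
        """Internet -> router's WAN IP. A delivered packet keeps the remote's public
        source address; the LAN host never sees the router's own IP as the peer."""
        if pkt.dst_ip != self.wan_ip:
            return ("drop", "not addressed to this router")
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        if entry is not None and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            return ("forward", Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.proto))
        if key in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[key]
            return ("forward", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto))
        if self.dmz_host is not None:
            return ("forward", Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, pkt.proto))
        return ("drop", "unsolicited inbound: no matching flow, port forward or DMZ host")


def browse_then_probe(port_forwards=None, dmz_host=None):
    """Scenario: a LAN PC fetches a web page, then an internet host probes the WAN IP
    on TCP 445 (SMB). Returns ((ip, port) the reply was delivered to, probe result)."""
    router = NatRouter("192.168.2.0/24", "203.0.113.7", port_forwards, dmz_host)
    _, translated = router.outbound(Packet("192.168.2.10", 51000, "198.51.100.20", 80))
    reply = Packet("198.51.100.20", 80, "203.0.113.7", translated.src_port)
    _, delivered = router.inbound(reply)
    probe = router.inbound(Packet("198.51.100.99", 40123, "203.0.113.7", 445))
    return (delivered.dst_ip, delivered.dst_port), probe


if __name__ == "__main__":
    print(browse_then_probe())
    print(browse_then_probe(port_forwards={("tcp", 445): ("192.168.2.10", 445)}))
    print(browse_then_probe(dmz_host="192.168.2.10"))
```

Run it three ways: with nothing configured the web reply comes back to the PC and the SMB probe is dropped; with a port forward for 445 (or a DMZ host) the probe is delivered, and the packet the PC receives carries 198.51.100.99 as its source, not 192.168.2.1. That is why a trusted-zone entry for the router's address would make no difference to traffic from the internet.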

Ooh, never realised that ZA could add trusted zones by MAC addresses. In any case, that's probably the easiest option :D

I'm not a ZA user, so I couldn't tell what features it has.


Ooh, never realised that ZA could add trusted zones by MAC addresses.
Not sure if it does? But wouldn't any "firewall" worth using be able to block or allow by MAC? iptables does, and it's FREE. So even this pay version of this so-called great firewall does not? Hmmmm, I just looked at the manual, and I cannot find the ability to either block or allow based on MAC. WTF? Why does everyone think this is such a good product? It cannot even do a simple allow or deny based on MAC?

But the point of my post was not that he should do that anyway. What has me curious is why he thinks he needs to whitelist his local LAN machines but block his router for file sharing, when, unless he has forwarded ports or put his machine in the DMZ, there would be no file-sharing traffic coming from the internet.

And either way, even though it goes through the router, if he opened it, the IP address of the inbound traffic would be the public IP, not the router's IP.

There is clearly some lack of understanding of how NAT works, how routing in general works, and what the router is doing to start with. From a command line, do a netstat -an. What IPs does it show you're connected to? When you go to Neowin, does it say you're talking to your router's IP or Neowin's public IP?

Unless he needs/wants to block or allow on a per-machine basis on his local LAN, I'm not sure why there is the question in the first place. He could allow the whole 192.168.x.x network in his trusted zone; then any machine on his private LAN could access his machine. Or he could just put in whatever the range of his router's DHCP scope is, etc.

Only if he wanted to allow or block specific machines on his local network would he have to worry about static IPs, etc., since his chosen firewall product does not support any type of MAC filtering, from what I can tell.

But the impression I got from the post is that he wants to allow his local machines, "all of them", to use file sharing and print sharing, but not the internet. Static IPs have NOTHING to do with that.

I just think there is a lack of understanding of how NAT works is all.

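The netstat -an check and the trusted-zone ranges mentioned in the post above, as an added example (my own code, not ZoneAlarm's): it parses a constructed Windows-style netstat listing, flags which peers are RFC 1918 addresses, and evaluates a trusted zone entered either as the router's DHCP scope range or as the whole 192.168.0.0/16. 198.51.100.20 is an RFC 5737 documentation address standing in for a public web server.

```python
"""Added example (not ZoneAlarm code): read `netstat -an` output, show that the
peers are the real remote addresses rather than the router, and evaluate a
ZoneAlarm-style Trusted Zone (hosts, an IP range, or a subnet) against them.
NETSTAT_SAMPLE is a constructed Windows-style listing."""
import ipaddress
import re

# RFC 1918 ranges checked explicitly rather than via ipaddress's is_private,
# which also treats the RFC 5737 documentation addresses used here as non-public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.2.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.2.10:445       192.168.2.23:49211     ESTABLISHED
  TCP    192.168.2.10:51032     198.51.100.20:80       ESTABLISHED
  TCP    192.168.2.10:51040     198.51.100.20:443      TIME_WAIT
  UDP    192.168.2.10:137       *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per socket line; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({"proto": m.group(1), "local": m.group(2), "lport": m.group(3),
                     "foreign": m.group(4), "fport": m.group(5), "state": m.group(6) or ""})
    return rows


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class TrustedZone:
    """Mirrors what a ZA zone list lets you enter: single hosts, start-end IP ranges,
    and subnets. Anything not matched is treated as the Internet zone."""

    def __init__(self):
        self.hosts, self.ranges, self.subnets = set(), [], []

    def add_host(self, ip):
        self.hosts.add(ipaddress.ip_address(ip))

    def add_range(self, start, end):
        self.ranges.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))

    def add_subnet(self, cidr):
        self.subnets.append(ipaddress.ip_network(cidr))

    def contains(self, ip):
        a = ipaddress.ip_address(ip)
        return (a in self.hosts
                or any(lo <= a <= hi for lo, hi in self.ranges)
                or any(a in n for n in self.subnets))


def classify_peers(text, zone):
    """For each socket that has a peer, report (peer, is RFC 1918, zone it falls in)."""
    out = []
    for row in parse_netstat(text):
        if row["foreign"] in ("0.0.0.0", "*"):
            continue  # listening / unconnected sockets have no peer
        out.append((row["foreign"], is_rfc1918(row["foreign"]),
                    "trusted" if zone.contains(row["foreign"]) else "internet"))
    return out


if __name__ == "__main__":
    scope = TrustedZone()
    scope.add_range("192.168.2.100", "192.168.2.150")  # the router's DHCP scope
    for peer in classify_peers(NETSTAT_SAMPLE, scope):
        print(peer)
```

Two things the output makes visible: the router (192.168.2.1) never shows up as a peer, and the web server's public address does, exactly as the post says. It also shows the one caveat with entering only the DHCP scope: a LAN host that sits outside that range (192.168.2.23 here, say a statically addressed box) lands in the Internet zone, whereas a 192.168.0.0/16 entry trusts every private LAN host while still leaving the public peer untrusted.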

You do understand that your router only allows unrequested inbound traffic when you have specifically forwarded that traffic? Have you done this? If not, then nothing from the internet is going to get to your machine unless it's in answer to something your machine has requested, i.e. the Neowin website, etc.

Not sure WTF setting your machine to static has to do with adding an IP range to your trusted zone in ZA either. All of your DHCP machines would get IPs from the DHCP scope, say 100-150. Add this range of IPs to your zone.

Only if you wanted to allow specific machines by IP would you need to worry about setting statics or reservations. For that matter, just do it by MAC in the ZA rules if you want to limit access to your machine to specific machines on your local network.

Thanks BudMan, I was hoping you'd see this thread!

This has cleared a lot of things up in my mind for me. I did not know (as a networking noob :blush:) that the router functioned like that.

As I have not mucked around with DMZ or port sharing, I can now just set the status of the network connection to trusted in Zone Alarm and not be open to the whole wide world as I previously thought! Thank you very much, I can now start my ambitious (well, in my eyes :D) media streaming project!

Edit:

There is clearly some lack of understanding of how NAT works, how routing in general works, and what the router is doing to start with
Yup :blush:

BTW, your avatar should read: Network extraordinaire!


Um, you missed a lot of the point in BudMan's post. Why do you even bother running Zone Alarm? You are behind a NAT router, and no unrequested traffic will get from the internet to your computer, simply because of how NAT works.


I run ZoneAlarm as I use it for antivirus and program control (ZoneAlarm uses the Kaspersky engine); the firewall is a bonus.


Bonus? Some bonus: unneeded software running, making life harder when setting up your network and consuming system resources.

Real good bonus you got there.


Bonus? Some bonus: unneeded software running, making life harder when setting up your network and consuming system resources.
:laugh: heheheh, I would agree. "Bonus"???

I wonder if you can turn off the firewall portion and just use the virus scanning? Anyway, there have been enough threads about running firewalls behind NAT routers on a private LAN, etc. It's been done to DEATH!! I sure as hell don't want to get that going again. People are going to do what they are going to do. :rolleyes:

If he was wanting to block some of the machines, or just allow some, or there were machines not under his control, etc., then there would be a use. Or, as he has said, if he uses it to control programs' outbound access, then he has a use for it. I just do not get the point of blocking network access for programs that you're clearly running on purpose. The only use for this to me seems to be circumvention of something the program is doing, licensing, etc., or tinfoil hat syndrome about what the program might phone home with.

But your statement pretty much sums up my view on the subject as well ;)


I did consider trying to turn off the firewall portion of the program, but with it goes the program control, which I find very useful.


I don't advise you to run your server in the DMZ and have DHCP turned on. Doing that pretty much opens your LAN to any attacks. This means you have to assign your computer a static IP. On top of that, you should disable NetBIOS on your LAN.

But you can always do what BudMan suggested, which is much easier for any computer to hook up to your internet and get the internet right away. Easy way, but not as secure.


But you can always do what BudMan suggested, which is much easier for any computer to hook up to your internet and get the internet right away. Easy way, but not as secure.
:blink: Huh?? What did I say that would be less secure? To run DHCP? Or to put his DHCP scope into his trusted zone, since he wants to share with his local machines?

Who said anything about putting a machine into his DMZ? He was asked if he had done this! Let's say he did have a machine in the DMZ; WTF would that have to do with running DHCP on the same network opening up his whole LAN to attack?

Your post makes no sense.

Please point out what I said that in any way whatsoever would affect the security of his local LAN!

As to turning off NetBIOS on his local LAN? WHAT? WTF do you think that accomplishes, other than making it harder for him to access his own machines?


DHCP allows you to have a scope for your network. Disabling DHCP on your router would not allow you to configure a scope. Disabling DHCP on your router is much more secure, and hence you have to use static IPs.

I was not saying that you told him to put his computer in the DMZ. I said that it's not advisable to do so because he mentioned DMZ and said he "did not muck" with it or something. I was suggesting he not go there.

You mentioned he'll get a "DHCP scope" from the IP range in the scope. This works nicely of course, but it's not very secure. I was only saying that DHCP is not a very secure way to do LAN networking. I don't believe I mentioned anything about a flaw in your networking. I was suggesting a more secure way.


Well shoot, I should bring this up at work. Maybe we should turn off DHCP across the enterprise, since it's more secure to be static. We will just turn off DHCP and set up static IPs for the tens of thousands of devices across the globe. :rolleyes:

Maybe ISPs should just give out statics to all users, since DHCP is not secure?

For real now: how exactly do you feel this increases the security of his private LAN, going static vs using DHCP to hand out addresses to machines? I second the question. Please explain; please point to some legit whitepapers that suggest this! So 802.11i states you should turn off DHCP to make your wireless network more secure? ;)

What exactly do you feel it accomplishes, other than more work for the person trying to manage the machines on his network? Sure, static is fine if you have a couple of machines, or you want a machine to always have the same one, say a server or for port forwarding reasons, etc. I have some static devices on my local home network. But I also have DHCP running so I can easily add a machine I need to work on, for the laptops, etc.

Going static on a fixed machine is one thing, but on a laptop, now if he changes networks (school, work, Starbucks) it just becomes more overhead trying to switch between these other networks when he has set up his machine to be static. He either needs to switch between static and DHCP, etc., etc. Please do explain how this extra overhead is justified by the added security of turning off DHCP.

If you are worried about machines getting IPs that are not authorized to do so, then turn on port security on your network, i.e. 802.1X.

I find it unlikely someone will be coming into his house and plugging into his network directly, so I assume you think turning it off makes his wireless access more secure. Let me guess: you've also got your SSID not broadcasting, and you believe MAC filtering is a means of stopping hackers vs just access control? ;)

http://blogs.zdnet.com/Ou/index.php?p=43

The six dumbest ways to secure a wireless LAN

#4

Disable DHCP: This is much more of a waste of time than it is a security break. DHCP allows the automatic assignment of IP addresses and other configurations. Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn't know what they're talking about.

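The quoted article's claim that the IP scheme of a network can be worked out in seconds, as an added example (my own code, not from the thread or the article): a few constructed tcpdump-style ARP request lines are enough to recover the subnet, the gateway and an unused address, which is all a host needs to join a LAN with DHCP switched off. The capture is constructed, and rounding the inferred prefix out to /24 is my assumption about typical home LANs, not something the thread states.

```python
"""Added example: infer a LAN's addressing scheme from broadcast ARP traffic.
ARP_SAMPLE is a constructed tcpdump-style capture. The "widen to /24" rule in
smallest_common_network is an assumption about typical home LANs."""
import ipaddress
import re
from collections import Counter

ARP_SAMPLE = """\
ARP, Request who-has 192.168.2.1 tell 192.168.2.37, length 28
ARP, Request who-has 192.168.2.1 tell 192.168.2.118, length 28
ARP, Request who-has 192.168.2.23 tell 192.168.2.37, length 28
ARP, Request who-has 192.168.2.1 tell 192.168.2.23, length 28
ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:55, length 28
"""

WHO_HAS = re.compile(r"who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")


def parse_arp(text):
    """Return (target, sender) pairs from ARP request lines; replies are ignored."""
    return [(m.group(1), m.group(2)) for m in map(WHO_HAS.search, text.splitlines()) if m]


def smallest_common_network(addresses, max_prefix=24):
    """Smallest network containing every observed address, never narrower than
    /max_prefix because home LANs are almost always cut at /24 (assumption)."""
    addrs = sorted(ipaddress.ip_address(a) for a in addresses)
    lo, hi = addrs[0], addrs[-1]
    for prefix in range(max_prefix, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net


def infer_scheme(text):
    """Live hosts are every sender and target; the address everyone keeps asking
    for is almost certainly the default gateway."""
    pairs = parse_arp(text)
    if not pairs:
        raise ValueError("no ARP requests seen")
    live = {ip for pair in pairs for ip in pair}
    gateway, _ = Counter(target for target, _ in pairs).most_common(1)[0]
    return {"network": smallest_common_network(live),
            "gateway": ipaddress.ip_address(gateway),
            "live": live}


def pick_free_address(scheme):
    """First usable host address nobody has been seen using. A careful joiner would
    also ARP-probe the candidate before configuring it; that step is omitted here."""
    taken = {ipaddress.ip_address(ip) for ip in scheme["live"]} | {scheme["gateway"]}
    for host in scheme["network"].hosts():
        if host not in taken:
            return str(host)
    return None


if __name__ == "__main__":
    scheme = infer_scheme(ARP_SAMPLE)
    print(scheme["network"], scheme["gateway"], sorted(scheme["live"]))
    print("free:", pick_free_address(scheme))
```

With the sample above it comes back with 192.168.2.0/24, gateway 192.168.2.1 and 192.168.2.2 as a free address; no DHCP server was consulted at any point. The only controls that actually keep an unwanted host off the wire are the ones BudMan names: 802.1X port security on the switch, or proper wireless authentication.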
