Re: Software/Hardware firewall interaction?

Good question. The answer is that the log records will be identified
with the router's LAN IP address (probably 192.168.1.1). By contrast,
packets arriving from the Internet will be identified with the remote
IP addresses from which they originated. Although they pass through
the router, they don't originate within the router, and packet header
information distinguishes them from each other as well as from log
records.

All of those addresses are in the packet headers, and are passed along
to your computer, along with the information in their packets.

If a malicious remote site "spoofs" (falsifies) the address in the
header so that it appears to be "192.168.1.1", the router's defences
catch that, drop the packet, and create a log entry to report the
blocked intrusion attempt. So, if the router's working properly (and
it is), all packets that reach your computer claiming to have
originated at "192.168.1.1" really did originate there.

When the software firewall on your LAN computer examines the packets,
it looks at several things in their headers, including the originating
addresses. If you placed "192.168.1.1" in the Trusted Zone, the
firewall will allow those packets to pass. If a packet has an IP
address that is not in the Trusted Zone, the packet will be blocked
unless other information in its headers shows that it's a reply to a
previous request made by an application on your computer (such as your
browser or email program).

A logging program such as WallWatcher does not request log records from
a router, it just passively waits for them to arrive. That means those
log records are not replies, and that's why the router's LAN address
has to be placed in the Trusted Zone: otherwise, the software firewall
will block them. (There are other ways to give permission, but the
"zone" analogy is appropriate for ZoneAlarm.) The first time
WallWatcher runs and a log record arrives at your computer, ZoneAlarm
will ask you whether WW should be allowed to receive that unsolicited
log record. Unless you say "allow", WW will never be able to log
anything.

Telling ZoneAlarm to always allow that kind of event does not grant
WallWatcher other Internet privileges; all you've authorized is to let
WW receive those log records from the router's LAN IP address.

Now, if you've asked WallWatcher to "Convert IP addresses to names" (on
its LOGGING menu), WW will have to ask your ISP's DNS server to do the
actual lookup, and will have to receive a reply to that request. In
that situation, WW is originating Internet traffic, and ZoneAlarm will
ask you a second question: should this application be allowed to send
things out to the Internet?

If you want to use the "Convert" option, the answer should be "always
allow", but you can restrict what ZoneAlarm will allow WW to do: WW
only needs to use port 53 to do DNS lookups, and only has to
communicate with your ISP's DNS servers. It doesn't need permission to
communicate with any other remote address, nor to use any other ports.
By placing such limits, you can be sure WW will not be able to perform
communications you don't think it should be allowed to make, and you
will be able to use ZoneAlarm's own event logs to verify that WW isn't
trying to make other contacts.

(There's a possible exception to that last limit: if you want to use
WW's "Check for updates" option on the HELP menu, you'll have to tell
your software firewall to let WW communicate with its website and
retrieve a small file that contains the current version information.
If you don't want to allow that, you can just browse to the website
occasionally and see what's current.)

A rather long answer to a short question.

-Dan Tseng, WallWatcher author
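The behaviour described in the reply above, as an added illustration that is not part of the thread and not code from WallWatcher or ZoneAlarm: a toy stateful personal firewall with a trusted zone and a per-application rule. Only 192.168.1.1 comes from the post; the PC address, the ISP DNS server address, the ephemeral ports and the application name are assumptions.

```python
from collections import namedtuple

# Constructed addresses for the walk-through; only 192.168.1.1 comes from the post.
ROUTER_LAN = "192.168.1.1"    # router LAN address that emits the syslog records
PC_LAN = "192.168.1.100"      # LAN computer running WallWatcher (assumed)
ISP_DNS = "203.0.113.53"      # ISP DNS server (assumed, documentation range)
SYSLOG_PORT, DNS_PORT = 514, 53

# Per-application outbound rule: app -> (allowed remote hosts, allowed remote ports).
# Mirrors limiting WW to port 53 and the ISP's DNS servers; unlisted apps are unrestricted.
APP_RULES = {"WallWatcher": ({ISP_DNS}, {DNS_PORT})}

# app = originating application, only meaningful for outbound packets
Packet = namedtuple("Packet", "src sport dst dport app", defaults=[""])

class SoftwareFirewall:
    """Toy stateful personal firewall with a trusted zone (like ZoneAlarm's)."""

    def __init__(self, trusted_zone=()):
        self.trusted = set(trusted_zone)
        self.flows = set()  # (local ip, local port, remote ip, remote port) of outbound requests

    def outbound(self, pkt):
        rule = APP_RULES.get(pkt.app)
        if rule and (pkt.dst not in rule[0] or pkt.dport not in rule[1]):
            return "BLOCK"  # app is contacting something outside its permitted scope
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ALLOW"

    def inbound(self, pkt):
        if pkt.src in self.trusted:
            return "ALLOW"  # trusted zone: unsolicited traffic from the router is accepted
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"  # reply to a request an application made earlier
        return "BLOCK"      # unsolicited and not trusted

def walkthrough(router_trusted):
    """Run the four events the post describes; returns each decision."""
    fw = SoftwareFirewall({ROUTER_LAN} if router_trusted else ())
    syslog = Packet(ROUTER_LAN, SYSLOG_PORT, PC_LAN, SYSLOG_PORT)       # unsolicited log record
    query = Packet(PC_LAN, 40000, ISP_DNS, DNS_PORT, app="WallWatcher")  # "Convert IP to names"
    reply = Packet(ISP_DNS, DNS_PORT, PC_LAN, 40000)                     # answer to that query
    stray = Packet(PC_LAN, 40001, "198.51.100.7", 80, app="WallWatcher") # outside the rule
    return {
        "router syslog record": fw.inbound(syslog),
        "WW DNS lookup": fw.outbound(query),
        "DNS reply": fw.inbound(reply),
        "WW to other host/port": fw.outbound(stray),
    }
```

Running `walkthrough(False)` shows the log record blocked while the DNS reply still passes as a reply to WW's own request; `walkthrough(True)` shows the record accepted once the router address is in the trusted zone, with the off-rule outbound attempt blocked either way.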

===============

galt_57@xxxxxxxxxxx wrote:
How can router log messages get to a monitor program like WallWatcher
without needing to put the router IP into the software firewall's
"trusted zone", which I would think would have the effect of disabling
the software firewall? I have a Linksys BEFSX41 and free ZoneAlarm.
