I have a ME machine on a modem ADSL router. The FW is ZA and it blocked a request for an outward connection to 127.0.0.1 via port 1083. ZA client: 10.0.0.138 DNS refused. Then I lost contact from the browser and mail client to the Internet, and had to reset the router manually to re-establish the connection (the middle LED was blinking orange-green).
Does anybody have a clue as to what happened here? FW specialist, please explain?
It is the last update before they stopped support for ME, but I also run some packet filtering in it with adapted open source, my personal Windows-adapted version of ZAL-iptables 3.1.1 inside ZA. I think I have to un-UPnP this system, if that has something to do with it and port 138; UPnP advertises on port 5000, which is listening, but it is full stealth. Just before I lost my outward connection (the browser came up with failing to contact servers, and the avast update server failed as well), I had a request for 10.0.0.138, which is my router address (the computer hangs on another 10.x.x.x address). All the ZAL programs are set to "?", and all the logging goes out with all the other crap after the session is completed (CCleaner).
Recently I also monitored, inside Flock, some traffic from 84.207.2.244:443, but I have no other AV product service running. That's all I can mention to you, essexboy. Have a hunch? After I reset the router everything is back to the normal routine, and there are no more alerts or whatever.
What size is your tvdebug.log in windows/internet logs? I had something similar about a year ago and I found that the log was in excess of 200 MB. I deleted it and everything went OK thereafter, but you can only delete it if ZA is closed... So I now delete it daily just before shutting down, as ZA in their wisdom have it as an incremental log, and boy does it grow...
I know about this. I will 'ave a look, because this bugger tvdebug.log can stop your ZAL client from starting up the next time.
Keep it neatly trimmed.
Again I lost my connection and had to reset the ADSL router.
I read the ZA log, and it came up with "From 10.0.0.150 UDP port 1174 to 10.0.0.138 DNS sent packet was blocked" 2x. I saw a FIN ACK on the query for google.com, no connect. Could this mean that someone created a SYN flood so all DNS queries were being dropped, or is there another explanation? They wait a long time without a response, and bingo. It is rather cumbersome.
I also had a "From 10.0.0.150 TCP Port 4467 to 66.102.11.104 (HTTP) sent packet was blocked" (the SSDP service tried to contact 66.102.11.104, and the computer was not yet ready).
Can anybody answer these questions?
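The two alert lines quoted in the post above are regular enough to parse mechanically. The following is an added example, not code from the thread or from ZoneAlarm: it scans alert lines in that shape and flags the pattern that explains a dead connection with a router that is still up, namely the firewall blocking the machine's own outbound DNS queries to the gateway. The sample lines are constructed to match the format the poster quoted (two DNS blocks, one HTTP block, one unrelated line); the gateway address 10.0.0.138 is the one the poster gave, and nothing beyond the quoted wording is assumed about the real log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern modelled only on the two lines quoted in the thread, e.g.
#   "From 10.0.0.150 UDP port 1174 to 10.0.0.138 DNS sent packet was blocked"
#   "From 10.0.0.150 TCP Port 4467 to 66.102.11.104 (HTTP) sent packet was blocked"
# The service name may or may not be parenthesised, and "port" may be capitalised.
ALERT_RE = re.compile(
    r"From (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>TCP|UDP) [Pp]ort (?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) \(?(?P<svc>[A-Za-z0-9]+)\)? "
    r"sent packet was blocked"
)


@dataclass
class Alert:
    src: str
    proto: str
    sport: int
    dst: str
    service: str


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a 'sent packet was blocked' line, or None if the line
    does not match the quoted shape (so junk lines are skipped, not mis-parsed)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(m["src"], m["proto"], int(m["sport"]), m["dst"], m["svc"].upper())


def blocked_dns_to_gateway(lines: List[str], gateway: str) -> List[Alert]:
    """Outbound UDP/DNS blocks whose destination is the gateway: each one is a
    resolver query from this host that the firewall dropped before it left."""
    hits = []
    for line in lines:
        a = parse_alert(line)
        if a and a.proto == "UDP" and a.service == "DNS" and a.dst == gateway:
            hits.append(a)
    return hits


def diagnose(lines: List[str], gateway: str) -> str:
    hits = blocked_dns_to_gateway(lines, gateway)
    if hits:
        ports = ", ".join(str(a.sport) for a in hits)
        return (f"{len(hits)} outbound DNS query(ies) to gateway {gateway} blocked "
                f"(source ports {ports}); name resolution fails until UDP/53 to "
                f"{gateway} is allowed, regardless of the router's state")
    return f"no blocked outbound DNS to gateway {gateway}"


# Constructed sample log, shaped like the lines the poster quoted.
SAMPLE_LOG = [
    "From 10.0.0.150 UDP port 1174 to 10.0.0.138 DNS sent packet was blocked",
    "From 10.0.0.150 UDP port 1174 to 10.0.0.138 DNS sent packet was blocked",
    "From 10.0.0.150 TCP Port 4467 to 66.102.11.104 (HTTP) sent packet was blocked",
    "tvdebug: heartbeat ok",  # unrelated line, must be ignored
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "10.0.0.138"))
```

Run against a saved copy of the log, the point is the distinction the check makes: blocked HTTP to an external host is the firewall doing its job, while blocked UDP/53 to your own gateway means every lookup from the browser and mail client times out even though the link is fine, which matches the symptom of having to wait a long time and then resetting the router.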
The problem subsided one way or another; it came in from the net. They were mainly TCP flag alerts to do with googlesyndication (blocked somehow in NoScript). There is an awful lot of tunneling going on nowadays. If I run a sniffer under, for instance, a Flock session, I see a lot of port 443 traffic for siteadvisor (OK, I granted that myself), but also for xrampsecurity - San Antonio, Texas, http://crl.globalsign.net/Root (22 packets to verify certificates). But that goes unnoticed and right under the FW, as all of those are lifters on HTTP or HTTPS.
But it is interesting to analyse this. I have Distrust in the browser, and PocketFlock running on the USB clears all of its history and cookies after a session anyway. If I want to keep something of interest I download it or keep the hyperlink with LinkRipper. Fine add-ons are Tamper Data and Nuke Anything (for that one site session, that is).