Zonealarm and netbios block on WinXP

[Anthony2816]

Here's the situation:

I have a server computer with two NIC's. One goes to the DSL modem, and one goes to my LAN. It, like all the computers on the LAN, is running WinXP and ZoneAlarm Pro.

WinXP on the server computer shows three networks:

1) The modem to the ISP. This gets a dynamic IP from the ISP.

2) The server to the modem. This shows an IP of 169.254.137.126, with a subnet mask of 255.255.0.0.

3) The server to the LAN. This shows an IP of 192.168.0.1, with a subnet mask of 255.255.255.0.

The problem:

When I start up my client computer, ZoneAlarm pops up an alert that says, "The firewall has blocked Internet access to your computer (NetBIOS Session) from 169.254.137.126 (TCP Port 3274)(TCP Flags: S).

What the heck is this? I thought the NIC with that IP address was separate from the LAN...it has a different IP and subnet mask. So what is this access that the client's ZoneAlarm has blocked?

Should I do anything about it? I was wondering if I should tell the client's ZoneAlarm to accept traffic from the 169.254.137.126 IP, but on the other hand, letting it block it doesn't seem to be causing any harm. I can still access the internet, and all the resources of the server (drives, printers, etc) just fine.

Pretend I know nothing about this subject (close to the truth), and explain this to me, please.

 

[Rockn]

You really only need one Firewall and it should be at the "server". If you are using something like ICS or other proxy you really don't need the firewall. If you want to use it your ZA needs to be set up like this, go into the advanced settings and on the general tab set "This computer is an ICS gateway" and set the local address to 192.168.0.1
Go to the local zones tab and go to the adapter subnets list and select the adapter for your local network. Click apply and try again. The ICS server should also be set to allow DNS and DHCP

 

[Anthony2816]

Originally posted by Rockn:
You really only need one Firewall and it should be at the "server". If you are using something like ICS or other proxy you really don't need the firewall.

You know, I've often wondered about that. I guess the only reason I've been running Zone Alarm on the client computers is because when you initially set it up, it gives you the option to declare the computer either an internet gateway, or that it's a client of a gateway. I figured if they put that in there, then they expected you to install it on all the computers. So it is, indeed, safe to remove ZoneAlarm from all the client computers? (They don't need protecting from each other).

If you want to use it your ZA needs to be set up like this, go into the advanced settings and on the general tab set "This computer is an ICS gateway" and set the local address to 192.168.0.1
Go to the local zones tab and go to the adapter subnets list and select the adapter for your local network. Click apply and try again. The ICS server should also be set to allow DNS and DHCP

I think I already have things set up like this. But I'd happily remove ZoneAlarm from all but the server if that's all that is needed.

 

[Del]

You should be able to run it on just the host computer. That is your firewall.

 

[Anthony2816]

Something else just occurred to me. One benefit to running ZoneAlarm is that it monitors outgoing traffic, alerting me to the attempts of trojans and spyware to "phone home", as well as if anything alters programs like Internet Explorer. If I take ZoneAlarm off the client machines, I'll no longer have that protection, right?

 

[Del]

The firewall on your host machine should catch any outgoing traffic you don't permit.

 

[Anthony2816]

Originally posted by Del:
The firewall on your host machine should catch any outgoing traffic you don't permit.

That doesn't seem to be how my ZoneAlarm setup is working. If I run the LeakTest 1.2 program (from grc.com) on the server, ZoneAlarm pops up and asks if I want to allow it. But if I run it on a non-ZoneAlarm'd client, LeakTest sails right through.

As I understand it, ZoneAlarm keeps a record not just of the names of the programs to which you've given permission to have outside access, but also watches their size and time/date stamps, so that it can tell if a trojan/virus has modified the program. But if ZoneAlarm is only on the server, and the program in question is on a client, it would seem that ZoneAlarm can't do this function.

In any case, it seems either I've done something wrong in my ZoneAlarm configuration on the server, or that I also need to run ZoneAlarm on the client computers, if I want outbound as well as inbound protection.