Wally,

Verified, albeit unscientifically. ZoneAlarm does not appear to detect
UDP traffic from source port 67.

Additionally, using nmap's -f flag allows you to send traffic past
ZoneAlarm without any alerts.

Wally Whacker wrote:

> ZoneAlarm (http://www.zonelabs.com) is a very popular
> personal firewall for Microsoft Windows computers and easy
> to use for newbies because it is application based,
> meaning, you apply network permission to applications
> instead of ports.
>
> Because it is application based, I was wondering how it
> handled ports that weren't applications, i.e., what about
> ports that are opened by the kernel?
>
> I tried scanning a ZoneAlarm protected machine using
> various source ports that are often problems for other
> firewall environments. What I found was this:
>
> If one uses port 67 as the SOURCE port of a UDP scan,
> ZoneAlarm will let the packet through and will not notify
> the user. This means that one can UDP port scan a
> ZoneAlarm protected computer as if there were no firewall
> there IF one uses port 67 as the source port on the packets.
>
> The version I tested this on was 2.1.10
>
> I strongly suspect port 67 needs to be left open because it
> is used for DHCP.
>
> On an earlier version 2.0.26 UDP packets from source port
> 53 also behaved as above but this doesn't seem to be the
> case with this latest version.
>
> The test was this:
>
> 1) Download and install ZoneAlarm version 2.1.10.
>
> 2) From another computer (unix, linux, etc) run
> nmap -P0 -p130-140 -sU 192.168.128.88 <-Your Computer IP Address.
> This will run a small UDP scan on the computer.
>
> 3) ZoneAlarm will throw up alarms on these UDP probes
>
> 4) NOW, run nmap -g67 -P0 -p130-140 -sU 192.168.128.88
> (Notice the -g67 which specifies source port). This will
> run the same test as above except the packets will have a
> source port of 67.
>
> 5) ZoneAlarm will not throw up any alerts AND if you have
> any services running on those ports, nmap will find them.
>
> I'd appreciate it if anyone else can independently verify
> this.
>
> Wally
>
> http://hackerwhacker.com
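
The behaviour reported in this thread is consistent with a rule that trusts UDP by source port alone. The sketch below is an added example, not part of the original messages and not ZoneAlarm's code: it contrasts that assumed rule with one that honours source port 67 only toward the DHCP client port 68, and flags hosts whose source-port-67 traffic fans out across other ports. The `UdpPkt` record, the function names and the sample addresses are all constructed for illustration.

```python
# Added example, not code from the thread. All packet records are constructed.
from collections import defaultdict, namedtuple

UdpPkt = namedtuple("UdpPkt", "src_ip src_port dst_port")

DHCP_SERVER_PORT = 67  # server side of BOOTP/DHCP
DHCP_CLIENT_PORT = 68  # client side of BOOTP/DHCP


def naive_allow(pkt):
    """Assumed rule shape: pass any UDP packet whose source port is 67."""
    return pkt.src_port == DHCP_SERVER_PORT


def strict_allow(pkt):
    """Tighter rule: source port 67 is honoured only toward client port 68."""
    return pkt.src_port == DHCP_SERVER_PORT and pkt.dst_port == DHCP_CLIENT_PORT


def flag_source_port_67_probes(packets, min_ports=3):
    """Return {src_ip: sorted dst ports} for hosts that sent source-port-67
    UDP to at least min_ports distinct ports other than 68."""
    seen = defaultdict(set)
    for pkt in packets:
        # Traffic the naive rule would pass but the strict rule would not.
        if naive_allow(pkt) and not strict_allow(pkt):
            seen[pkt.src_ip].add(pkt.dst_port)
    return {ip: sorted(ports) for ip, ports in seen.items()
            if len(ports) >= min_ports}


# Constructed sample traffic.
SAMPLE = (
    [UdpPkt("192.0.2.10", 67, p) for p in range(130, 141)]  # sweep as in step 4
    + [UdpPkt("192.168.128.1", 67, 68)]                     # ordinary DHCP reply
    + [UdpPkt("192.0.2.20", 40000, 135)]                    # unrelated UDP
)

if __name__ == "__main__":
    for ip, ports in flag_source_port_67_probes(SAMPLE).items():
        print(f"{ip}: source-port-67 UDP to non-DHCP ports {ports}")
```

The same predicate can be applied to firewall or packet-capture logs to audit whether a host-based firewall is passing source-port-67 traffic that is not a DHCP reply.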
