Sebastian Mares
Aug 21 2003, 03:37
Hello!
I have just installed the trial version of ZoneAlarm Pro and was now wondering how to configure it correctly. The main problem is that I have some servers running... some of them should be accessible by everyone, some of them not.
Here are the server details:
- HTTP server (Apache2) is listening on port 80. At the moment, TCP port 80 is open for incoming access and everything is working well. Do I still need to open port 80 for outgoing access, too? Also, would I need to open any ports for the MySQL server? That one is running, too.
- FTP server (BulletProof FTP Server) is listening on port 21. The PASV range is 1024-65535, but passive mode is turned off. I have enabled TCP port 21 for both incoming and outgoing access. Can I turn off outgoing access, or do I need both? Also, should I open the TCP ports 1024-65535? If yes, for outgoing and incoming?
- SMTP server (have to install one) will be listening on port 25. I would like this one to be accessible only for me (private). Would I need to enable TCP port 25? If yes, for incoming and outgoing access, or only one of them?
- Time server (Absolute Time Server) is listening on TCP port 37, UDP port 37 and SNTP port 123. None of the ports above is open and the server is not accessible. Which ports should I open to enable access from outside?
Thanks in advance,
Sebastian Mares
tangent
Aug 21 2003, 14:19
Generally, you should by default accept all outgoing. Unless you're the gullible type who gets hit by spyware all the time, in which case block outgoing by default and allow by application.
[*]HTTP server (Apache2) is listening on port 80. At the moment, TCP port 80 is open for incoming access and everything is working well. Do I still need to open port 80 for outgoing access, too? Also, would I need to open any ports for the MySQL server? That one is running, too.
You don't need to open any ports for MySQL server since only your webserver will be accessing it. Not sure how ZoneAlarm works, but I know that in some systems you will need to set the loopback connection to accept everything (accept all from 127.0.0.*) for one service to access another within the same server.
[*]FTP server (BulletProof FTP Server) is listening on port 21. The PASV range is 1024-65535, but passive mode is turned off. I have enabled TCP port 21 for both incoming and outgoing access. Can I turn off outgoing access, or do I need both? Also, should I open the TCP ports 1024-65535? If yes, for outgoing and incoming?
You only need incoming 21. If you disable passive mode, users behind their own firewalls will be unable to access your FTP (unless their firewalls are capable of nat connection tracking active mode FTP connections). If you want to enable passive mode, your firewall must be capable of connection-tracking passive mode FTP connections. Do not open TCP ports 1024-65535 incoming! That defeats the purpose of having a firewall. All outgoing should be opened, as I explained above.
[*]SMTP server (have to install one) will be listening on port 25. I would like this one to be accessible only for me (private). Would I need to enable TCP port 25? If yes, for incoming and outgoing access, or only one of them?
No need to enable incoming port 25 on external interfaces. However if you are running a mail server accepting mail for a domain, that has to be opened. Probably not though since it looks like you're just setting up an smtp server for php to use to spam users.
[*]Time server (Absolute Time Server) is listening on TCP port 37, UDP port 37 and SNTP port 123. None of the ports above is open and the server is not accessible. Which ports should I open to enable access from outside?
No idea why you want to be running a time server, but yes, for time protocol you need to open both TCP and UDP 37. SNTP is an application protocol, not a network/transport protocol (which TCP and UDP are), and it uses UDP port 123 so you need to open that.
AstralStorm
Aug 21 2003, 17:44
You shouldn't open ports 1024-65535 for incoming, unless you have a server listening on one of these. (P2P software for example)
mp3chan
Aug 21 2003, 18:15
I just don't like ZoneAlarm Pro, because it caused a blue screen of death on my XP every time I tried to connect to an FTP server. Kerio Personal Firewall is better IMO.
tangent
Aug 21 2003, 21:39
For his above application he should be using Linux instead of MSBlaster-bait anyway.
Hi, sorry to hijack the thread, but it seems like the OP has been helped. Anyway, I need some advice on WinRoute Pro. I have 2 machines (server, client); the server is connected to ADSL and has two NICs (one going to the modem and the other to the client). I managed to set it up, and all is working quite dandy, i.e. server and client both see each other and the internet.
Packet filter set to the following (on the ADSL connection):
-----------------
UDP any port=53 -> any host port>1023
*UDP any all -> any host port 4672
*UDP any port=4672 -> any all
*TCP any all -> any port(4400, 4800)
TCP any all -> any all !SYN (only initiated connections)
ICMP any -> any (only echo reply)
IP any -> any (Drop)
---------------
Now here is the problem, file sharing programs (a.k.a emule and the kind)... seems like trying to connect to emule gives me a warning about low id, so I added the [*] items in Packet filter and added port mapping to map port (4400-4800) to the same range to my local IP (emule is on the server machine).
All this seems to have helped (it didn't work without port mapping), but I'm not sure about the [*] rules I've added or the port mapping... Any advice (even on packet filters to tighten or loosen)?
EDIT: Nor am I sure about the port mapping. Do I need all those ports mapped? I mapped only 4662 at first and it kinda worked, but I was afraid it'd only be enough for one connection...
Thanks.
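To make the behaviour of the rule list above concrete, here is an added example (not code from the thread or from WinRoute Pro) that models it as a first-match packet filter and runs constructed packets through it. The semantics are assumed from the posted text: rules are checked top to bottom, the first match decides, and the final "IP any -> any (Drop)" is the default deny. "port(4400, 4800)" is read as the range 4400-4800, following the later mention of mapping 4400-4800. All sample packets are constructed.

```python
"""Toy first-match packet filter modelling the posted WinRoute Pro rule list.

Added example; not code from the thread or from WinRoute. Rule semantics
(top-to-bottom, first match wins, trailing default drop) and the reading of
"port(4400, 4800)" as a range are assumptions. All packets are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "TCP", "UDP" or "ICMP"
    src_port: Optional[int] = None   # None for ICMP
    dst_port: Optional[int] = None
    syn: bool = False                # TCP SYN flag set (new connection attempt)
    icmp_type: Optional[int] = None  # 0 = echo reply, 8 = echo request


Rule = Tuple[str, Callable[[Packet], bool], str]

RULES: List[Rule] = [
    ("UDP any port=53 -> any host port>1023",   # DNS answers to ephemeral ports
     lambda p: p.proto == "UDP" and p.src_port == 53 and p.dst_port > 1023, "PERMIT"),
    ("*UDP any all -> any host port 4672",      # eMule UDP, inbound
     lambda p: p.proto == "UDP" and p.dst_port == 4672, "PERMIT"),
    ("*UDP any port=4672 -> any all",           # eMule UDP, outbound
     lambda p: p.proto == "UDP" and p.src_port == 4672, "PERMIT"),
    ("*TCP any all -> any port(4400, 4800)",    # eMule TCP (assumed range 4400-4800)
     lambda p: p.proto == "TCP" and 4400 <= p.dst_port <= 4800, "PERMIT"),
    ("TCP any all -> any all !SYN",             # any TCP segment that is not a SYN
     lambda p: p.proto == "TCP" and not p.syn, "PERMIT"),
    ("ICMP any -> any (only echo reply)",
     lambda p: p.proto == "ICMP" and p.icmp_type == 0, "PERMIT"),
    ("IP any -> any (Drop)",                    # default deny
     lambda p: True, "DROP"),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule text) for the first rule that matches the packet."""
    for text, match, action in rules:
        if match(p):
            return action, text
    raise AssertionError("rule list has no catch-all")  # unreachable with RULES


# Constructed sample traffic arriving on the ADSL interface.
SAMPLES = {
    "dns answer":       Packet("UDP", src_port=53, dst_port=40123),
    "emule udp in":     Packet("UDP", src_port=61000, dst_port=4672),
    "emule tcp syn in": Packet("TCP", src_port=50000, dst_port=4662, syn=True),
    "tcp ack in":       Packet("TCP", src_port=443, dst_port=51234, syn=False),
    "ssh syn in":       Packet("TCP", src_port=50001, dst_port=22, syn=True),
    "ping reply":       Packet("ICMP", icmp_type=0),
    "ping request":     Packet("ICMP", icmp_type=8),
}


def evaluate_samples() -> dict:
    """Map each sample name to the action the rule list takes on it."""
    return {name: filter_packet(p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        action, text = filter_packet(p)
        print(f"{name:18} {action:6} via: {text}")
```

Two things the run makes visible: a SYN to port 22 falls through to the default drop, which is exactly the protection tangent describes when warning against opening 1024-65535, while a SYN into the eMule range is permitted because that rule sits above the !SYN rule. The "!SYN" rule is a stateless approximation of "only initiated connections": it permits any TCP segment without SYN whether or not an inside host actually opened that connection, which is why tangent's point about a firewall that does real connection tracking matters.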
Sebastian Mares
Aug 22 2003, 02:55
OK, is this correct:
Sorry, I had to remove the link due to problems with the server.
tangent
Aug 22 2003, 05:50
QUOTE(LPTB @ Aug 22 2003, 04:37 PM)
EDIT: Nor am I sure about the port mapping, do I need all those ports mapped? I mapped only 4662 only at first and it kinda worked, but I was afraid it'll only be enough for only one connection...
If you are running eMule on the gateway machine, you do not need to activate port mapping, just open the firewall to accept incoming TCP 4662.
If that doesn't work, you may want to configure eMule to use a different port. It's been known that some ISPs block or throttle default ports for P2P apps... you may even get a performance gain using a different port.
You only need one port. That can handle all the connections you ever need. After all, large webservers have to handle tens of thousands of connections through a single port 80. A connection is made up of a pair of ip:port (source and destination); you don't need to open multiple source ports to handle multiple connections.
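The point about one listening port serving many connections can be seen directly. The following is an added example, not code from the thread: it opens a TCP listener on the loopback interface with an OS-chosen port (the "server"), connects several clients to it and records the four-tuple (client ip, client port, server ip, server port) of each accepted connection. The tuples differ only in the clients' ephemeral source ports; the server side never opens a second port. The client count and the use of 127.0.0.1 are constructed for the demonstration.

```python
"""Show that one listening TCP port carries many simultaneous connections.

Added example, not from the thread. Uses only loopback sockets, so it runs
offline. The number of clients and the loopback address are constructed.
"""
import socket
from typing import Dict, List, Tuple

FourTuple = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


def accepted_tuples(n_clients: int = 5) -> List[FourTuple]:
    """Accept n_clients connections on a single listening port; return their 4-tuples."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free listening port
    server.listen(n_clients)
    listen_port = server.getsockname()[1]

    # All clients connect to the same ip:port before any accept() runs; the
    # kernel completes each handshake and queues it for the single listener.
    clients = [socket.create_connection(("127.0.0.1", listen_port))
               for _ in range(n_clients)]

    accepted, tuples = [], []
    for _ in range(n_clients):
        conn, (client_ip, client_port) = server.accept()
        server_ip, server_port = conn.getsockname()
        tuples.append((client_ip, client_port, server_ip, server_port))
        accepted.append(conn)

    for s in accepted + clients + [server]:
        s.close()
    return tuples


def summarize(tuples: List[FourTuple]) -> Dict[str, int]:
    """Count connections and the distinct ports used on each side."""
    return {
        "connections": len(tuples),
        "server_ports": len({t[3] for t in tuples}),  # expected: 1
        "client_ports": len({t[1] for t in tuples}),  # expected: one per connection
    }


if __name__ == "__main__":
    tuples = accepted_tuples(5)
    for t in tuples:
        print(f"{t[0]}:{t[1]} -> {t[2]}:{t[3]}")
    print(summarize(tuples))
```

Read the output as a firewall would: every accepted connection has the same destination ip:port, so a single inbound rule for TCP 4662 on the gateway admits all of them, and the varying source ports belong to the remote peers, not to anything the gateway has to open.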
tangent
Aug 22 2003, 05:59
QUOTE(Sebastian Mares @ Aug 22 2003, 04:55 PM)
OK, is this correct:
Nope. I mentioned it twice in my original email, open ALL outgoing connections.
Alternatively, block ALL outgoing connections and allow outgoing connections only by application.