MozillaZine

Talk:Firewalls

From MozillaZine Knowledge Base

New Firewalls article

This new article replaces the "Firewalls" section of the Error loading websites article (formerly Error loading any website) with a link, to shorten that article. See the discussion here for the background. Alice Wyman

Have reworked the beginning to put basic info up front. Hopefully as concise and simple as possible. The main rationale behind deleting all program permissions or all Fx permissions is to reduce human error and make sure the CURRENT version of Fx has permission. Too many people only look at the program name. --AnotherGuest.

Request to revert article following "cruft" removal

NP and Alice, the "cruft" that NP removed was put there for the specific purpose of avoiding the user errors that fill the Support Forum with angry posts. If users read and believed just the two bullets in the Background section, this alone would prevent most of the posts. Here are two of the most common errors:

  • The previous version worked. This one doesn't. Therefore, the problem is this version, not the firewall. (See Bullet 1.)
  • They "close" or "uninstall" what they think is the firewall. Therefore the problem "can't" be the firewall. (The UI closes but the firewall engine is still running. This is a known firewall "feature". See Bullet 2.)

If people do not get those messages right away, they won't read on. It's VERY hard to persuade them that the firewall is the problem, especially if they have configured the firewall correctly and it still doesn't work. (Many users have had to kick firewalls. I even had to kick ZoneAlarm.)

The two hints under "Configuring Specific Firewalls" are a little less necessary, but (1) they apply to multiple firewalls and (2) they circumvent certain user and program errors.

Notice also how concise and readable it was, and how easily a user could skip to the specific instructions. I spent considerable effort to make it concise and readable. I strongly urge reverting to Alice's last 29 July version. It presents essential information that should not be removed. AnotherGuest.

If you feel information should be added back, then add it back in a nice format. I will not have an article that spouts off information in Hint and Note and Warning bullet points here, there, and everywhere. If something applies to all firewalls, put in the intro in paragraph form. If something applies to specific firewalls, put it in the relevant section(s) in paragraph form. This article is "how to fix your firewall so Firefox/whatever works"; anything not related to that topic should be removed. Examples of irrelevant info in the previous version: the types of ICMP traffic that Sygate blocks, a link to Symantec's site rather than a link to the instructions themselves, the fact that eTrust is based on ZoneAlarm, a link to the Wikipedia article on personal firewalls, the document number rather than a link to where someone found info, the name of ZoneAlarm's firewall process. Also, consider the flow that users will likely take. They are not likely to click on the previous version's "Configuring specific firewalls" header if they see their firewall's name right below it.--Np 16:33, 31 July 2006 (UTC)
"I will not have an article that spouts off information in Hint and Note and Warning bullet points here, there, and everywhere." That seems a bit heavy-handed to me, as the KB after all is a collaborative effort. If you want to limit use of bullet points, "Hint" "Note" or "Warning" prefaces to important points then I feel that should be discussed elsewhere, maybe in Talk:In-house style with a link from Knowledge Base changes. Alice Wyman 17:20, 31 July 2006 (UTC)

Reverting article to prior version with some edits

I added back much of what was removed since my feeling is, if there is a good chance that the info will be helpful, leave it in. I did leave off the bit about eTrust firewall being based on ZoneAlarm since it's not all that important and I removed the "firewall" link to wikipedia (but added back the "personal firewall" link since it does give background info). I don't have an eTrust link since when I first found the info, the CA support section only worked in IE and I couldn't get the link to work in Firefox at all. I felt that referring to the document ID was a better reference than none at all. Alice Wyman 17:01, 31 July 2006 (UTC)
You didn't add it back, you just reverted it and took out one or two pieces. And you didn't look very thoroughly at the changes either, unless you think that tidbit about ICMP data types 3 and 4 has a good chance of being useful (do you even know what it means? I don't). Why do we mention that the Symantec site has info without actually linking to the info? There were also changes to make it more like the in-house style, rewording, etc. For example, having "hints" is just horrendous; this isn't a game that the user's playing and we're giving them hints to get the answer. The user wants answers and we want to give them answers. Straightforward, no-nonsense answers, and not tangentially related information. No "Hint:", no "Note:", no "Try...", no "It has been reported"... Just "Do this, do that, you're done". I'm going to go on a rampage if crap like this keeps up and turns this into "Standard diagnostic for firewalls".--Np 17:17, 31 July 2006 (UTC)
Yes, I reverted the article to the earlier version and then edited to incorporate a few things like alphabetizing, removal of a link, and removed the comment about eTrust being based on ZoneAlarm. As for needing to mention ICMP data types 3 and 4, just because you or I don't know what it is, doesn't mean others won't, and it IS mentioned in the linked post.....but I added an ICMP Wikipedia link to the article, in case it helps. About your other suggestions on article-writing in general, that belongs in another discussion, as I said earlier. Alice Wyman 17:29, 31 July 2006 (UTC)

Sorry, I didn't mean to start a feud here. And reversion, which I requested, had the unintended disadvantage of undoing some other good changes that I didn't notice (the change log just shows more-or-less everything being changed). I should have documented better when I first made my changes. There's certainly a bit of garbage in here, and even the good info can benefit from trimming in places. It will take a while to digest and maybe reprocess all the changes that have been suggested or made.

Personally, I like the bullets because a few short bullets present information at a glance--but maybe that's just my eye. Bullets are not the only way to do the job, of course, but I note that they are used elsewhere in KB. I'm sorry you're offended by the hints. The format and content are debatable, of course, but if we can't give hints on how to get things working, why are we writing this stuff? "Crap like this" comes up because (1) sometimes things don't work even if people follow the directions, and (2) sometimes they don't follow the directions.

Bullet points do present information at a glance, but in this article (in the background section), that's not what they're being used for. They're two pieces of information that just don't fit with the paragraph, so they're lumped together. A list should be a list of something (and labelled as such), like "Important things to remember about firewalls".--Np 19:36, 31 July 2006 (UTC)
Hitting people over the head with facts isn't "crap". If people don't read something, sometimes the only thing you can do is repeat yourself. But you don't want to give "hints", you want to give directions. Hints are helpful but they are indirect and don't tell the whole story. Think of a riddle. If someone gives you a hint, they are purposely only giving you part of the information you need to solve it and withholding the rest. I don't think that the things marked "Hint:" in this article are actually hints.--Np 19:36, 31 July 2006 (UTC)

Removing information

As for the NIS link, I plead guilty to adding that one some time ago. The main site was linked because there are many such links, depending on the version number. The link was added because until shortly before that time, Symantec apparently had no such Web information, and the links were not very easy to find. But NP is right. The KB needs to be kept trim.--AnotherGuest.

Kindly remove it then. I fear if I do so it will be reverted.--Np 19:36, 31 July 2006 (UTC)
Np, that's ridiculous. The only reason I reverted the article was because you had removed information that AnotherGuest then requested to add back. I thought it would be simpler to start back at the earlier version, keeping some of your changes that did not seem to relate to AnotherGuest's concerns, since he felt so strongly about it, then go from there. Alice Wyman 22:42, 31 July 2006 (UTC)
The KB needs to be kept trim ...but not by removing information for the sake of brevity! I think that the KB should be more than just a cookbook listing "fix-it" steps, with no explanation or documentation. That's why I tend to give more detail and reference links than other people. Alice Wyman 23:03, 31 July 2006 (UTC)
Sorry, I didn't mean to start a feud here. And reversion, which I requested, had the unintended disadvantage of undoing some other good changes that I didn't notice. AnotherGuest, no worries. You did right by posting your concerns. That's what the Talk pages are for. Alice Wyman 22:42, 31 July 2006 (UTC)

Removed ref. to Symantec Web site, per NP's instructions. The situation with respect to NIS seems to be changing a lot, and this may require monitoring. When that ref. was first included, the Symantec site had many version-specific sets of instructions, and that was the reason for referencing just the home page. Now they seem to have some sort of automated procedure. We also have two sets of instructions within MozillaZine, and I'm not going to try to adjudicate. I noticed a lot fewer complaints about NIS this time, and I wonder if it's due to improvements by Symantec. I also wonder if our instructions are out of date. So it may be appropriate to reference Symantec, but it's someone else's baby. I don't have NIS.

Also made a few other minor changes according to instructions. The others are harder to do properly, and someone else can do it. --AnotherGuest.

More changes including Firewall gotchas section

I've made a few more of the changes that were reverted. I haven't removed any info, just reorganized and reworded the intro. AnotherGuest, it'd be good if you could add more to the firewall gotchas section because you're the one who wrote the "Top 12 ways to get fooled by firewalls", right?--Np 19:12, 1 August 2006 (UTC)
Firewall gotchas? How unprofessional!  :-) But I like it. Thanks. I'll think about the 12 ways. Nothing stands out to me, and 12 points would be a bit too many for KB.
Couldn't think of anything better...--Np 20:49, 1 August 2006 (UTC)
For future reference, [uninstalling NIS or Norton firewall.]--AnotherGuest.

Sorry, but I think that this "Firefox gotchas" version .... well, stinks, and not just because of the silly heading. I'd like to revert it back to the "Hints and bullets" phase but I think it would be better to just sit back and see what happens down the road since the two of you seem to be on a roll. Alice Wyman 00:57, 2 August 2006 (UTC) .... OK, I'll be more specific. It's the Intro, mainly, which starts off: A firewall is like a gatekeeper to the Internet; it controls what kind of connections programs can make to the outside world and vice versa. Software firewalls (also known as a personal firewalls) are the kind of firewalls that most users are familiar with. Norton and ZoneAlarm are both software firewalls. It's just not well written, and doesn't flow into the rest of the "Intro", which really should be a separate "Background" section as before. I can rewrite it, but like I said, I'd rather wait to see what else develops. 01:35, 2 August 2006 (UTC)

Note: I completely disagree. Warning: don't revert it.--Np 03:54, 2 August 2006 (UTC)
The one thing I thought I might edit right now would be replacing "gotchas" with something more professional since I don't think that slang is appropriate in KB articles (I'll have to add a comment on that to Talk:In-house style). Alice Wyman 14:24, 2 August 2006 (UTC)
Go for it, I don't like "gotchas" but I couldn't think of anything better at the moment.--Np 15:21, 2 August 2006 (UTC)
Well, I was going to suggest "pitfalls" but I see AnotherGuest already thought of it :-) Alice Wyman 20:26, 2 August 2006 (UTC)
1. Since this part is still in flux during this committee editing process, maybe it would be better to move parts of it back to Alice's draft page, rather than negotiate on the active support page. That is, if we don't get into too much trouble with synchronizing versions.
No, don't move the page to my user page, that's been cleared for another article. Leave the page editing here. We shouldn't have to hide the editing process away on someone's user page. I think it's good to do this out in the open. Alice Wyman 14:24, 2 August 2006 (UTC)
2. I'd like to change it even more, but I'm kinda waiting for it to bake a while. I finally noticed the obvious: a lot of people still think Fx should control the firewall. They think Mozilla should fix it.
I'd like to change the first paragraph to read something like: "A personal firewall (e.g., the Norton firewall and ZoneAlarm) is like a gatekeeper to the Internet; for the purpose of security, it controls sending and receiving data from the outside world. Neither a browser nor any other program can control the firewall. If it could, that would completely defeat the purpose of the firewall."--AnotherGuest.
A few nits:
  • A firewall is not just like a gatekeeper, I'd say it is a gatekeeper.
  • The firewall isn't responsible for (doesn't control) sending and receiving data, it just grants or denies the access.
  • This is a problem with the current version too, but "outside world" might be thought of as "real world".
  • The last two sentences still need reworking. Maybe include that info in with the subsequent paragraphs that deal with the interaction with firewalls and programs?--Np 14:23, 2 August 2006 (UTC)


Try this: "A personal firewall (e.g., the Norton firewall and ZoneAlarm) is a gatekeeper to the Internet; for the purpose of security, it either grants or denies access for data to pass. Most personal firewalls will deny access by any program, including your browser and mail program, unless you have specifically allowed access by that program. Neither a browser nor any other program can control the firewall. If it could, that would completely defeat the purpose of the firewall.
"A firewall will usually ask you whether to allow a program to connect to the Internet. In order for Firefox/Thunderbird/Mozilla Suite to work, you must grant access. If you deny access, you must reconfigure the firewall to allow access.
"This article provides information on how to configure different firewalls to allow Firefox/Thunderbird/Mozilla Suite access to the Internet."
[The phrase "grants or denies access to the Internet" is meant to cover either inbound or outbound packets. I don't want to distinguish between inbound and outbound firewall activity, because it needlessly complicates the explanation. The distinction would add another, unnecessary concept and would take an extra sentence or two.]
[The only remaining problem I see is the small complication that it is possible that some firewall mfrs may update firewall data with program signatures and preconfigured permission (this is alleged; I'm not certain). The article says that only the user can configure permission. The "gotcha" is that this will fail if Fx updates before the firewall.] --AnotherGuest.

Program scan UI text

Is the UI text within Norton's program scan really all capitalized?--Np 16:43, 1 August 2006 (UTC)

Don't know. It's possible the NIS section is out of date. See my previous note.--AnotherGuest.
Come to think of it, I think it was copied verbatim from the Support Forum. If I remember correctly, some user talked to Symantec and wrote down the instructions. I didn't post it.--AnotherGuest.
I changed the capitalization. It's more likely that it's not capitalized.--Np 03:54, 2 August 2006 (UTC)

Norton blocking outbound connections by default

I removed the reference to NIS blocking outbound connections by default because "Norton Internet Security (NIS) automatically blocks updated programs from accessing the Internet." means the same thing.--Np 03:54, 2 August 2006 (UTC)

Sygate, ZA, and ICMP

In plain English, I think the ICMP packets that are being blocked by Sygate are the inquiries that tell the ISP to keep the connection open. ZA Help calls these "ISP heartbeat messages". ZA, and probably other firewalls, will get your connection terminated if you don't get this right, but I haven't seen enough on this to offer clear solutions.

Updated Norton stuff

Symantec has thoroughly added extensive Web support, and users should consult that first for the many versions. It seems that we now have few reports of problems. I took a chance and removed our own instructions because they are outdated and do not necessarily cover the many versions. I suppose we can add them back if it seems necessary. --AnotherGuest. 28 Aug 06

Note that the FAQ page is identified for Dell users, but it appears to apply to others as well. --AnotherGuest. 28 Aug 06

All seems well. Reason for reverting Norton stuff?

It appears that we still have very few reports of problems. Is there a reason for reverting when it seems to be working fine? The only Norton problem I have seen so far after the version 1.5.0.7 update was one person who apparently had not seen this article and was referred to Symantec. Alice, I see that you have found a step-by-step Symantec page. This seems good. Is there a reason for reverting to Helene's older instructions and placing them first in the list? Do you contend that they are still current, valid for all Norton firewall versions, and superior to the new Norton site support? Is there a reason for reverting even though Norton's software and support seem to be working well? --AnotherGuest. 19 Sept 06

The AutoFix Tool only works with Internet Explorer 5.5 or higher according to the page you get redirected to when you click the link, which is why I added the Norton KB article. After second thought I removed the forum link to Helene's older instructions. Alice Wyman 17:32, 19 September 2006 (UTC)

Windows Firewall (Vista)

I changed the header for the windows firewall section to indicate it was just for XP. Could somebody who has Vista add a section for Vista? My impression from http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx and http://www.oreillynet.com/windows/blog/2007/02/windows_vista_firewall_not_wha.html is that the Vista version is quite different. Tanstaafl 23:04, 24 February 2007 (UTC)

I found an article about the Windows Vista Firewall at http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1217062,00.html which says:
On the surface, it looks like a Windows XP leftover. In fact, the firewall's user interface in Windows Vista is nearly identical to the interface found in Windows XP. There aren't even any new configuration options available....The problem with the firewall's user interface is that it is easy to assume that the configuration options shown within the user interface are the only options available. However, you can actually gain much more control over the Vista firewall by configuring it using Group Policy Editor.
I run XP SP2, not Vista, but based on the article stating that the UI is nearly identical, plus the fact that parentheses cause link problems, I renamed the section "Windows Firewall". I added some info and a link for Vista to the end. Hope that's OK with you. (If someone does want to add information specific to XP or Vista, a subsection could be added.) Alice 03:07, 25 February 2007 (UTC)
Part of my concern is that the article states you can have both a domain, public and private profile for the firewall, and that sometimes you can accidentally use the wrong profile. It's possible all we have to do is add a single extra step where you select the profile but I'm not running Vista either. I have no problem with leaving things as they are while waiting for somebody who uses Vista to decide what's appropriate. Tanstaafl 10:10, 25 February 2007 (UTC)

User-centric title

When browsing through category listings or searching, users normally choose the articles that are titled after their symptoms. In this case, it's "Can't connect to the Internet after updating". We should have some sort of entry named that. Options:

  • Rename this article and tweak the intro slightly. Are there any other ways that a user wouldn't be able to connect after updating that we would have to include?
  • Create an article named "Can't connect to the Internet after updating" with a short explanation and a link to this article.
  • Keep the article named as is, but put it in the categories under a different name. This wouldn't affect the title displayed after searching.

Thoughts?--Np 21:11, 12 June 2007 (UTC)

  • Rename and tweak. Any other ways?
--Yes, there are some: connection options in menu; I've seen users claim a profile change solved problem (because of extensions or connection options?). Least favorite option. Editing a stable, self-contained article seems like asking for trouble.
  • Create an article linking to this one. --Yep. "Error loading Websites" already does this, but it's a mess, and less specific.
  • Put categories under different name. --Seems like a good idea for a lot of articles. I think the site allows this, but if I understand the feature correctly, it hasn't been used, has it? --AnotherGuest. 21:35, 12 June 2007 (UTC)
Yeah, we just have a redirect that's categorized, like in the articles Alice lists below.--Np 00:51, 13 June 2007 (UTC)
Keep the article named as is, but put it in the categories under a different name. I like this option, which we already do for a few articles, e.g., Toolbar customizations reset on startup which appears in the Firefox "Issues" and "Visual customizations" category listings but redirects to Corrupt localstore.rdf. RSS feeds - Firefox and Add Bookmark dialog not working - Firefox are other such articles that have more than one name in the category listings but which route users to the same article. Alice 23:00, 12 June 2007 (UTC)
I'd like to at least include one sentence that explains why we're going to point them to a different article. That means not having an actual redirect and instead just putting a bit of info and a link, or include some explanatory text in this article. I'd prefer the former because the extra text would make it easier to search for.--Np 00:51, 13 June 2007 (UTC)
Before you create a "Can't connect to the Internet after updating" article that points to the firewalls article I suggest you read the "Possible update problems" section in Software_Update and see if some sort of (aggregate) issues article is needed about updating problems. Tanstaafl 02:42, 13 June 2007 (UTC)
Who, me? I'm the one who wrote that section a few hours ago. I think that that's a separate issue than what to do with this article. Whether or not we have an aggregate update issues article, I think it's still useful to have a "pointer" article as described above.--Np 03:28, 13 June 2007 (UTC)

Kaspersky firewall

I copied the instructions for configuring the firewall component of Kaspersky Internet Security from the page link that was recently added to the article, http://noise.loud.googlepages.com/home (see article history). The referenced page didn't include the version of Kaspersky Internet Security so today I PM'ed LoudNoise (who wrote the page) and asked for that information. Alice 12:19, 25 October 2007 (UTC)

P.S. Kaspersky Internet Security 7 is the current version. Kaspersky Anti-Hacker (firewall product) was integrated into Kaspersky Internet Security 6, according to the references given in this other discussion. I would really rather have a direct link to a Kaspersky support article with configuration information, so if anyone can find a Kaspersky page with firewall configuration instructions for KIS 6 or KIS 7, that would be great. Alice 12:43, 25 October 2007 (UTC)

I received a reply from LoudNoise who said, "I don't have the Kaspersky suite myself and got the instructions from someone who actually responded when I asked how they fixed the problem. This was slightly before the Great Crash of 2007 which I think was before 7.0 was released. Could be Version six but I didn't ask. As for linking that is fine with me. It will only be updated as I get annoyed at answering the same question four thousand times." Based on that, I removed the instructions that I had added and just left the link to his web page.

I just found instructions on Kaspersky's site for the firewall settings in Kaspersky Internet Security 7.0 here and added those to the article. Alice 00:07, 26 October 2007 (UTC)

Firewalls phone home -- Sometimes

Here's a solid reference: http://forums.mozillazine.org/viewtopic.php?p=3166688#3166688 . Omitted from pitfalls section because we don't want too many details that merely prove the point in a technical way.

The implication of automatic program signature updates by firewalls is that firewall behavior is inconsistent if the firewall doesn't yet know about a new browser version. Many users rely on autopilot, and then cannot deal with the concept that this update was not the same as previous ones.--AnotherGuest. 16:59, 3 December 2007 (UTC)