Firewalls: Difference between revisions

A personal firewall (e.g., the Norton firewall and ZoneAlarm) is a security program that can block Internet access to the Internet. The firewall may be a freestanding program, or it may be part of an Internet security package or antivirus program.

After your Web browser is installed or updated, security software must be configured to allow Internet access. This may happen automatically, or you may have to do it. If you deny access, you must reconfigure the security software to allow access. No Web browser or any other program can control the firewall. If it could, that would completely defeat the purpose of the firewall.

This article provides both general information and information on specific firewalls. For information on other security programs, see Error loading websites.

Firewall pitfalls

• Firewalls may not "know" about every update, and may sometimes require manual configuration.
• Some firewalls continue running even if you think you have disabled them.
• Some firewalls continue running even if you think you have uninstalled them. The EnumProcess tool for Windows will help you find any firewalls that may be running.
• Some firewalls provide detailed rules concerning Internet access, any of which could block Internet access. See this forum topic for an example.
• If the firewall shows that Internet access is already allowed, that may be for the previous version of the Web browser or Thunderbird. Try deleting all versions from the access list so the firewall must request permission again.
• Some firewalls have bugs. Try removing all mention of your Web browser or Thunderbird from the access list so the firewall must request permission again.
• Firewalls can also interfere with Internet access by blocking certain essential tasks such as domain-name service[1][2] or Windows "svchost.exe".[3][4]
• Some firewalls require you to restart your computer for changes to take effect.
• Here are some other ways to be fooled.

CA Personal Firewall

The CA (Computer Associates) Personal Firewall was formerly known as "eTrust Personal Firewall". A number of support documents are available here. The following instructions are from the article Having trouble accessing applications after installing CA ISS or CA Personal Firewall 2007 (if you need more help, the article includes screen shots).

1. Open CA Personal Firewall
2. On the left panel, click on Firewall.
3. On the right, select the Application Control tab.
4. If your program has already requested internet access you will already find it within this list. To ensure the program is given the necessary access, click on the program name and then click on the Delete button.
5. A Confirm popup will ask if you want to delete the application, click Yes.
6. Close CA Personal Firewall
7. Open the program you wish to grant access. A few seconds after the program opens you will see a CA Personal Firewall Security Alert message. Within this box there will be the option to Allow or Deny the program and the ability to remember this setting. We recommend that you check the box to remember the selection for your default web browser and email program so check this box and then click on the Allow button.

Comodo Firewall Pro

This is the free Comodo Firewall. An earlier version was called Comodo Personal Firewall.

Using Thunderbird as an example:

1. Right click on the icon in the system tray and select open.
2. Click on security, and then application monitor. That should display a list of applications and their rules.
3. If there is a existing rule for Thunderbird select it.
   1. Press edit (or right click on the rule and select edit from the context menu).
   2. Press the application browse button and browse to your Thunderbird.exe file.
   3. Select "Specify a parent". Press the parent browse button and browse to Explorer.exe (Windows Explorer) in your windows directory.
   4. The general tab should have allow , "TCP or UDP", and IN/OUT. If it doesn't, change the settings.
   5. Press OK.
4. Otherwise press Add.
   1. Press the application browse button and browse to your Thunderbird.exe file.
   2. Select "Specify a parent". Press the parent browse button and browse to Explorer.exe (Windows Explorer) in your windows directory.
   3. The general tab will default to allow , "TCP or UDP", and IN. Change the direction from IN to IN/OUT.
   4. Press OK.

The list of rules should have a line with Thunderbird.exe, [any], [any], TCP/UDP In/Out and a green check mark next to Allow.

Comodo Firewall Pro, by default, keeps track of each parent (host process) for a given application [5]. For example, Comodo doesn't have just one rule for Thunderbird, it creates rules that also specify what application launched Thunderbird. This can include one for Windows Explorer, Firefox, and even Thunderbird launching itself when it upgrades. If you don't need this fine grained control rather than pressing the parent browse button select "skip parent check" to make it use one rule (and avoid specifying who can launch it). If it already has multiple rules selecting "skip parent check" in any of those rules should automatically delete the other Thunderbird rules.

eTrust EZ Firewall

1. Double click the EZ Firewall icon in the system tray
2. Ensure that the ‘Lock’ icon at the top is in the unlocked position.
3. To the left of the window, click ‘Program Control’
4. Click the ‘Programs’ tab from the top.
5. Look for your internet program (e.g. "Mozilla" or "Firefox") and ensure that the permissions under ‘Access’ and ‘Server’ have a green check mark (allow).
6. Look for Generic host process for win32, (Win XP and Win 2000 only). Again, ensure that the permissions under 'Access' and 'Server' have a green check mark (allow).
7. Look for Application Layer Gateway, ensure 'Access' and 'Server' have check marks.
8. Try accessing the internet again.
9. If you are still unable to surf, remove all instances of your internet program (e.g. "Mozilla" or "Firefox") and Generic host process for win 32 from the program list. You can remove them by right click the name and selecting remove from the popup window.
10. Once this is done, try accessing the internet again. You should get a firewall alert asking for access permission to allow the processes mentioned above, please allow them, this should get your internet working again. [6]

Additional information is contained in CA support document, I cannot surf the Internet since installing EZ Firewall

Kaspersky firewall

Because of a bug, the Kaspersky firewall may continue to block Internet access even though it is supposed to be disabled. [7][8] Access may be blocked even if only the Kaspersky Antivirus program is running.[9] As with any firewall, the best solution is not to disable it, but to configure it to allow the updated application.

Users also have the option of blocking domain-name service (DNS) for some programs but not others. [10][11]. You must allow DNS access for normal Web browsing.

The Kaspersky firewall can also interfere with pipelining [12]

In some cases, it may be necessary to delete the application rule for Firefox/Thunderbird/Mozilla Suite/SeaMonkey, then grant access the next time you are asked. The following instructions are from the article, Firewall rules for applications in Kaspersky Internet Security 7.0:

1. Open the Kaspersky application Settings window
2. select Firewall under Protection.
3. Click on Settings under Filtration System.
4. In the Settings: Firewall window, select the Rules for Applications tab.

Using the Delete button, you can delete a rule for the selected application (e.g., Firefox.exe).

If you need more help, visit Kaspersky Technical Support and Knowledge Base and also see this web page.

McAfee Personal Firewall

1. Right-click the McAfee icon, point to Personal Firewall, then click Internet Applications.
2. In the Permissions list, right-click the permission level for an application, and click Delete Application Rule.

The next time the application requests Internet access, you can set its permission level to re-add it to the list. [13]

If you need more help, visit McAfee Technical Support or the McAfee Support Forums.

Norton Internet Security

The Norton firewall must be configured to allow updated programs to use the Internet. If your Mozilla application cannot access the Internet, this Symantec Knowledge Base article and this forum post may help. If not, the Symantec support site offers extensive resources, including the AutoFix Tool for home users and a FAQ page. To uninstall Norton see this article.

Outpost Firewall

Make sure the Rules Wizard firewall policy is on. The Outpost Firewall can cause Firefox to stall, by blocking the loopback (localhost) connection.[14][15]

PC-cillin Internet Security

A common error using the firewall component of PC-cillin Internet Security is to deny internet access to the essential process, "svchost.exe" (Generic Host Process for Win32 Services). If you mistakenly deny access, you must remove the associated entry from the list of firewall exceptions, as follows [16]:

1. Open the PC-cillin Internet Security main console (double-click the PC-cillin icon on the Windows taskbar).
2. Click "Network Security" on the left.
3. Click "Personal Firewall" on the right.
4. Go to the "Profile Name" section and click the profile being used. This is the profile that has an icon beside it.
5. Click "Edit". The Edit Personal Firewall window appears.
6. Click the "Exceptions" tab.
7. Find and click the entry for "Generic Host Process for Win32 Services".
8. Click "Remove".
9. Click "OK" then click "Apply".
10. Check the Internet connection.

Sygate Firewall

Sygate was bought in 2005 by Symantec, and development under that brand ceased shortly thereafter.[17] Existing copies of the firewall will still function, but will not receive any updates. Support may still be available from Symantec.

Sygate blocks type 3 and 4 ICMP traffic by default, which can cause timeouts and failed FTP uploads. To unblock ICMP, see this post.

To reset program control for Mozilla program:

1. Close the Mozilla program (Web browser or Thunderbird). Make sure it's closed in the Task Manager.
2. Open Sygate's main screen.
3. Click 'Applications'.
4. Scroll to the Mozilla program, highlight it and select 'Remove'.
5. In Sygate, go to Tools > Options > Security tab and press 'Reset Fingerprints'.
6. Close Sygate.
7. Re-open the Mozilla program and it should get re-detected.
8. Tell it to remember the decision and click OK.[18]

Windows Firewall

The Windows Firewall in Windows XP filters only inbound traffic. In Windows Vista, the Windows Firewall can filter both inbound and outbound traffic; however, outbound filtering is turned off by default [19].

In some cases, you may need to remove Firefox/Thunderbird/Mozilla Suite from Windows Firewall exceptions list, if listed, and re-add it. The following instructions are for Windows XP sp2 (Windows Vista should be similar):

1. Close Firefox/Thunderbird/Mozilla Suite
2. Start -> Settings -> Control Panel -> Windows Firewall
3. General tab - Make sure the firewall is switched on and "Don't allow exceptions" is unchecked.
4. Exceptions tab - Find the Firefox/Thunderbird/Mozilla Suite entry and delete it.
5. Check the box next to "Display a notification when Windows Firewall blocks a program".
6. Click "OK" to exit the Windows Firewall window.
7. Start Firefox/Thunderbird/Mozilla Suite.
8. Windows Firewall should then ask whether you want to keep blocking or unblock. Select "Unblock".

For more information, open the Windows Start menu, go to Help and Support and search on "Firewall", or see these articles:

• Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
• Windows Vista Help: Understanding Windows Firewall settings
• The New Windows Firewall in Windows Vista and Windows Server "Longhorn"

ZoneAlarm

Some Internet service providers (ISPs) send out "heartbeat" messages to see if you are still using your connection. By default, ZoneAlarm blocks these messages, and you may get disconnected. For more information, press the "Help" button and search for heartbeat in the index. Some ISPs provide a specially configured version of ZoneAlarm that you can use, or else you can configure ZoneAlarm to allow these incoming messages.

ZoneAlarm behaves in other ways the user may not expect:

• Closing the ZoneAlarm window by clicking on the 'X' in the upper right does not stop the firewall; it just minimizes the window to the system tray. To shut it down (briefly!) for debugging, right click the icon in the tray and select "Shutdown ZoneAlarm".
• Uninstalling ZoneAlarm from Settings | Control Panel | "Add or Remove Programs" may not actually uninstall the firewall. The ZoneAlarm user interface (control center) may be uninstalled while leaving the actual firewall running.[20] To completely remove ZoneAlarm, run the uninstaller in the ZoneAlarm program folder.[21]

To configure ZoneAlarm to allow Firefox/Thunderbird/Mozilla Suite access to the Internet:

1. Open the ZoneAlarm control center
2. Select "Program Control" on the left
3. Select "Programs" on the top
4. Find the application's entry (e.g., Firefox) in that list and make sure there is a (green) check mark in the "Access Internet" column. Make sure the application version shown in the bottom of the window matches the version you are using.

If the previous instructions don't work, right click on the application's entry (e.g., "Firefox") and select "Remove". Do this for all entries for that application. The next time you start the application, ZoneAlarm should ask you whether you want to allow access.

ZoneAlarm may malfunction because of a corrupted data base. The steps to solve the problem are reported here. Also look here for additional information.

For more help with ZoneAlarm settings, see the Zone Labs support article, Getting Started with ZoneAlarm.

See also

• Error loading websites
• Object has been blocked
• Images or animations do not load - Security software
• Websites report cookies are disabled - Security software settings

External links

• Personal Firewall Reviews
• Internet Security & Utility Suites
• Firefox: When you cannot connect