Fog Creek Software
Discussion Board




MS SQL / ZoneAlarm problem

I recently switched to cable internet access and set up a home network, complete with a router and a cable modem.  So, I installed a firewall - ZoneAlarm.

I've got VS 6 running with the MS SQL Server developer edition.  The problem is, when I attempt to connect to the server (loaded on the same PC) ZoneAlarm treats it like an attempted internet connection and blocks it.

Apparently, I need to create trusted zones in ZoneAlarm, supplying a single IP address, a range of IP addresses, or a subnet (requiring an IP and a subnet mask).

This is where my stupidity really shines.

I can figure out my IP address, but how do I determine my subnet mask? I've searched a bit on the net, and I'm guessing that it is 255.255.255.0, but I don't want to shoot from the hip given last week's worm debacle.

Also, why is this treated as an outside connection when both the client & server are on the same PC?

Networking-challenged
Friday, January 31, 2003

If you've got a router you probably don't need ZoneAlarm at all.  It should have a firewall built in.

T.S.
Friday, January 31, 2003

First, make sure that you have localhost 127.0.0.1 as a trusted zone. If that doesn't help, you could turn off ZoneAlarm, let the connection be made, and then run netstat to see if you can find what IP address is being called.

Have you tried setting local security to low?

Stephen Jones
Friday, January 31, 2003

Like the other guy said, you might check out your router.  Using a hardware firewall is much nicer.  I have a Linksys "cable router" and for a $60 piece of hardware, I'm really impressed.

I seem to recall that ZoneAlarm allows you to designate applications as trusted, not just IP addresses.  That would solve your problem, I bet.

Or you might look at Tiny Personal Firewall instead.  I never used it, but it had good reviews and looked sharp from the spec page.

Matt Conrad
Friday, January 31, 2003

>> If you've got a router you probably don't need ZoneAlarm at all.  It should have a firewall built in.

Yes, that's true.  But after I bought my router (a Linksys BEFSR41), I read on the Navas Cable Modem/DSL Tuning Guide ( http://cable-dsl.home.att.net/ ) that it doesn't provide full protection.

So, ironically, my plan was to run ZoneAlarm only while I was doing development and had IIS or SQL Server running.

Maybe it still isn't an issue with the router firewall, but I did say I was networking-challenged, right? You can add security-challenged to that as well. So I tend to be conservative in these matters.

Networking-challenged
Friday, January 31, 2003

Hmm, that is the same Linksys I have.

I didn't see the Linksys vulnerabilities on the Navas website.  Can you be more specific on what alarmed you?

Also, I skimmed over part of your original request.  You can get your subnet mask with either "ipconfig /all" or "winipcfg" from the command prompt (depending on OS).

Matt Conrad
Friday, January 31, 2003

I assume that you're using NAT and using one of the RFC1918  address ranges (192.168/16, etc).

If that's the case, then you can pretty much set the network mask to anything you want, it's your network, as long as you observe the network address lengths specified in RFC1918. E.g. if you're using 192.168/16 then you can use a netmask of 255.255.0.0 (but not 255.0.0.0). Most people just use 255.255.255.0 though (unless you're planning to have more than 256 computers in your house).

On the ZoneAlarm side of the issue, there is one thing that might be related. ZoneAlarm (at least, the non-enterprise versions) doesn't play well with servers running as Windows services (I assume you're using Windows). Basically, if a process is started up *before* ZoneAlarm starts up, then ZoneAlarm will block the process even if it is configured to allow access (and there is no way to set the services start up order).

So if you're starting SQL Server as a service, try disabling this and starting it by hand after ZoneAlarm has started. This may or may not be related to your problem (and does rule out ZoneAlarm for machines that are mainly intended as servers; Zonelabs sell other, much more expensive, products for servers).

Bill Tomlinson
Friday, January 31, 2003
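
An added example, not part of any post in this thread: a Python check of the netmask rule described in the post above, which works out the subnet a trusted-zone entry would cover and rejects a mask that reaches outside the RFC 1918 block. The addresses used are constructed samples, and `trusted_zone` and `same_zone` are hypothetical helper names.

```python
import ipaddress

# The three RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def trusted_zone(host_ip, netmask):
    """Return the subnet that an IP + subnet-mask trusted zone would cover.

    Raises ValueError if the mask is malformed, if the host address is not
    private, or if the resulting subnet extends beyond its RFC 1918 block
    (which would mean trusting public addresses).
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    block = next((b for b in RFC1918 if iface.ip in b), None)
    if block is None:
        raise ValueError(f"{host_ip} is not an RFC 1918 address")
    if not iface.network.subnet_of(block):
        raise ValueError(f"{iface.network} extends beyond {block}")
    return iface.network


def same_zone(host_ip, other_ip, netmask):
    """True if other_ip falls inside the trusted zone built from host_ip."""
    return ipaddress.ip_address(other_ip) in trusted_zone(host_ip, netmask)


if __name__ == "__main__":
    host = "192.168.1.100"  # constructed sample address of the PC
    for mask in ("255.255.255.0", "255.255.0.0", "255.0.0.0"):
        try:
            net = trusted_zone(host, mask)
            print(f"{mask:15} -> {net} ({net.num_addresses} addresses)")
        except ValueError as exc:
            print(f"{mask:15} -> rejected: {exc}")
    # A constructed router address on the same LAN is inside the zone.
    print(same_zone(host, "192.168.1.1", "255.255.255.0"))
    # Loopback is not part of the LAN subnet, so it needs its own entry.
    print(same_zone(host, "127.0.0.1", "255.255.255.0"))
```

The last line shows why 127.0.0.1 has to be added as a separate trusted zone: a LAN subnet entry does not cover it.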


And also, I think that it's a good idea to still run ZoneAlarm (or similar product) on workstations even if you've got a firewall.

The reason is that ZoneAlarm works on an application basis and will protect you against trojans. E.g. "hmm, why is the application superhaX0r.exe trying to send a message on port 80?" I don't think that a separate firewall will protect against these sorts of things (because the firewall program doesn't know what executable is trying to communicate).

Bill Tomlinson
Friday, January 31, 2003

Don't bother with all the troubleshooting. Connecting to SQL Server is done through a port. In other words, the administrative tools etc. always treat SQL Server as if it is running on a remote server. You could set SQL Server as a trusted application but I would STRONGLY recommend against it, as last weekend's internet slowdown was the result of a SQL Server worm. In the end you just have to live with it, trust your router, or set up a cheap little Linux box as a further firewall.

Geoff in Vancouver BC
Friday, January 31, 2003

Thanks for the help, everyone.  Subnet mask 255.255.255.0 did the trick.

Matt, re:

>>
Hmm, that is the same Linksys I have.

I didn't see the Linksys vulnerabilities on the Navas website.  Can you be more specific on what alarmed you?
>>

Nothing alarmed me, per se.  The Linksys was just not on Navas' short list of recommended routers. The main things it lacks are stateful packet inspection and independent certification. I would guess this doesn't mean the Linksys products are all that bad, but there may be security loopholes.

Networking-challenged
Saturday, February 01, 2003

As somebody else pointed out, SQL is listening.  In Enterprise mgr, you can disable listening on 1433 & 1432, and just connect through RPC or somesuch.

Crusty Admin
Saturday, February 01, 2003
