Firewall issue with CGoban, KGS, Zonealarm

[JeetKuneGo]

Since updating to Java 7, I have been unable to log on to KGS.

CGoban works fine, but when attempting to log on to KGS, I get a message saying "can't connect to the server - the server may be down, please try again later"

I switched off my firewall (Zonealarm free firewall) to see whether this was a firewall issue, and it is, to some extent.

I had to set up an exception on windows firewall to allow the port (I think it's 2379). This solved the problem.

Obviously I am not going to wander round the internet with no firewall on, so this isn't a reasonable solution for me.

I suppose I need a new firewall, but would like to stick with what I have if possible...

Any input welcome.

[RobertJasiek]

1) Which operating system?

2) When you switched off your firewall for testing, did you revert your system to the state prior to doing so?

3) Yes, a [software] firewall is needed. Zonealarm? It is known to not protect well. If you use Windows, use its firewall!

4) Exception for Java / CGoban? It is indeed possible that you need some. Use your firewall's log to find out what you need.

5) Java 7 is known to have problems with CGoban. Both Java 6 and Java 7 are known to have - different - security issues. Java always has some. Therefore, simply using a firewall is insufficient precaution. If you use Windows, here are more ideas:
http://home.snafu.de/jasiek/windows_sec ... ncept.html
viewtopic.php?p=36505#p36505
Do not forget to deactivate Java in your browser and email client and check again after any program update for each user account.

[Phelan]

Since updating to Java 7, I have been unable to log on to KGS.

CGoban works fine, but when attempting to log on to KGS, I get a message saying "can't connect to the server - the server may be down, please try again later"

I switched off my firewall (Zonealarm free firewall) to see whether this was a firewall issue, and it is, to some extent.

I had to set up an exception on windows firewall to allow the port (I think it's 2379). This solved the problem.

Obviously I am not going to wander round the internet with no firewall on, so this isn't a reasonable solution for me.

I suppose I need a new firewall, but would like to stick with what I have if possible...

Any input welcome.

From http://senseis.xmp.net/?KGSIssueFirewall:

All you need is outbound traffic from your host to goserver.gokgs.com port 2379. The other ports are standard web server ports (if your firewall blocks them, then you're in trouble anyway).

Actually, port 80 *is* a problem: a browser will happily use a proxy, but CGoban doesn't have an option to.

[RobertJasiek]

Calling ports standard webserver ports misses the point. It depends on how strictly one's firewall rules are. If one has configured port 53 to communicate only with one's local provider's DNS server, then another port 53 rule can be necessary for KGS (and its site hosting the start screen ads). If one has allowed port 80 only for one's browser, email client and newsreader, then another rule can be necessary for KGS.

[JeetKuneGo]

Thank you for the replies guys. Sorry it took me a while to get back to you.
I did manage to resolve my problem by downloading a historic version of Java - 6.31 - which has avoided the issue.
Link is here: http://www.oracle.com/technetwork/java/ ... 01637.html
As far as I am aware, there is no other way to run CGoban other than with Java (Web Start) - is this correct?

Robert - I appreciate the help in the first post. If you wouldn't mind going through one or two of the points raised, that would be totes spiff. My answers in red:

1) Which operating system?
Windows 7

2) When you switched off your firewall for testing, did you revert your system to the state prior to doing so?
No. I simply closed the firewall program. This solved the problem

3) Yes, a [software] firewall is needed. Zonealarm? It is known to not protect well. If you use Windows, use its firewall!
I am disinclined to pay for a firewall, stupid as this may be. Do you have any reasons why Windows Firewall is preferable to ZA?

4) Exception for Java / CGoban? It is indeed possible that you need some. Use your firewall's log to find out what you need.
ZA is pretty lame, as you outlined above - can't create exceptions for specific ports or programs.

5) Java 7 is known to have problems with CGoban. Both Java 6 and Java 7 are known to have - different - security issues. Java always has some. Therefore, simply using a firewall is insufficient precaution. If you use Windows, here are more ideas:
http://home.snafu.de/jasiek/windows_sec ... ncept.html
Excellent - that's some homework for me!
viewtopic.php?p=36505#p36505
Too opaque for moi. But thanks
Do not forget to deactivate Java in your browser and email client and check again after any program update for each user account.
a) done b) don't use one at home - webmail only.
Thanks for the help

[Coyote]

Years ago when I worked at a cable internet support call center I spoke with a gentleman who couldn't connect to his vpn suddenly. He didn't have a firewall but he could contact everything but his vpn.

Turns out he had uninstalled Zone Alarm a week ago. Reinstalled Zone Alarm, completely disabled it, uninstalled. Now he can connect to his VPN. Since then I've always suggested people avoid ZA.

Windows Firewall is good enough. I've also been using the free windows AV, Windows Security Essentials for over a year now with good success.

[RobertJasiek]

2) When you switched off your firewall for testing, did you revert your system to the state prior to doing so?
No. I simply closed the firewall program. This solved the problem

But... you know that you are running a great risk?! Inbound firewall should always be active, even during tests. Therefore, the proper way was to revert your system together with applying a solution, i.e., activate the Windows firewall before again connecting to the internet.

Do you have any reasons why Windows Firewall is preferable to ZA?

Every security expert I have read during the last years has said a) the Windows Firewall is good and b) ZA is bad. (I have not bothered to collect citations for various evidence.)

[xed_over]

As far as I am aware, there is no other way to run CGoban other than with Java (Web Start) - is this correct?

No that's not correct. You can download and run the jar directly, but unless you already know how to run Java programs on the commandline, its probably easier to just stick with JWS

[RobertJasiek]

run the jar directly

But JRE must still be installed?

[quantumf]

run the jar directly

But JRE must still be installed?

Indeed

[quantumf]

Note also that your ADSL router (assuming you have one) will usually be running at least a NAT style firewall, which is a very effective first line of defense.

[JeetKuneGo]

Well, in the end the solution I went with was to go back to Java update 6.31, which worked fine, and inspired me to restrict Java's running in my web browser - which is positive in a way, as my browsing should be more secure, but still...

Not ideal, and I am looking in to which solution I should use with a new laptop, so thanks very much for the help, folks.

Toodles!