How can router log messages get to a monitor program like Wallwatcher without needing to put the router IP into the software firewall's "trusted zone" which I would think would have the effect of disabling the software firewall? I have a Linksys BEFSX41 and free Zonealarm.
Good question. The answer is that the log records will be identified with the router's LAN IP address (probably 192.168.1.1). By contrast, packets arriving from the Internet will be identified with the remote IP addresses from which they originated. Although they pass through the router, they don't originate within the router, and packet header information distinguishes them from each other as well as from log records.
All of those addresses are in the packet headers, and are passed along to your computer, along with the information in their packets.
If a malicious remote site "spoofs" (falsifies) the address in the header so that it appears to be "192.168.1.1", the router's defences catch that, drop the packet, and create a log entry to report the blocked intrusion attempt. So, if the router's working properly (and it is), all packets that reach your computer claiming to have originated at "192.168.1.1" really did originate there.
When the software firewall on your LAN computer examines the packets, it looks at several things in their headers, including the originating addresses. If you placed "192.168.1.1" in the Trusted Zone, the firewall will allow those packets to pass. If a packet has an IP address that is not in the Trusted Zone, the packet will be blocked unless other information in its headers shows that it's a reply to a previous request made by an application on your computer (such as your browser or email program).
A logging program such as WallWatcher does not request log records from a router, it just passively waits for them to arrive. That means those log records are not replies, and that's why the router's LAN address has to be placed in the Trusted Zone: otherwise, the software firewall will block them. (There are other ways to give permission, but the "zone" analogy is appropriate for ZoneAlarm.) The first time WallWatcher runs and a log record arrives at your computer, ZoneAlarm will ask you whether WW should be allowed to receive that unsolicited log record. Unless you say "allow", WW will never be able to log anything.
Telling ZoneAlarm to always allow that kind of event does not grant WallWatcher other Internet privileges; all you've authorized is to let WW receive those log records from the router's LAN IP address.
Now, if you've asked WallWatcher to "Convert IP addresses to names" (on its LOGGING menu), WW will have to ask your ISP's DNS server to do the actual lookup, and will have to receive a reply to that request. In that situation, WW is originating Internet traffic, and ZoneAlarm will ask you a second question: should this application be allowed to send things out to the Internet?
If you want to use the "Convert" option, the answer should be "always allow", but you can restrict what ZoneAlarm will allow WW to do: WW only needs to use port 53 to do DNS lookups, and only has to communicate with your ISP's DNS servers. It doesn't need permission to communicate with any other remote address, nor to use any other ports. By placing such limits, you can be sure WW will not be able to perform communications you don't think it should be allowed to make, and you will be able to use ZoneAlarm's own event logs to verify that WW isn't trying to make other contacts.
(There's a possible exception to that last limit: if you want to use WW's "Check for updates" option on the HELP menu, you'll have to tell your software firewall to let WW communicate with its website and retrieve a small file that contains the current version information. If you don't want to allow that, you can just browse to the website occasionally and see what's current.)
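As an added illustration (not from the original thread, nor code from WallWatcher or ZoneAlarm), here is a toy Python model of the decisions the answer above describes: a Trusted Zone list, reply tracking for requests an application made itself, and a per-application rule that limits WallWatcher to UDP port 53 toward the ISP's resolvers. The router's LAN address comes from the answer; the resolver addresses, the Internet hosts and the UDP port the log listener uses are assumed sample values.

```python
from collections import namedtuple

# Constructed sample values: router LAN address from the answer, assumed ISP resolvers
# (documentation range), and an assumed UDP port that the log listener waits on.
LAN_ROUTER = "192.168.1.1"
ISP_DNS = {"192.0.2.53", "192.0.2.54"}
LOG_PORT = 514

Packet = namedtuple("Packet", "direction app remote_ip remote_port proto")

class HostFirewall:
    def __init__(self, trusted, app_rules):
        self.trusted = set(trusted)      # addresses in the Trusted Zone
        self.app_rules = app_rules       # app name -> predicate over outbound packets
        self.flows = set()               # outbound requests whose replies may return
        self.events = []                 # the firewall's own event log

    def _log(self, verdict, pkt, why):
        self.events.append((verdict, pkt.app, pkt.remote_ip, pkt.remote_port, why))
        return verdict

    def decide(self, pkt):
        key = (pkt.app, pkt.proto, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            rule = self.app_rules.get(pkt.app)
            if rule is None or not rule(pkt):
                return self._log("block", pkt, "app may not contact this address/port")
            self.flows.add(key)          # remember it so the reply is recognised
            return self._log("allow", pkt, "outbound permitted by app rule")
        if key in self.flows:
            return self._log("allow", pkt, "reply to an earlier request")
        if pkt.remote_ip in self.trusted:
            return self._log("allow", pkt, "source is in the Trusted Zone")
        return self._log("block", pkt, "unsolicited inbound packet")

def run_scenario():
    fw = HostFirewall([LAN_ROUTER], {
        "browser": lambda p: p.proto == "tcp" and p.remote_port in (80, 443),
        # WallWatcher limited as the answer recommends: UDP/53 to the ISP resolvers only
        "wallwatcher": lambda p: (p.proto, p.remote_port) == ("udp", 53) and p.remote_ip in ISP_DNS,
    })
    return [fw.decide(p) for p in (
        Packet("in", "wallwatcher", LAN_ROUTER, LOG_PORT, "udp"),    # router log record
        Packet("in", "wallwatcher", "203.0.113.9", LOG_PORT, "udp"), # Internet host: unsolicited
        Packet("out", "browser", "198.51.100.7", 80, "tcp"),         # browser request
        Packet("in", "browser", "198.51.100.7", 80, "tcp"),          # its reply
        Packet("out", "wallwatcher", "192.0.2.53", 53, "udp"),       # "Convert IP addresses to names"
        Packet("in", "wallwatcher", "192.0.2.53", 53, "udp"),        # the DNS answer
        Packet("out", "wallwatcher", "198.51.100.7", 80, "tcp"),     # anything else WW tries
    )], fw.events
```

The returned event list plays the part of ZoneAlarm's own event log, which the answer suggests checking to confirm WW makes no other contacts.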
Thanks Dan. I should have prefixed my question with "Here is a dumb newbie question..." since I don't yet know what I'm doing and I didn't realize that the router address couldn't be spoofed. Also I don't really want much "trust" in my local network. I now see that you have quite a bit of readable help in the WW help files so I will read that today. Thanks for the lengthy answer.
So now ZoneAlarm is malware? Yes I am dumb about routers -- I've owned one and worked with one for exactly one day. Is it impossible to spoof a local IP? What purpose does a software firewall serve behind a hardware firewall? I thought it would still block the ports externally but I have to make the local zone trusted so the ports aren't blocked externally.
None, it's trivial if you just got a little clue about NAT. But if you really need a network sniffer, then try Ethereal.
Anyway, didn't you get the point? Without a big and deep comprehensive understanding of TCP/IP you cannot achieve any security through host-based packet filters or firewalls, no matter what certain colorful click-here wizards want to tell you.