[RESOLVED] ZoneAlarm, Noscript, and blocking dangerous sites
I am a Zonealarm Extreme V 10.1.079.000 user who has had endless problems trying to get the Web Security functionality and in particular "Site Checking" to work. The icon is always greyed out. This functionality is provided by the "Zonealarm Security Community toolbar" which ZA got Conduit.com to develop.
The "Site check" icon is Javascript.
What happens as Firefox starts up and loads the addons / toolbars is that the ZA Community toolbar makes a call to "conduit.com". Noscript intercepts / blocks this and places it in the "Recently Blocked sites" list. As my home page loads this list is cleared and I have no indication that conduit.com was blocked. End result: no site checking.
The solution was to add "conduit.com" to the allowed list, which I am not really happy about. I would be happier with "zonealarm.conduit.com", but that does not exist. Unfortunately ZA Support Chat operators have no direct feedback mechanism to report this to ZA, Conduit or NoScript developers.
I provide this as feedback to the developers involved.
Andre
Firefox 10.0.2
Win XP Sp3
ZoneAlarm Extreme Security version: 10.1.079.000
ZoneAlarm license key: xxxxxxx
vsmon version: 10.1.079.000
Driver version: 10.1.079.000
Anti-virus engine version: 8.1.8.79
Anti-virus signature DAT file version: 1079468416
AntiSpam version: 6.3.1.4971
ZoneAlarm Browser Security: 1.5.359.0
ZoneAlarm ForceField Spyware Scanner: 1.5.53.235
ZoneAlarm ForceField Anti-Phishing Database: 1.2.104.0
ZoneAlarm ForceField Spyware Sites Database: 04.155
Last edited by Tom T. on Sun Mar 04, 2012 3:03 am, edited 2 times in total.
Reason: mark as resolved, including the larger-scale discussion of site-blocking by hosts file
Re: ZoneAlarm / Noscript issue
AndreH wrote: What happens as Firefox starts up and loads the addons / toolbars is that the ZA Community toolbar makes a call to "conduit.com".
conduit.com wrote: With a Conduit-powered Community Toolbar, your site will never be out of sight. It's the brilliantly simple solution that 260,000 publishers use to engage users on their browsers. And it's more necessary than ever, as the web pulls your users everywhere but your site. The Community Toolbar keeps your users fully engaged with the best of your content wherever they may be surfing. A constant connection that means you're top of mind and top of screen.
I still use ZoneAlarm Home Free version, precisely because it doesn't have this kind of sell-out junk. (IMHO. YMMV.)
Firefox offers site-checking, under Tools > Options > Security > "Block reported attack sites" and "Block reported web forgeries". But you're still allowing a third party to see, and track, every site you visit.
See the new feature at the bottom of FAQ: "What Is A Trusted Site?", in which NoScript will help you check anything in the menu against several site-rating services, and without a constant connection to --- anyone.
AndreH wrote: Noscript intercepts / blocks this
Thank you, NoScript!
AndreH wrote: The solution was to add "conduit.com" to the allowed list which I am not really happy about. I would be happier with "zonealarm.conduit.com", that does not exist. Unfortunately ZA Support Chat operators have no direct feedback mechanism to report this to ZA, ..."
Doesn't ZA, or their parent company, still have a user forum, similar to ours?
In any event, from the above snippet taken from conduit.com, you'll always have a background connection running to conduit. And I don't think that they'll let that be restricted, since they're trying to make money from the data so gathered.
AndreH wrote: I provide this as feedback to the developers involved.
And I have provided my own personal opinion, based on more than a decade of using ZA, years of using NoScript, and three years of doing support for it.
I hope you find it of some value. Others may have different opinions, of course.
If you get a reply at the ZA forum, it would be of interest to post here.
Cheers.
Re: ZoneAlarm / Noscript issue
Unfortunately the ZoneAlarm forum is very heavily moderated, so if you ask difficult questions they never appear on the forum. This makes it very difficult to provide feedback about "conduit.com" tracking and to get other users involved. The ZA forum is for basic hand holding and not for product development. I will try ZA Support Chat again.
Andre
Tom T. wrote: But you're still allowing a third party to see, and track, every site you visit.
Point taken.
Andre
Re: ZoneAlarm / Noscript issue
AndreH wrote: Unfortunately the ZoneAlarm forum is very heavily moderated, so if you ask difficult questions they never appear on the forum.
Our forum is "very heavily moderated", in terms of spam (zero tolerance; immediate banning), hate speech, etc. But I don't think we shy away from difficult questions. That is the best way to improve the product. It's unfortunate that ZA doesn't see it that way.
Tom T. wrote: But you're still allowing a third party to see, and track, every site you visit.
AndreH wrote: Point taken.
May I suggest -- just for your consideration -- a method of site vetting that does *not* involve contacting any remote party, at least in real time?
The Windows HOSTS file can be used to block any attempt to connect to a given named site. A number of providers offer this service for free.
I have used http://www.mvps.org/winhelp2002/hosts.htm for many years, and been satisfied. It currently lists more than 16,000 reported (and presumably, verified) sites ranging from mere annoyance, to privacy invasion, to actual malware. Updated about once a month, with contributions from the community.
You save time and bandwidth, because if, for example, I type www dot doubleclick.net in the browser bar, Windows by default looks in the local HOSTS file before bothering to do a DNS lookup through your ISP or whomever you have configured as your DNS provider. When it finds a match -- which points to a non-existent numerical IP address -- I immediately get a "can't connect" message, and the request never even had to leave the machine.
Some things to consider:
1) Not everyone agrees with the use of Hosts file in this manner, although I've never seen an objection that would apply to the average home user, especially with the below changes.
2) Most of these providers redirect the forbidden destinations to 127.0.0.1, the "localhost" or "loopback address" of the machine itself.
Please see http://hackademix.net/2009/07/01/abe-wa ... where-omg/, in which Giorgio Maone advises that it is preferable to change the redirect destination to 255.255.255.0, or perhaps 0.0.0.0.
The fastest way to do this is to open the Hosts file with Wordpad. In XP, it should be in C:\WINDOWS\system32\drivers\etc
Or just do a Search for hosts, with Advanced options "Search hidden", "Search subdirectories", and "Search system files"
Once open, do a Find-Replace.
Find 127.0.0.1, Replace with 0.0.0.0 (or the other). This takes about 15 seconds.
When done,
Go back to the very first entry, which must *always* be localhost, and correct it back to its default:
    127.0.0.1 localhost
3) You may edit other entries, deleting any that you don't want blocked, or adding ones that you'd like blocked.
For example, I add
    0.0.0.0 www.yahoo.com
Remember that all such additions must be *below* the localhost entry.
Again, just a personal thought. IMHO. YMMV. But you do not need to *connect* to the provider to vet the sites for you. The list is stored locally, and you visit the site only for the updates. They have no way of knowing anything about your browsing habits.
Cheers -
Tom
Re: ZoneAlarm / Noscript issue
I would only elaborate on one caveat to what @Tom has elegantly explained in detail: in 99%+ of the cases, the host file is set to read-only. So when you open and modify it, it will not allow you to save it back to itself. I would recommend before making changes to it that you [Right-Click|Properties|Uncheck Read-Only|Apply or Ok], THEN make your changes, and repeat the given process to re-protect its read-only status.
Also, although the system is SUPPOSED to check the host file each time, there are many circumstances, albeit not often for regular users, in which the host file is skipped, so don't put ALL your eggs in one basket; offset this protection with another layer if you can, such as using a super fast, backbone-linked DNS server that is often pretty immune to injection to resolve things for you. I would recommend using DNS Nameserver Spoofability Test to evaluate your existing servers, probably assigned to you by your ISP, usually a bad idea. And further benchmark and check your options using Domain Name Speed Benchmark to find a better DNS server that resolves faster in your area and is more secure, and manually override your ISP assigned servers with those to diversify your protection.
Another heads up that I would like to put out there for the sake of being thorough: if the host file gets UNUSUALLY large, you can suffer great performance degradation, especially if you are using 127.0.0.0 as alluded to by Tom, will get to that later, keep that in mind. Also something people don't realize: the slower your DNS server, the slower your connection, no matter how much "bandwidth" you've got, so another thing to consider when picking a DNS server. Benchmarks have shown between 0-500 entries in the host file it's negligible, above that up to 3000 is fairly noticeable, but not earth shatteringly so, and anything beyond that and you will see a distinct pause in request/response simply because the more entries you've got, the longer it will take for the system to "check" against it.
Now picking a loopback address, aka such as 127.0.0.0 which is considered your localhost address, is very important also. If you have a local web server, whether you realize it or not, intentionally or not, with the WWW service active, you will be ACTUALLY processing those requests, although it will probably fail, and that will not only slow down your machine but also cause huge delays. Using other loopback addresses such as 0.0.0.0 normally would not be an issue but in networking it's known as an ultimate or failsafe route, which means it will send everything to your router, not always a good thing depending on your configuration. Using broadcast addresses like 255.255.255.0, which also happens to be the subnet mask in most cases, normally works fine too but keep in mind that also gets processed by the router. If your router is being flooded with too many requests, given the architecture of networking that requires each TCP request be given an ACK (acknowledgement response), you will be killing your router's performance. In fact it is a given fact that 25-33% of all your bandwidth is consumed with ACK traffic, simply acknowledgements, such as I got the packet, I sent the packet, I got the packet, I sent the packet, you get the idea. So if you flood your router with unnecessary broadcast traffic and require it to have to acknowledge them and then drop them, it will affect your network noticeably. If you were to designate, say, a fixed private IP that is not actually used by anything, then you have created a dead zone drop; that would be preferred, sort of a where-packets-go-to-die scenario.
Say you have the typical 192.168.1.0 with subnet of 255.255.255.0 (aka CIDR /24) giving you 256 addresses, two being unusable as the .0 is your network address and the last one .255 is your broadcast IP; the middle is the range you can ACTUALLY use. Keep in mind that as with arrays in programming, networking uses 0 as the first number, so 0-255 actually = 256 as if it was 1-256, just in case of any confusion there. Most people just enable DHCP and get their IP from it and move on, some of us will hard code IPs for management purposes; whatever the case, just assign an IP in the range that you know you will never use or reach, meaning there will never be a device with that IP assigned, and use that. It will put a smaller load on your router, especially if in the NAT table you assign it as a dead IP and all packets will just go and die, no ACK required. Just a little extra, if you are technically inclined to mess with it. If not, then just use the suggestions given by Tom and you'll hopefully be no worse for the wear. Good luck.
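Both the Wordpad procedure Tom gives above (replace the sink address, restore the localhost line, add new blocks below it) and the read-only caveat in this post are easy to get wrong by hand, so here is an added worked example that does the same job as a script. It is not code from the thread, from MVPS, from ZoneAlarm or from NoScript. The hosts content is a constructed sample; the file path, the sink address, and the names to add or remove are parameters you supply.

```python
"""Rewrite a blocking HOSTS file: change the sink address but keep localhost intact.
Added example for this thread; not code from the thread, MVPS, ZoneAlarm or NoScript."""
import ipaddress
import os
import stat

# Mappings that must keep pointing at the real loopback; never rewritten or removed.
LOOPBACK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample in the style of a blocking HOSTS file (not real MVPS data).
SAMPLE_HOSTS = """# blocking hosts file, sample
127.0.0.1 localhost
::1 localhost
127.0.0.1 ad.example # ad network
127.0.0.1 tracker.example
"""

def parse_hosts(text):
    """One (ip, [names], comment) tuple per line; blank/comment lines get ip=None."""
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            entries.append((None, [], raw))
        else:
            entries.append((fields[0], fields[1:], "#" + comment if comment else ""))
    return entries

def render_hosts(entries):
    lines = [comment if ip is None else " ".join([ip] + names + ([comment] if comment else []))
             for ip, names, comment in entries]
    return "\n".join(lines) + "\n"

def is_loopback_line(ip, names):
    return any((ip, n) in LOOPBACK for n in names)

def retarget(entries, old_sink, new_sink):
    """Tom's Find/Replace, except the localhost lines are skipped instead of repaired."""
    return [(new_sink if ip == old_sink and not is_loopback_line(ip, names) else ip, names, c)
            for ip, names, c in entries]

def block_hosts(entries, hostnames, sink):
    """Append new blocking entries at the end, i.e. below the localhost lines."""
    known = {n for ip, names, _ in entries if ip for n in names}
    out = list(entries)
    for h in hostnames:
        if h not in known:
            out.append((sink, [h], ""))
            known.add(h)
    return out

def unblock_hosts(entries, hostnames):
    """Remove hostnames from blocking lines; loopback lines are never touched."""
    drop, out = set(hostnames), []
    for ip, names, c in entries:
        if ip and not is_loopback_line(ip, names):
            names = [n for n in names if n not in drop]
            if not names:
                continue
        out.append((ip, names, c))
    return out

def check_hosts(entries):
    """Flag what matters: localhost remapped (the Find/Replace accident), one name with
    two addresses, or a 'block' that is really a redirect to a routable host (a hijack)."""
    problems, seen = [], {}
    for ip, names, _ in entries:
        if ip is None:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append("unparseable address %r" % ip)
            continue
        for n in names:
            if n == "localhost":
                if not addr.is_loopback:
                    problems.append("localhost remapped to %s" % ip)
                continue
            if addr.is_global:
                problems.append("%s redirected to routable %s" % (n, ip))
            if seen.setdefault(n, ip) != ip:
                problems.append("%s mapped to both %s and %s" % (n, seen[n], ip))
    return problems

def rewrite(text, old_sink="127.0.0.1", new_sink="0.0.0.0", add=(), remove=()):
    """Full pipeline on the file's text; returns (new_text, problems)."""
    entries = block_hosts(unblock_hosts(retarget(parse_hosts(text), old_sink, new_sink),
                                        remove), add, new_sink)
    return render_hosts(entries), check_hosts(entries)

def write_hosts(path, text):
    """Clear the read-only attribute first (the caveat above), then replace the file
    atomically so an interrupted write cannot leave a truncated HOSTS file behind."""
    if os.path.exists(path) and not os.access(path, os.W_OK):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # on Windows this clears Read-only
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)
```

Typical use is `new_text, problems = rewrite(open(path).read(), add=["www.yahoo.com"])`, then `write_hosts(path, new_text)` only if `problems` is empty. The `check_hosts` step is the part worth keeping even if you edit by hand: a blanket Find/Replace of 127.0.0.1 silently remaps localhost, and a "blocking" list whose entries point at a routable address is not a block at all but a redirect to whoever holds that address.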
Re: ZoneAlarm / Noscript issue
GµårÐïåñ wrote: I would only elaborate on one caveat to what @Tom has elegantly explained in detail: in 99%+ of the cases, the host file is set to read-only. So when you open and modify it, it will not allow you to save it back to itself. I would recommend before making changes to it that you [Right-Click|Properties|Uncheck Read-Only|Apply or Ok], THEN make your changes, and repeat the given process to re-protect its read-only status.
I don't remember ever having to do that, through three machines, two different OS's, and many updates of the Hosts file. If I ever did, the change must be sticky even though the new file is swapped, not overwritten, for the old one. Some firewalls and AV offer to lock your Hosts file for you.
GµårÐïåñ wrote: Also, although the system is SUPPOSED to check the host file each time, there are many circumstances, albeit not often for regular users, in which the host file is skipped,
Could you please give some examples?
GµårÐïåñ wrote: so don't put ALL your eggs in one basket; offset this protection with another layer if you can, such as using a super fast, backbone-linked DNS server that is often pretty immune to injection to resolve things for you. I would recommend using DNS Nameserver Spoofability Test to evaluate your existing servers, probably assigned to you by your ISP, usually a bad idea. And further benchmark and check your options using Domain Name Speed Benchmark to find a better DNS server that resolves faster in your area and is more secure, and manually override your ISP assigned servers with those to diversify your protection.
O/T to the issue of vetting for evil sites, unless you know of a safe, reliable, free DNS that does similar vetting, in which case, of course please tell us.
But in general, Gibson's testing is great. I'm one of the lucky ones - my ISP ranks high in spoof-prevention and speed.
GµårÐïåñ wrote: Another heads up that I would like to put out there for the sake of being thorough: if the host file gets UNUSUALLY large, you can suffer great performance degradation, .... above that up to 3000 is fairly noticeable, but not earth shatteringly so, and anything beyond that and you will see a distinct pause in request/response simply because the more entries you've got, the longer it will take for the system to "check" against it.
Never noticed the difference with 16,000 host entries versus the default file, given the issues of ISP congestion, destination server congestion, and general Internet congestion. And more than offset by *not* having to send queries for the ad agencies, data-miners, etc. that are blocked in Hosts, and hence require no remote DNS lookup.
GµårÐïåñ wrote: Now picking a loopback address, aka such as 127.0.0.0 which is considered your localhost address, is very important also. If you have a local web server, whether you realize it or not, intentionally or not, with the WWW service active, you will be ACTUALLY processing those requests, although it will probably fail, and that will not only slow down your machine but also cause huge delays. Using other loopback addresses such as 0.0.0.0 normally would not be an issue but in networking it's known as an ultimate or failsafe route, which means it will send everything to your router,...
Not sure I'm following you. We're not changing the default loopback address; we're just mapping evil sites to a non-existent address.
Please keep in mind that we're talking about average home users here, not someone like yourself who is running a business and a web server.
These lookups only happen each time you visit another site, so even if they make it to the router, it doesn't seem like that's "flooding" the router.
GµårÐïåñ wrote: Say you have the typical 192.168.1.0 with subnet of 255.255.255.0 (aka CIDR /24) giving you 256 addresses, two being unusable as the .0 is your network address and the last one .255 is your broadcast IP; the middle is the range you can ACTUALLY use. Keep in mind that as with arrays in programming, networking uses 0 as the first number, so 0-255 actually = 256 as if it was 1-256, just in case of any confusion there. Most people just enable DHCP and get their IP from it and move on, some of us will hard code IPs for management purposes; whatever the case, just assign an IP in the range that you know you will never use or reach, meaning there will never be a device with that IP assigned, and use that. It will put a smaller load on your router, especially if in the NAT table you assign it as a dead IP and all packets will just go and die, no ACK required. Just a little extra, if you are technically inclined to mess with it. If not, then just use the suggestions given by Tom and you'll hopefully be no worse for the wear. Good luck.
Still not following. Yes, most people get their IP from their ISP, but what has that to do with mapping evil sites to a *non-existent* IP address? -- which your ISP can't possibly assign to you?
Would you suggest mapping the forbidden sites to, say, 192.168.255.255, which matches the router on the first two, but is non-existent on the last two? What would the effect be?
I can speak only from my own experience, but i see no "increased wear". Thanks as always for your input.
Re: ZoneAlarm / Noscript issue
GµårÐïåñ wrote: Now picking a loopback address, aka such as 127.0.0.0 which is considered your localhost address, is very important also.
You surely meant 127.0.0.1.
GµårÐïåñ wrote: Using other loopback addresses such as 0.0.0.0 normally would not be an issue but in networking it's known as an ultimate or failsafe route,
0.0.0.0 is not a loopback address, it's the wildcard or "any" address. I was under the assumption that it makes no sense as a destination address. First time I hear that "it's known as an ultimate or failsafe route".
GµårÐïåñ wrote: Using broadcast addresses like 255.255.255.0, which also happens to be the subnet mask in most cases
That's not a valid broadcast address but just a subnet mask, and subnet masks are quite different from broadcast addresses.
Tom T. wrote: Could you please give some examples?
I heard of certain Microsoft applications doing that under Windows (the connection checker, WU?).
Tom T. wrote: Never noticed the difference with 16,000 host entries versus the default file
Depends on how the storage/lookup is implemented. If it's implemented well, then it should scale well enough.
Re: ZoneAlarm / Noscript issue
Tom T. wrote: Could you please give some examples?
dhouwn wrote: I heard of certain Microsoft applications doing that under Windows (the connection checker, WU?).
It wouldn't be surprising that the OS itself doesn't want its update site mapped anywhere else, either deliberately, accidentally, or maliciously.
Tom T. wrote: Never noticed the difference with 16,000 host entries versus the default file
dhouwn wrote: Depends on how the storage/lookup is implemented. If it's implemented well, then it should scale well enough.
It's a simple text file of the Notepad.txt type, about 600 K. It's one of those uncommon files that has no extension, but by default (2-click), it opens with Notepad. Very little overhead in .txt.
I just benchmarked ping to www.example.com, with the 16,000-entry Hosts and with the default, single-entry Hosts (nothing but the loopback listing).
Either way, times consistently averaged 38-39 ms. So there is no discernible overhead, unless you want to go to millionths of a second.
Re: ZoneAlarm / Noscript issue
Tom wrote: I have used http://www.mvps.org/winhelp2002/hosts.htm for many years, and been satisfied.
I have been using the SpyBot Hosts file; will check out MVPS and the suggestion of using 255.255.255.0 as the redirect.
GµårÐïåñ wrote: I would recommend using DNS Nameserver Spoofability Test to evaluate your existing servers, probably assigned to you by your ISP, usually a bad idea.
I will try this test against my current DNS supplier "OpenDns.com" vs my ISP. Any comments on OpenDNS?
Current layers of protection:
Hosts file
OpenDNS (with all its filtering options) will do some testing with GRC
ZoneAlarm Site checking with questionable links to conduit.com
Thanks for the in depth discussion. A bit of work to do.
Re: ZoneAlarm / Noscript issue
AndreH wrote: I have been using the SpyBot Hosts file; will check out MVPS and the suggestion of using 255.255.255.0 as the redirect.
I used to use Spyware Blaster, until I realized that it was just a pretty GUI for a Hosts file of this type. Nothing wrong with that, of course. If SpyBot Hosts is more comprehensive or more frequently updated, then very good. If it doesn't equal MVPS, then there's a reason to switch. As noted, there are a number of providers of blocking Hosts files. I was happy with the first one I discovered, but if you shop around and have comments on the others, do feel free to post them here.
AndreH wrote: Any comments on OpenDNS?
I have never looked into it, since as said, my ISP passed the tests very well.
AndreH wrote: Thanks for the in depth discussion. A bit of work to do.
You're very welcome.
Would you object to my editing the title of this topic to "ZoneAlarm / Noscript -- Blocking dangerous sites", because it has in fact gotten to that level, far beyond the original topic? ... and would then be of interest to more users, who don't use ZA and therefore think the thread would not be of interest to them. Or edit it yourself, if you agree.
Otherwise, I should probably split off the discussion once we got past the conduit.com issue, and move it to Forum Extras > Security, because it's no longer a NoScript question.
Re: ZoneAlarm / Noscript issue
dhouwn wrote: Depends on how the storage/lookup is implemented. If it's implemented well, then it should scale well enough.
Tom T. wrote: It's a simple text file of the Notepad.txt type, about 600 K. It's one of those uncommon files that has no extension, but by default (2-click), it opens with Notepad. Very little overhead in .txt.
With storage I meant the storage in memory, not on the disk. The file is read once, its values stored in an appropriate data structure, and whenever an application does a name resolution (using the OS APIs) a lookup on the data in memory is done.
Tom T. wrote: I just benchmarked ping to www.example.com, with the 16,000-entry Hosts and with the default, single-entry Hosts (nothing but the loopback listing).
Either way, times consistently averaged 38-39 ms. So there is no discernible overhead, unless you want to go to millionths of a second.
The ping application just does the name resolution once and does not include it in the delay value it displays to you (because that's not part of what it's supposed to measure). You would have to measure the time for the API calls for name resolution; maybe you could also use nslookup and a stopwatch for that.
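The measurement dhouwn describes, as an added example that is not code from the thread: it times the OS resolver call itself (getaddrinfo) over many rounds and reports the median, instead of reading ping's round-trip figure, which is taken after the name has already been resolved. The names and round count are the only inputs; the script contacts nothing unless you pass it a remote name.

```python
"""Time the OS name-resolution API, which is what a large HOSTS file can slow.
Added example for this thread, not code from the thread. ping resolves the name once
and then reports only packet round trips, so it cannot show HOSTS overhead."""
import socket
import statistics
import time


def time_resolution(name, rounds=50):
    """Median seconds per getaddrinfo() call for `name`, or None if the name does
    not resolve at all (a name mapped to a sink such as 0.0.0.0 still resolves).

    Only HOSTS-served names (localhost, anything on the blocklist) stay on the
    machine; a remote name also pays the DNS round trip, so compare HOSTS-served
    names with each other, not against remote ones. On Windows the DNS Client
    service caches answers, so stop it if you want every round to be a cold lookup."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        try:
            socket.getaddrinfo(name, None, socket.AF_INET)
        except socket.gaierror:
            return None
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def compare(names, rounds=50):
    """Median microseconds per lookup for each name; None where resolution failed."""
    result = {}
    for n in names:
        t = time_resolution(n, rounds)
        result[n] = None if t is None else round(t * 1e6, 1)
    return result


if __name__ == "__main__":
    # localhost is served from HOSTS on every platform, so it is the baseline.
    # Add a name from your own blocklist (one mapped to 0.0.0.0) to see what a
    # lookup costs with a 16,000-entry file versus the default file.
    for name, micros in compare(["localhost"]).items():
        print("%-30s %8s us" % (name, micros))
```

Run it once with the large HOSTS file and once with the default single-entry file, using the same blocked name both times; the difference between the two medians is the per-lookup cost the ping comparison above could not see.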
Re: ZoneAlarm / Noscript issue
Yes, I meant 127.0.0.1; the last zero was a typo. And yes, 127.0.0.1 IS indeed a loopback address referring to the system itself whether you have the default localhost association to it or not.
The vetting process was intended for the user, but yes, some BACKBONE (or major node) DNS providers are pretty spoof proof, and since they only handle the major IP ranges for each block, they tend to be vetted by proxy and by the practice of implementing resolution; the issue tends to be with the lower level DNS servers that use propagation to "learn" the resolutions and don't actually "maintain" them.
0.0.0.0 is not a loopback but is known as the absolute network address of the routing device; therefore it is the ultimate route and considered the default route, meaning if all else fails, send it to the router and have it find a way out. You can look it up if you have never heard of it; may I suggest Juniper/Cisco level network training.
255.255.255.0, as I already stated, is the /24 subnet mask, but also part of the reserved broadcast IPs owned by the national IP networking institute research division. Feel free to read up on it: Network Name: SPECIAL-IPV4-FUTURE-USE-IANA-RESERVED, Owner Name: Internet Assigned Numbers Authority, From IP: 240.0.0.0 To IP: 255.255.255.255. If you don't know something and don't want to take someone's word for it, google it.
As for the lack of understanding as to what 0.0.0.0 does, take a look at any router's static route table and you'll see something like this; if you don't get what it means, again, google it.
formatting looks good in reply but looks like crap in end-result, this is as good as it will get, I am not going to waste more time on it, you get the idea.

    Subnet IP     Subnet Mask      Gateway      Interface
    127.0.0.1     255.255.255.255  127.0.0.1    lo0      (loopback address)
    192.168.x.x   255.255.255.255  192.168.x.x  bridge0  (this is the address of your router)
    69.x.16.x     255.255.255.255  69.x.16.x    ppp0     (ISP assigned IP address)
    69.x.31.x     255.255.255.255  69.x.16.x    ppp0     (ISP assigned)
    69.x.16.x     255.255.255.255  69.x.16.x    bridge0  (ISP assigned - external IP bridge)
    192.168.1.0   255.255.255.0    192.168.1.x  bridge0  (private range of your network - 0 means network address)
    127.0.0.0     255.0.0.0        127.0.0.1    lo0      (oh heavens, another loopback with a wider IANA broadcast mask)
    0.0.0.0       0.0.0.0          69.x.31.x    ppp0     (holy shit, the 0.0.0.0 being the ultimate route to your external IP)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Re: ZoneAlarm / Noscript issue
dhouwn wrote: The ping application just does the name resolution once and does not include it in the delay value it displays to you (because that's not part of what it's supposed to measure). You would have to measure the time for the API calls for name resolution; maybe you could also use nslookup and a stopwatch for that.

Sorry, I'm just not that motivated. Browsing (not just pinging) with or without the extensive Hosts file doesn't produce a user-discernible difference; whatever small delay *might* be added gets lost in the noise of variability of ISP congestion (shared Ethernet), Internet congestion, destination server congestion, etc.
From the source:

In case you're wondering ... this all happens in microseconds, which is much faster than trying to fetch a file from halfway around the world. <snip>
Editor's Note: in most cases a large HOSTS file (over 135 kb) tends to slow down the machine.
To resolve this issue (manually) open the "Services Editor"
* Start | Run (type) "services.msc" (no quotes)
* Scroll down to "DNS Client", right-click and select: Properties - click Stop
* Click the drop-down arrow for "Startup type"
* Select: Manual (recommended) or Disabled, click Apply/OK and restart. [more info]
When set to Manual you can see that the above "Service" is not needed (after a little browsing - when set to Manual) by opening the Services Editor again, scrolling down to DNS Client and checking the "Status" column. It should be blank; if it was needed it would show "Started" in that column. There are several utilities that can reset the DNS Client for you ...

I'm sure that I disabled the DNS client when I first started to use this. But it's good that you brought it up, in case any users who go this route do experience a lag in response time.
That same page gives work-arounds for those who need this Service to run because they are part of a Domain. My advice is presumed to be directed to typical home users unless otherwise stated.
GµårÐïåñ wrote: As for the lack of understanding as to what 0.0.0.0 does, take a look at any router's static route table and you'll see something like this, if you don't get what it means, again google it.

Sorry, Brother, this is what I get from the basic Linksys WRT54:
Router table
IP Address: x.x.x.x (my current WAN IP)
Subnet Mask: 255.255.255.128
Default Gateway: .x.x.x.x
DNS 1: (two IP addresses of the DNS servers, as set by the ISP)
DNS 2:
Client table:
MAC Address: aa.bb.cc.dd.ee.ff
IP Address: 192.168.1.1 (router LAN address for administration)
Subnet Mask: 255.255.255.0
DHCP Server: Enable (required by my ISP)
Start IP Address: 192.168.1.100
End IP Address: 192.168.1.149 (user-configured to accommodate no more than 50 devices, though it could be greater)
And the LAN IP of this particular device: 192.168.1.101
No 0.0.0.0 *anywhere*. So there's no reason that the machine would send packets to the router.
I believe that your information is based on the fact that you run a web server from your home or office or whatever, as per your publicly-available profile. I've never run a web server; you could be right about 0000 in such cases. Again, though, I am a basic home user, addressing similar home users who might have a LAN, but no publicly-available web server (disregarding online gaming, IM, and some other apps that sometimes make the machine behave like a server in some regards).
I've been using that Hosts provider for a decade or so. Never had a problem, even with the original redirect to the loopback. Of course, now one can see from the ABE FAQ that some web sites are making use of 127.0.0.1. I don't like that personally, but I don't use such sites. After the discussion @ Hackademix, I changed the redirect to 0.0.0.0 and have never had a problem. IMHO. YMMV.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
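An added check (my own example, not code from this thread or from the Hosts-file provider mentioned in it) that audits a hosts-file blocklist along the lines of the discussion above: entries that still map a blocked name to 127.0.0.1 rather than 0.0.0.0, duplicate hostnames, malformed lines, and whether the file is over the 135 kB size that the Editor's Note warns about. The sample hosts content is constructed for the example.

```python
import ipaddress

# Constructed sample hosts-file content (not from the thread); it mixes the
# two "black hole" styles discussed above plus a duplicate and a bad line.
SAMPLE_HOSTS = """\
# Blocklist excerpt
127.0.0.1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid
127.0.0.1 legacy-block.example.invalid
0.0.0.0 ads.example.invalid   # duplicate
not-an-ip badline.example.invalid
"""

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

def parse_hosts(text):
    """Return (ip, hostname, lineno) per entry; ip is None for a bad address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((None, parts[1] if len(parts) > 1 else None, lineno))
            continue
        for name in parts[1:]:                # one line may list several names
            entries.append((ip, name.lower(), lineno))
    return entries

def audit_hosts(text, size_limit=135 * 1024):
    """Flag loopback-mapped blocks, duplicate names, bad lines and oversize file."""
    report = {"loopback_blocks": [], "duplicates": [], "bad_lines": [], "oversize": False}
    seen = set()
    for ip, name, lineno in parse_hosts(text):
        if ip is None:
            report["bad_lines"].append(lineno)
            continue
        if name in seen:
            report["duplicates"].append(name)
        seen.add(name)
        # localhost legitimately lives on the loopback; any other name mapped
        # there is a block entry that should be 0.0.0.0 per the thread's advice
        if ip in LOOPBACK_NET and name != "localhost":
            report["loopback_blocks"].append(name)
    report["oversize"] = len(text.encode()) > size_limit
    return report
```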
Re: ZoneAlarm / Noscript issue
GµårÐïåñ wrote: yes 127.0.0.1 IS indeed a loopback address referring to the system itself

Indeed, all from this range are.

GµårÐïåñ wrote: You can look it up if you have never heard of it, may I suggest Juniper/Cisco level network training.

Actually I used to have the chance of doing some Cisco networking certification (CCSNP or something like that?) for a "special" price that still wasn't worth losing another thought over at this time.

GµårÐïåñ wrote: 255.255.255.0 as I already stated is the /24 subnet mask, but also part of the reserved broadcast IPs owned by the national ip networking institute research division. Feel free to read up on it, Network Name: SPECIAL-IPV4-FUTURE-USE-IANA-RESERVED, Owner Name: Internet Assigned Numbers Authority, From IP: 240.0.0.0 To IP: 255.255.255.255.

Yes, this is reserved; it used to be class E in the class architecture, but AFAIK not for broadcasts.

GµårÐïåñ wrote: As for the lack of understanding as to what 0.0.0.0 does,

It means one thing as a network address, another thing as an endpoint address. I still believe as an endpoint address it makes no sense and therefore is perfect as a "black hole" IP in the hosts file (which is there to map hostnames to endpoint addresses, not networks).

GµårÐïåñ wrote: formatting looks good in reply but looks like crap in end-result, this is as good as it will get, I am not going to waste more time on it, you get the idea.

Still, thanks for the effort.

Tom T. wrote: No 0.0.0.0 *anywhere*. So there's no reason that the machine would send packets to the router.

In the terminal enter "route print"; as a network address there it means indeed "any address" in this case. I guess this is what Guardian meant; still, as a destination address it makes no sense and is AFAIK handled this way.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
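As an added illustration of the network-address versus endpoint-address distinction argued above (my own example, not from any poster), this parses a constructed "route print"-style table and applies longest-prefix matching: the 0.0.0.0 / 0.0.0.0 line is selected only when no more specific route covers the destination. All addresses in the sample are constructed placeholders.

```python
import ipaddress

# Constructed routing table in the layout "route print" shows on Windows;
# the gateway and interface addresses are placeholders, not anyone's real WAN IP.
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface
          0.0.0.0          0.0.0.0     198.51.100.1   198.51.100.20
        127.0.0.0        255.0.0.0        On-link        127.0.0.1
        127.0.0.1  255.255.255.255        On-link        127.0.0.1
      192.168.1.0    255.255.255.0        On-link    192.168.1.101
    192.168.1.101  255.255.255.255        On-link    192.168.1.101
"""

def parse_routes(text):
    """Turn each table row into (network, gateway, interface); header skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, mask, gateway, iface = line.split()
        # "0.0.0.0 / 0.0.0.0" becomes the 0.0.0.0/0 network, i.e. "any address"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes

def select_route(routes, destination):
    """Longest-prefix match, as a host's IP stack does when choosing a route.

    Returns (network, gateway, interface) or None if no entry covers the
    destination.  The 0.0.0.0/0 entry matches everything, so it is used only
    when nothing more specific applies: that is the "default route" role of
    0.0.0.0 as a network address.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gateway, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return str(net), gateway, iface
```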
Re: ZoneAlarm / Noscript issue
dhouwn wrote: It means one thing as a network address, another thing as an endpoint address. I still believe as an endpoint address it makes no sense and therefore is perfect as a "black hole" IP in the hosts file (which is there to map hostnames to endpoint addresses, not networks).
GµårÐïåñ wrote: As for the lack of understanding as to what 0.0.0.0 does, <snip>

Agree, and use that philosophy in my Hosts.

dhouwn wrote: In the terminal enter "route print", as a network address there it means indeed "any address" in this case, I guess this is what Guardian meant, still as a destination address it makes no sense and is AFAIK handled this way.
Tom T. wrote: No 0.0.0.0 *anywhere*. So there's no reason that the machine would send packets to the router.

I'm not following you. In what "terminal"? I do not use Terminal Server. Just a home router, printers, etc. and two wireless laptops. Command line does not recognize that command. I don't know where in the router's Admin page this would be entered. If you're familiar with the Linksys WRT54 series, I'm game to try.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27