
When I create the Hello World example in C++ from The Guide on ZeroMQ found here: http://zguide.zeromq.org/page:all#Ask-and-Ye-Shall-Receive

and run the application, I get a Windows Security Alert that asks if I would like to allow the application to communicate on public or private networks.

It looks like this: [screenshot of the Windows Security Alert dialog]

Here is where things get interesting.

I only need my program to listen on port 5555 for connections from localhost and I do NOT need to allow incoming connections on port 5555. This is because I only want to communicate between applications on the localhost.

Client and server are both running on the same machine.

Here is my current process. I start the server and the Windows Security Alert comes up. Since I am running the application as a non-administrator account, I only have standard permissions, so I click Cancel on the Alert.

Clicking cancel on the alert puts an explicit deny inbound rule on all ports for HelloWorldServer.exe. This is totally fine.

Then I start the client. Since the client is connecting to localhost, it actually does not need to send messages outside of the local machine, and all of its messages arrive at the server just fine.

Given an explicit deny rule on incoming connections to HelloWorldServer.exe, the messages can still arrive from the client on the local host. This is a desirable result.

Now the question becomes: is there any way to automatically respond to the Windows Security Alert by clicking Cancel? Is there any way to suppress it from popping up, since the allow is not needed?

The prompt is undesirable because it implies that the application needs to create a vulnerability when it does not.

Please assume that Named Pipes are not a valid alternative to tcp as a means of inter-process communication.

Eric S
ComradeJoecool
  • How have you bound the listening socket? Even though you intend only to use the socket with local host if you don't bind correctly it will allow remote connections as well and trigger the firewall. A useful write-up here: [understanding INADDR_ANY for socket programming - c](http://stackoverflow.com/a/16510000/4581301) – user4581301 Nov 08 '16 at 23:51
  • `socket.bind ("tcp://*:5555");` the complete example is at http://zguide.zeromq.org/cpp:hwserver – ComradeJoecool Nov 08 '16 at 23:56
  • Odds are good that the `*` means allow any address, local or remote. Give `socket.bind ("tcp://localhost:5555");` or `socket.bind ("tcp://127.0.0.1:5555");` a try to bind the port to local only traffic. – user4581301 Nov 09 '16 at 00:00
  • localhost causes a runtime error because ZeroMQ is expecting an address. However using 127.0.0.1 allows the program to run with standard privileges without trying to create a firewall rule. Success! Thanks a lot for the suggestion. Make an answer, and I will accept it. – ComradeJoecool Nov 09 '16 at 20:10

1 Answer

When binding the socket the caller may specify the IP address the socket is bound to. The coding samples provided by ZeroMQ specify

```cpp
socket.bind ("tcp://*:5555");
```

where `*` appears to specify all possible addresses (INADDR_ANY in BSD socket-derived parlance), which will trigger the Windows firewall as it allows remote and local addresses.

Calling socket.bind with the localhost address 127.0.0.1

```cpp
socket.bind ("tcp://127.0.0.1:5555");
```

limits the sockets allowed to connect to the local machine and should silence the firewall warning for most Windows firewall configurations.

user4581301
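Added example (not from the question, the answer or the ZeroMQ guide): plain Python sockets showing the same distinction the answer draws. `classify_endpoint` flags wildcard binds in ZeroMQ-style `tcp://` endpoint strings, and `loopback_roundtrip` binds a listener on 127.0.0.1 only and confirms that a client on the same host still gets through. The function names and the sample endpoints are my own.

```python
import ipaddress
import socket


def classify_endpoint(endpoint: str) -> str:
    """Return 'wildcard', 'loopback' or 'interface' for a ZeroMQ tcp:// endpoint.

    "*" is ZeroMQ's spelling of INADDR_ANY. Host names are not resolved here
    (the ZeroMQ build in the question rejected "localhost" at runtime anyway),
    so anything that is not "*" or an IP literal raises ValueError.
    """
    if not endpoint.startswith("tcp://"):
        raise ValueError(f"not a tcp endpoint: {endpoint}")
    host, _, port = endpoint[len("tcp://"):].rpartition(":")
    if not port.isdigit():
        raise ValueError(f"missing port: {endpoint}")
    if host in ("*", "0.0.0.0", "::", "[::]"):
        return "wildcard"  # reachable from every interface; the firewall prompts
    addr = ipaddress.ip_address(host.strip("[]"))
    return "loopback" if addr.is_loopback else "interface"


def bind_listener(host: str) -> tuple[socket.socket, tuple[str, int]]:
    """Bind a TCP listener on an ephemeral port and return it with its bound address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()


def loopback_roundtrip(request: bytes = b"Hello") -> bytes:
    """Bind on 127.0.0.1 only, connect from the same host, and return the reply.

    Mirrors the question's setup: a loopback-only server still serves a
    local client, so no wildcard bind (and no firewall exception) is needed.
    """
    srv, (host, port) = bind_listener("127.0.0.1")
    with srv, socket.create_connection((host, port)) as client:
        conn, _ = srv.accept()
        with conn:
            data = client.sendall(request) or conn.recv(64)
            conn.sendall(b"World" if data == b"Hello" else b"?")
        return client.recv(64)


if __name__ == "__main__":
    for ep in ("tcp://*:5555", "tcp://127.0.0.1:5555"):
        print(ep, "->", classify_endpoint(ep))
    print("reply over loopback-only listener:", loopback_roundtrip())
```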