ZoneAlarm 2.1.10 and previous versions do not filter UDP packets with a source port of 67, which allows remote malicious users to bypass the firewall rules.
source: www.securityfocus.com/bid/1137/info
Certain versions of the Zone Labs personal firewall have a vulnerability that allows malicious users to port scan the firewall without being detected. In particular, if the port scan originates from source port 67 on the attacking host, ZoneAlarm fails to register the attack.
nmap -g67 -P0 -p130-1 ...
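
A genuine DHCP server reply travels from UDP port 67 to UDP port 68, so traffic from source port 67 to any other destination only borrows the port that the firewall trusts. The check below is an added example, not part of the original advisory; the log line format, the addresses and the scan_threshold value are constructed assumptions.

```python
from collections import defaultdict

DHCP_SERVER_PORT = 67   # source port the advisory says ZoneAlarm leaves unfiltered
DHCP_CLIENT_PORT = 68   # only destination port a genuine DHCP server reply uses

# Constructed sample records: "timestamp proto src_ip:src_port -> dst_ip:dst_port"
SAMPLE_LOG = """\
12:00:01 UDP 192.0.2.1:67 -> 198.51.100.10:68
12:00:05 UDP 203.0.113.7:67 -> 198.51.100.10:130
12:00:05 UDP 203.0.113.7:67 -> 198.51.100.10:131
12:00:05 TCP 203.0.113.7:67 -> 198.51.100.10:132
12:00:07 UDP 203.0.113.9:53 -> 198.51.100.10:40000
12:00:08 UDP 203.0.113.20:67 -> 198.51.100.10:137
malformed line
"""

def parse_line(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip, src_port = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return parts[1].upper(), src_ip, int(src_port), dst_ip, int(dst_port)
    except ValueError:
        return None

def find_port67_abuse(log_text, scan_threshold=3):
    """Map each offending source IP to its verdict and the ports it touched."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src_ip, src_port, _dst_ip, dst_port = rec
        if src_port != DHCP_SERVER_PORT:
            continue
        # A real DHCP reply is UDP 67 -> 68; anything else only borrows the port.
        if proto == "UDP" and dst_port == DHCP_CLIENT_PORT:
            continue
        ports_by_src[src_ip].add(dst_port)
    return {
        src: ("scan" if len(ports) >= scan_threshold else "suspicious", sorted(ports))
        for src, ports in ports_by_src.items()
    }

if __name__ == "__main__":
    print(find_port67_abuse(SAMPLE_LOG))
```

The same distinction applies to filtering: a rule that admits source port 67 should also require UDP and destination port 68.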