CHX-I v.3 rules...Stem.


incursari
April 10th, 2007, 06:17 AM
Hello Stem, or other packet filter experts here. I have been playing around with and using CHX-I v.3 for 3 months. I created some rules and am using some from the CHX threads here. I only enable my LAN file sharing rules when needed.
As I know Stem and some of the packet filter experts here are knowledgeable and help a lot of users here with firewall configuration, maybe you can help me if my rules overlap, or need extra tightening.

Stem
April 10th, 2007, 07:15 AM
Hello incursari,
You would need to post a copy/printout of your ruleset.

incursari
April 10th, 2007, 07:17 AM
Hello Stem, alright, nice to see you here. How could I send you the .zip rulesets?

Stem
April 10th, 2007, 07:28 AM
You could upload to Rapidshare (http://www.rapidshare.com/), then either post the link on thread if you would like feedback from the forum, or you could PM the link to me.

incursari
April 10th, 2007, 07:32 AM
{QUOTE-> You could upload to Rapidshare (http://www.rapidshare.com/), then either post the link on thread if you would like feedback from the forum, or you could PM the link to me. <-QUOTE}
Done. Check your PM.

Stem
April 10th, 2007, 07:57 AM
Hello incursari,

The rules look OK, you have bound the DNS servers and made restrictions on the local ports in use.
The only way to tighten would be to restrict the remote ports in use, such as for HTTP/S etc. But this would depend on the software you use.

incursari
April 10th, 2007, 08:20 AM
Thanks for the help.
{QUOTE-> Hello incursari,

The only way to tighten would be to restrict the remote ports in use, such as for HTTP/S etc. But this would depend on the software you use. <-QUOTE}
Do I need conditional rules for this? If yes, how do I do it effectively?
And one more thing, could you provide me with FTP rule (Active/Passive) samples, as I am a little bit confused about this. Do FTP rules need conditionals?

Stem
April 10th, 2007, 08:43 AM
It does depend on how tight you want to be with the rules, and does depend on what software connects out to what ports etc.

You can add rules for collecting/sending mail, and bind these to your mail servers (the remote ports used would depend on how the mail is sent/collected, POP3 / IMAP etc.).
For basic HTTP/S (remote ports 80/443), these would need to be open on the IP`s used, unless you are very restrictive in your surfing. Do remember, you can add blacklists (bad IP ranges) into CHX via the IP lists.
For FTP, you should try and keep to passive (no inbound connections). There is an option in the NIC properties (where you set SPI) for passive/active FTP, so this does mean, for example, if you enable allow passive FTP, you only need to allow outbound to remote port 21 (all other ports needed would be allowed with that option enabled, but the ports are only allowed while the remote port 21 is connected to).

The above rules would replace the open "udp_tcp no syn" rule you currently have in place, and you may need more rules than the above examples.

So it is really down to yourself on how tight a ruleset you want.

incursari
April 10th, 2007, 09:20 AM
OK thanks for the info, I will play around with the outbound and do some testing. If I need any help I will come back again to this thread. 8)

Alphalutra1
April 10th, 2007, 04:28 PM
{QUOTE-> OK thanks for the info, I will play around with the outbound and do some testing. If I need any help I will come back again to this thread. 8) <-QUOTE}
Also, another way to share the ruleset is to take a screenshot with all your rules on display, and a screenshot of the settings for your LAN card, and a screenshot of your logs if you are experiencing problems, then everyone can help ;D

Cheers,

Alphalutra1

incursari
April 10th, 2007, 06:45 PM
{QUOTE-> Also, another way to share the ruleset is to take a screenshot with all your rules on display, and a screenshot of the settings for your LAN card, and a screenshot of your logs if you are experiencing problems, then everyone can help ;D

Cheers,

Alphalutra1 <-QUOTE}
Alright, will post here after playing around with the outbounds.

Stem
April 10th, 2007, 07:57 PM
Hello incursari,
{QUOTE-> Alright, will post here after playing around with the outbounds. <-QUOTE}Yes, it would be helpful, not only to yourself, as others can also make comments/give advice (as there are members who know CHX as well as, if not better than, myself), but also for the members/users to see a (user's) ruleset for CHX, and see the comments and suggestions made.
Of course if you are concerned about certain info, such as MAC address~ server/personal IP`s etc, then remove these from the screen_capture image.

incursari
April 11th, 2007, 07:28 AM
OK here I come again. Stem, Alphalutra1 and others, please comment on my inbound/outbound rules if I missed anything there. I can’t post all the rules' screenshots as there are quite a number of them, so I post the link for the rule sets.

CHX rule sets (http://rapidshare.com/files/25416011/CHX_incursari2.rar.html)


Stem
April 11th, 2007, 05:20 PM
Hello incursari,

I have taken a quick look at your new ruleset. I see you are now filtering in both directions.

I will just make quick comment for now (to allow me time to check over your rules fully, and to give time for other feedback)
You have in place a number of outbound filter rules to restrict the local/remote ports used, but then you have an outbound rule to allow "udp_tcp out `not syn`" for any IP/port. This, although it will not allow outbound connections (SYN packets), will allow all outbound UDP.

You do have a number of rules to block "spoofed" IP`s. I would suggest that you create an IP list for these (I can post info on how to do this later, if required), so then you would only require 1 rule (just for a clean up/easier to manage, more than anything).

Alphalutra1
April 11th, 2007, 05:57 PM
Sorry I can't do any commenting, but I don't have CHX-I installed (or windows for the matter) on this pc, so I am unable to view the rules in the .sfd format. If you could take a screenshot of your rules, then I could contribute to helping with your ruleset.

Cheers,

Alphalutra1

Stem
April 11th, 2007, 06:01 PM
Hi Alphalutra1,

I was just thinking of what you posted... I will post a pic of the ruleset (as these are now for open viewing), just give me a few minutes.


I sorted rules into allow/deny


Alphalutra1
April 11th, 2007, 08:19 PM
I had a cursory glance (I am writing a paper :gack: ), but I noticed that you misnamed two of your ICMP OUT rules, switching the 0 with the 8 and vice versa.

As Stem said, grouping the IPs together in a list would definitely simplify it a lot. For example, you can combine the DNS servers together in one list, the Spoofed addresses in one list, etc.

Also, for some of the ICMP's that you created rules to allow in, many of the rules are already covered due to the pseudo-SPI for the ICMP in your LAN card settings, so you can disable those rules and see what gets blocked in your logs to see if any aren't covered by the pseudo-SPI (I think all of them are covered, but if you ever want to allow type 8 (normal echo), then you might have to force allow it, I am not sure).

In addition, I don't think that extra allow all rule is really necessary, because I think that all of your other outbound rules will cover everything.

I had an outbound setup going for a little while with CHX-I, you can see it in this (http://www.wilderssecurity.com/showpost.php?p=679124&postcount=2) post, but I do not know if it covers all the bases since I got rid of all the outbound rules after I found myself turning all of them off for gaming since it was too difficult to create rules for every single thing that the game tried to use (tens to hundreds of random ports).

Cheers,

Alphalutra1

incursari
April 12th, 2007, 08:18 AM
{QUOTE-> You have in place a number of outbound filter rules to restrict the local/remote ports used, but then you have an outbound rule to allow "udp_tcp out `not syn`" for any IP/port. This, although it will not allow outbound connections (SYN packets), will allow all outbound UDP. <-QUOTE}
So is this rule "udp_tcp out `not syn`" not necessary? Or can I just remove it?

{QUOTE-> I had a cursory glance (I am writing a paper ), but I noticed that you misnamed two of your ICMP OUT rules, switching the 0 with the 8 and vice versa. <-QUOTE}
Oh yeah, I noticed that, already edited it.

{QUOTE-> As Stem said, grouping the IPs together in a list would definitely simplify it a lot. For example, you can combine the DNS servers together in one list, the Spoofed addresses in one list, etc. <-QUOTE}
OK, I will group it later on.


{QUOTE-> Also, for some of the ICMP's that you created rules to allow in, many of the rules are already covered due to the pseudo-SPI for the ICMP in your LAN card settings, so you can disable those rules and see what gets blocked in your logs to see if any aren't covered by the pseudo-SPI (I think all of them are covered, but if you ever want to allow type 8 (normal echo), then you might have to force allow it, I am not sure). <-QUOTE}
I don’t quite understand about this. You mean I just need to use one outbound rule “Allow (Deny all except)” for ICMP?

{QUOTE-> In addition, I don't think that extra allow all rule is really necessary, because I think that all of your other outbound rules will cover everything. <-QUOTE}
This "udp_tcp out `not syn`"? So what is your suggestion?

Alphalutra1
April 12th, 2007, 04:43 PM
{QUOTE->
I don’t quite understand about this. You mean I just need to use one outbound rule “Allow (Deny all except)” for ICMP? <-QUOTE}
Not really, more like you can get rid of all the Incoming allow filters for your ICMP's since they should all be covered by the pseudo-SPI for ICMP. The way it works is that once your pc sends a certain ICMP to a server, for a set period of time, it will allow the ICMP's that respond back to come in, but then they will be blocked.

{QUOTE->
This "udp_tcp out `not syn`"? So what your suggestion? <-QUOTE}
Get rid of it. Everything should still work how you have set it up.

Cheers,

Alphalutra1

Stem
April 12th, 2007, 06:37 PM
Just to confirm:

For example, with ICMP: a default rule can be put in place, this could be "allow all ICMP inbound (or outbound)"; you do not need both directions filtered. For the rule to work correctly, you need to ensure that the ICMP stateful inspection is enabled.

You can make a simple check on this yourself.

Remove all the allow inbound ICMP rules you have in place, ensure you have a rule that will allow outbound pings, then ping your router. The replies will be allowed to the outbound.

incursari
April 12th, 2007, 07:11 PM
OK I removed all filters for inbound ICMP. I can’t ping my router. After I created just one filter for ICMP “In: **ICMP (Stateful ON)” I can ping my router or the internet. Is this the right direction? I will post the logs later on if anything gets blocked.

So this is my new rule set.

Stem
April 12th, 2007, 08:45 PM
{QUOTE-> OK I removed all filters for inbound ICMP. I can’t ping my router. <-QUOTE}This will be due to the other "allow inbound" rules. Do realise that when you place a rule to allow, then all else is blocked (as the rule states "Allow(deny all except)"), and this can/does cause problems.

It is now time for us to go through all the rules, remove un-needed ones, and set any other rules that may be required for your setup.

First, we need to decide on the direction of filtering. It is easier, with fewer problems, to filter in one direction. Myself, I filter on outbound, with just some inbound blocking rules. (With default rules (such as wan_start), these filter inbound with allow all out.)

I will also need some more info on your current setup. From your rules I see you are behind a router.
As you have a deny "Landattack" rule in place, are you on a fixed IP? (a need, or not for a DHCP rule)

Rules for netBios, which you mentioned you disable/enable when needed, can be changed and bound to your LAN(and/or specific hardware)

So basically, for now, I just need to know
1. Which direction you want to filter
2. Are you on a fixed IP

We can then work through the changes step by step.

woobook
April 12th, 2007, 11:03 PM
{QUOTE->
......
I had an outbound setup going for a little while with CHX-I, you can see it in this (http://www.wilderssecurity.com/showpost.php?p=679124&postcount=2) post, but I do not know if it covers all the bases since I got rid of all the outbound rules after I found myself turning all of them off for gaming since it was too difficult to create rules for every single thing that the game tried to use (tens to hundreds of random ports).

Alphalutra1 <-QUOTE}

In Alphalutra's link I find the first rule about Loopback. I have not found any difference when I add it or delete it. Is it necessary?
This is my current rule:

Stem
April 12th, 2007, 11:30 PM
@woobook,

I have found that CHX does not intercept loopback (on my setups/hardware). Rules to intercept this (127.0.0.0/255.0.0.0) do not, in fact, work. This is for V2.8 or V3.0.

incursari
April 13th, 2007, 08:57 AM
{QUOTE->
So basically, for now, I just need to know
1. Which direction you want to filter
2. Are you on a fixed IP
We can then work through the changes step by step. <-QUOTE}

Stem, yes I am behind the router.
1. I want to filter both directions
2. Yes, all my computers are on a fixed IP.

Stem
April 13th, 2007, 01:27 PM
@incursari,

First, a tidy up.
Open CHX, and go to the IP lists, right click ->New -> New IP list. In the popup, name this "DNS servers", then enter your 3 DNS server IP`s (make sure you press "enter/return" after each entry, so that only 1 IP is on a line). OK this when done.
Repeat this for the "Spoofed IP" address ranges.


You then need to create the DNS rule (you can edit one of the rules you already have in place)


Repeat this for the "Spoofed IP" list.

When done, remove all un-needed DNS/spoofed IP rules.

Stem
April 13th, 2007, 02:23 PM
Now, looking down your list of rules:

2 rules to allow Ident: if you require this rule, then remove one; if you do not require this rule, remove both.
In, deny TCP local ports 0-1023, 5000-65535: un-needed due to (SPI) the outbound filtering that will be in place... remove this rule.
Inbound ARP: we will come back to this rule.
Allow In, UDP&TCP_no_SYN: un-needed, remove.
In allow DHCP: un-needed in your setup (fixed IP), remove.
ICMP: we will come back to ICMP later, as we will need to see what is required.
In Allow logging from router: OK if this is wanted, but on a setup such as yours, where the hardware/IP will be static, and with a force allow rule, you should place the source (router) MAC address in the rule.
Allow Netbios (on LAN): OK
Deny Landattack: OK
Deny netbios from internet: not needed (due to SPI), remove.
Deny port 135: not needed (due to SPI), remove.
Deny Trojan ports: if you believe this is required, then OK
Outgoing ARP: we will come back to this rule.
Out UDP&TCP_NO_SYN: remove this rule.
Out:boot: un-needed in your setup (this is DHCP, not needed due to fixed IP)
Out Deny netbios to internet: un-needed, remove
Out Deny other DNS: un-needed, remove
Out email POP3 / Out email SMTP: OK, but you could add the IP`s of these servers
Out FTP: OK
ICMP rules: as mentioned, we will go through these later
Out IRC: OK
Out Web Browsers: OK

Stem
April 13th, 2007, 03:01 PM
@incursari,

When done, move all rules (apart from the ARP rules) onto your NIC IP address. (you can just select and drag the rules over)

I am just going to set up with your ruleset, to check on the inbound netbios rules (what effect they have on inbound filtering) as I don't normally have such rules in place.

Update:

OK, no problem with the netbios rules (I did not expect a problem, but wanted to confirm)

So, if you have now moved the rules, you should only have 2 rules on the NIC (the rest on the IP), which are the ARP. You only need 1 of these. Myself, I have one ARP rule, set as: Allow out ARP. (I have bound this to my other hardware using a MAC list)

Now, ICMP.
You only need to filter in one direction. I personally filter on outbound, as I personally require most ICMP on my LAN (most is due to testing), I simply place a rule to allow all outbound ICMP, but of course, you can filter as required. (you do not need to place a rule to block other ICMP types, as when an allow rule is in place, all others will be blocked)

You can also add a rule (onto IP address) to "Block inbound TCP SYN".

incursari
April 13th, 2007, 09:48 PM
{QUOTE-> Now, looking down your list of rules:

2 rules to allow Ident: if you require this rule, then remove one; if you do not require this rule, remove both.
In, deny TCP local ports 0-1023, 5000-65535: un-needed due to (SPI) the outbound filtering that will be in place... remove this rule.
Inbound ARP: we will come back to this rule.
Allow In, UDP&TCP_no_SYN: un-needed, remove.
In allow DHCP: un-needed in your setup (fixed IP), remove.
ICMP: we will come back to ICMP later, as we will need to see what is required.
In Allow logging from router: OK if this is wanted, but on a setup such as yours, where the hardware/IP will be static, and with a force allow rule, you should place the source (router) MAC address in the rule.
Allow Netbios (on LAN): OK
Deny Landattack: OK
Deny netbios from internet: not needed (due to SPI), remove.
Deny port 135: not needed (due to SPI), remove.
Deny Trojan ports: if you believe this is required, then OK
Outgoing ARP: we will come back to this rule.
Out UDP&TCP_NO_SYN: remove this rule.
Out:boot: un-needed in your setup (this is DHCP, not needed due to fixed IP)
Out Deny netbios to internet: un-needed, remove
Out Deny other DNS: un-needed, remove
Out email POP3 / Out email SMTP: OK, but you could add the IP`s of these servers
Out FTP: OK
ICMP rules: as mentioned, we will go through these later
Out IRC: OK
Out Web Browsers: OK <-QUOTE}
Done.

For "Out: *** Outgoing ARP".
I need to add FF-FF-FF-FF-FF-FF to my MAC list; if not, I can't access the internet. See log below.

{QUOTE-> @incursari,

When done, move all rules (apart from the ARP rules) onto your NIC IP address. (you can just select and drag the rules over)

I am just going to set up with your ruleset, to check on the inbound netbios rules (what effect they have on inbound filtering) as I don't normally have such rules in place.

Update:

OK, no problem with the netbios rules (I did not expect a problem, but wanted to confirm)

So, if you have now moved the rules, you should only have 2 rules on the NIC (the rest on the IP), which are the ARP. You only need 1 of these. Myself, I have one ARP rule, set as: Allow out ARP. (I have bound this to my other hardware using a MAC list)

Now, ICMP.
You only need to filter in one direction. I personally filter on outbound, as I personally require most ICMP on my LAN (most is due to testing), I simply place a rule to allow all outbound ICMP, but of course, you can filter as required. (you do not need to place a rule to block other ICMP types, as when an allow rule is in place, all others will be blocked)

You can also add a rule (onto IP address) to "Block inbound TCP SYN". <-QUOTE}
Done. Check the rest of the screen shot.

incursari
April 13th, 2007, 10:00 PM
{QUOTE-> Allow In, UDP&TCP_no_SYN un-needed, remove. <-QUOTE}
If I remove this I can’t access the internet. Check the log.

Stem
April 13th, 2007, 10:59 PM
You are having problems because you are still filtering in both directions (which, as I have mentioned, causes problems).

As I have mentioned, for example, with the DNS rule you only need to have a rule to allow the outbound; the UDP SPI will allow the returned packets.

You still have in place rules to allow inbound ICMP. These rules will block all other inbound ICMP / UDP / TCP that do not have a specific rule to allow them, and this is why packets (such as "ACK SYN") are blocked.

The ARP outbound to FF:FF:FF:FF:FF:FF is a needed broadcast (I automatically add this myself, and forgot to mention)

Packets to 192.168.1.255 are LAN broadcasts and should be allowed if you have set the LAN rules up correctly. As an example, for the force allow inbound netbios from LAN, this would be "force allow inbound source 192.168.1.0/255.255.255.0 dest your IP/255.255.255.0".

Edit:
Just looking at your latest posts again. You should only have 2 inbound allow rules in place:

Force allow for netbios
Force allow for router log

incursari
April 14th, 2007, 12:56 AM
Stem, I already changed the rule sets according to what you posted. So far so good, only the rule for the router log.

Stem
April 14th, 2007, 01:48 AM
What is the full rule for the "Allow logging from router"?

As the router is a fixed IP, the rule should look like (to also allow the inbound broadcast):
Force allow inbound UDP~ source 192.168.1.1/255.255.255.255 dest your IP/255.255.255.0 local port 162


Edit,
Don't forget to add a rule to "Block inbound TCP SYN".

incursari
April 14th, 2007, 02:25 AM
Updated. Stem, check the two rules that I highlighted. I took a clearer screenshot now.

incursari
April 14th, 2007, 02:32 AM
{QUOTE-> What is the full rule for the "Allow logging from router"?
Edit,
Don't forget to add a rule to "Block inbound TCP SYN". <-QUOTE}
Alright, already added it. Still monitoring now.

incursari
April 15th, 2007, 07:46 AM
Hello Stem and Alphalutra1, thank you to both of you for your help. After cleaning up my rule sets, it is now working very smoothly and works as intended.
Thank you again.:thumb:

Stem
April 15th, 2007, 10:42 AM
@incursari,
Good to hear all is working correctly.

Alphalutra1
April 15th, 2007, 04:46 PM
Also happy it works well. Sorry I haven't helped any more, but I have been away for a couple of days.

Cheers,

Alphalutra1

woobook
April 15th, 2007, 07:39 PM
{QUOTE-> @woobook,

I have found that CHX does not intercept loopback(on my setups/hardware). Rules to intercept this (127.0.0.0/255.0.0.0) do not,in fact work. This is for V2.8 or V3.0 <-QUOTE}

I have deleted the rules F1a, F1b and F4, and changed rule F ARP: "allow Incoming ARP" to "Allow Outgoing ARP". It is running well and I have not found any difference from the original rule setting.

I tested it in Shields UP! and PC Flank. It had passed every test. (I didn't take the leaktest.)

Stem
April 15th, 2007, 08:12 PM
@woobook,

Have you enabled all SPI (in the NIC properties)?
(When the SPI is enabled, replies to the outbound will be allowed.)

If SPI is enabled:-
It does look like you need to change/remove some rules.

First, Remove the first 2 "Deny all" rules. These are not needed.
Then remove rules: F3, F7 and F8b

Then add a rule to block inbound TCP SYN.

woobook
April 15th, 2007, 09:40 PM
{QUOTE-> @woobook,

Have you enabled all SPI (in the NIC properties)?
(When the SPI is enabled, replies to the outbound will be allowed.)

If SPI is enabled:-
It does look like you need to change/remove some rules.

First, Remove the first 2 "Deny all" rules. These are not needed.
Then remove rules: F3, F7 and F8b

Then add a rule to block inbound TCP SYN. <-QUOTE}

I have enabled all SPI. I added two "Deny All" rules as in the following picture. I don't know if choosing "any" in Eth.Type has more power than choosing "IP" only. Maybe I only need to set the rule for "IP" in Eth.Type because I use Dial-up.

Do you remember this post 111:
http://www.wilderssecurity.com/showthread.php?t=165576&page=5
{QUOTE-> "It may appear as an overlap, but the rule to allow the inbound will not restrict what outbound local ports are used, it will only restrict what local ports would be allowed a reply. With the outbound rule in place, You do not need to add a port block rule, as from the rule in place for the local ports allowed, all others will be blocked, (unless you have allow rules in place to allow other local ports).
So you can leave them as they are." <-QUOTE}

So I keep the two-direction rules.
If I remove the first 2 "Deny all" rules and the rules F3, F7 and F8b, how do I add the rule to block inbound TCP SYN? I tried it as in the following picture.

Thank you, Stem.

woobook
April 15th, 2007, 09:42 PM
My F7 rule.

Stem
April 15th, 2007, 11:06 PM
@woobook,

Your inbound rules are "force allow", and you should remove them.

woobook
April 15th, 2007, 11:25 PM
{QUOTE-> @woobook,

Your inbound rules are "force allow", and you should remove them. <-QUOTE}
Yes, Stem. This is what I worry about. Allow(Deny All Except) gives a safer feeling than "force allow".
But when I set the above rule, I thought "Deny All + Force allow" was equal to Allow(Deny All Except), and "deny all" should have more power because it can deny more when I choose "any" in Eth. Type.

Stem
April 15th, 2007, 11:59 PM
@woobook,

Having inbound "force allow" rules, will allow unsolicited inbound.

woobook
April 16th, 2007, 12:42 AM
{QUOTE-> @woobook,

Having inbound "force allow" rules, will allow unsolicited inbound. <-QUOTE}
I worry it doesn't block unsolicited inbound when I choose "force allow". I had checked the log. For example, the rule "force allow" inbound:

Direction: Incoming
Protocol: TCP
Packets' Source: Any
Source Port: 80, 443
Packets' destination: Any
Destination port: 1024-4999

In the log I can still find some records :
Packets' Source: XXXX
Source Port: 80
Packets' destination: My IP
Destination port: XXXX( in 1024-4999)
Reason: Out of Connection

I am not sure if it means that it blocked unsolicited inbound.
I am using Panda Titanium 2007. Without CHX, Panda would block a lot of unsolicited inbound. After I use CHX, CHX blocks everything, so there isn't any blocking record in the Panda logs. But today in my Panda log I found one connection attempt. Maybe it is due to "force allow", which allows unsolicited inbound.

woobook
April 17th, 2007, 11:43 AM
{QUOTE-> @woobook,

Having inbound "force allow" rules, will allow unsolicited inbound. <-QUOTE}
I get it. After removing "Deny All" and changing "force allow" to "allow(deny all except)", in the log I found that CHX begins blocking unsolicited connections.

Stem
April 17th, 2007, 12:48 PM
@woobook,

You will find the same results if you remove the inbound "Allow(deny all except)" rules. Adding a block inbound TCP SYN rule gives better logging (for scans/inbound connection attempts), and does ensure no inbound connections are allowed.

Block inbound "TCP SYN" rule:-

woobook
April 18th, 2007, 11:04 PM
It is the same result when I remove all "allow inbound" rules. The difference is in the log. Under "allow inbound" rules, it logs "Does not match allow policy" when it blocks unsolicited inbound. After I remove all "allow inbound" rules, it logs "Unsolicited UDP" or "Out of connection".
I had tested in Shields UP! and PC Flank, it blocks everything.
It is a clear rule.

Thanks for your help.
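A simplified model of the rule semantics Stem and woobook describe above (a "force allow" inbound rule passing unsolicited traffic, "Allow (deny all except)" blocking everything else in its direction, SPI letting replies back in, and a "Block inbound TCP SYN" deny rule giving an explicit log reason), written as an added example; it is not CHX-I's code, and the rule precedence, the addresses and the log strings are assumptions chosen to reproduce what the thread reports.

```python
import ipaddress
from collections import namedtuple

ANY = (0, 65535)
# direction "in"/"out"; proto "tcp"/"udp"/"icmp" (ICMP uses ports 0/0 here); syn = TCP connection attempt
Packet = namedtuple("Packet", "direction proto src sport dst dport syn", defaults=(False,))
# action is "deny", "force_allow" or "allow_except" (CHX-I's "Allow (deny all except)")
Rule = namedtuple("Rule", "name action direction proto src_net dst_net sport dport syn_only",
                  defaults=("any", "0.0.0.0/0", "0.0.0.0/0", ANY, ANY, False))

def matches(r, p):
    return (p.direction == r.direction and r.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src_net)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst_net)
            and r.sport[0] <= p.sport <= r.sport[1] and r.dport[0] <= p.dport <= r.dport[1]
            and (p.syn or not r.syn_only))

class Filter:
    # Precedence is an assumption that reproduces what the thread reports: deny, then force
    # allow (no state check), then the Allow (deny all except) policy of the packet's
    # direction, then the pseudo-SPI check for replies to allowed outbound packets.
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # (proto, local, lport, remote, rport) of outbound packets

    def check(self, p):
        for r in self.rules:
            if r.action == "deny" and matches(r, p):
                return False, f"Deny rule: {r.name}"
        for r in self.rules:
            if r.action == "force_allow" and matches(r, p):
                return True, f"Force allow: {r.name}"   # unsolicited traffic passes here
        policy = [r for r in self.rules if r.action == "allow_except" and r.direction == p.direction]
        if policy and not any(matches(r, p) for r in policy):
            return False, "Does not match allow policy"   # one allow rule blocks all else
        if p.direction == "out":
            return True, "Allow out"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return True, "SPI reply"
        return False, "Unsolicited UDP" if p.proto == "udp" else "Out of connection"

    def send(self, p):
        allowed, reason = self.check(p)
        if allowed and p.direction == "out":
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return allowed, reason

ME, LAN, ROUTER = "192.168.1.10", "192.168.1.0/24", "192.168.1.1/32"   # constructed addresses

def base_rules(block_syn=False):
    # Outbound-only filtering as Stem recommends, plus the two inbound force allows he keeps.
    rules = [Rule("Out Web Browsers", "allow_except", "out", "tcp", dport=(80, 80)),
             Rule("Out DNS", "allow_except", "out", "udp", dst_net=ROUTER, dport=(53, 53)),
             Rule("Netbios from LAN", "force_allow", "in", "udp", LAN, LAN, dport=(137, 138)),
             Rule("Router log", "force_allow", "in", "udp", ROUTER, LAN, dport=(162, 162))]
    if block_syn:
        rules.insert(0, Rule("Block inbound TCP SYN", "deny", "in", "tcp", syn_only=True))
    return rules

def web_reply(extra=(), block_syn=False):
    # Open a connection to a web server, then see whether its reply is let back in.
    f = Filter(base_rules(block_syn) + list(extra))
    f.send(Packet("out", "tcp", ME, 1030, "203.0.113.5", 80, syn=True))
    return f.send(Packet("in", "tcp", "203.0.113.5", 80, ME, 1030))

def unsolicited(extra=(), block_syn=False):
    # An inbound SYN from port 80 that nothing on this host asked for (a scan).
    return Filter(base_rules(block_syn) + list(extra)).send(
        Packet("in", "tcp", "198.51.100.7", 80, ME, 2048, syn=True))

def lan_broadcast():
    return Filter(base_rules()).send(Packet("in", "udp", "192.168.1.20", 137, "192.168.1.255", 137))

# woobook's inbound rule, once as "force allow" and once as "Allow (deny all except)"
WOOBOOK_FORCE = Rule("In web replies", "force_allow", "in", "tcp", sport=(80, 443), dport=(1024, 4999))
WOOBOOK_ALLOW = Rule("In web replies", "allow_except", "in", "tcp", sport=(80, 443), dport=(1024, 4999))
ICMP_IN = Rule("In ICMP", "allow_except", "in", "icmp")   # incursari's leftover inbound ICMP allow
```

Calling `unsolicited([WOOBOOK_FORCE])` shows the force allow hole, `unsolicited([WOOBOOK_ALLOW])` and `unsolicited(block_syn=True)` show the same scan blocked with the two different log reasons, and `web_reply([ICMP_IN])` shows why a stray inbound allow rule breaks ordinary replies.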