#1
Hello Stem, or other packet filter experts here. I started to play around with and use CHX-I v3 three months ago. I created some rules and am using some from the CHX threads here. I only enable my LAN file sharing rules when needed.
As I know Stem and some of the packet filter experts here are knowledgeable and help a lot of users here with firewall configuration, maybe you can help me if my rules overlap or need extra tightening.
#2
Hello incursari,
You would need to post a copy/printout of your ruleset.
#3
Hello Stem, alright, nice to see you here. How could I send you the .zip rulesets?
#4
You could upload to Rapidshare, then either post the link on the thread if you would like feedback from the forum, or you could PM the link to me.
#5
Quote:
#6
Hello incursari,
The rules look OK, you have bound the DNS servers and made restrictions on the local ports in use. The only way to tighten would be to restrict the remote ports in use, such as for HTTP/S etc. But this would depend on the software you use.
#7
Thanks for the help.
Quote:
And one more thing, could you provide me with FTP rule (Active/Passive) samples, as I am a little bit confused about this. Do FTP rules need conditionals?
#8
It does depend on how tight you want to be with the rules, and does depend on what software connects out to what ports etc.

You can add rules for collecting/sending mail, and bind these to your mail servers (the remote ports used would depend on how the mail is sent/collected, POP3 / IMAP etc).

For basic HTTP/S (remote ports 80/443), these would need to be open on the IPs used, unless you are very restrictive in your surfing. Do remember, you can add blacklists (bad IP ranges) into CHX via the IP lists.

For FTP, you should try and keep to passive (no inbound connections). There is an option in the NIC properties (where you set SPI) for passive/active FTP, so this does mean, for example, if you enable allow passive FTP, you only need to allow outbound to remote port 21 (all other ports needed would be allowed with that option enabled, but the ports are only allowed while the remote port 21 was connected to).

The above rules would replace the open "udp_tcp no syn" rule you currently have in place, and you may need more rules than the above examples. So it is really down to yourself on how tight a ruleset you want.
#9
OK thanks for the info, I will play around with the outbound and do some testing. Anything I need help with, I will come back again to this thread.
#10
Quote:
Cheers, Alphalutra1
#11
Quote:
#12
Hello incursari,
Quote:
Of course, if you are concerned about certain info, such as MAC address, server/personal IPs etc, then remove these from the screen capture image.
#13
OK here I come again. Stem, Alphalutra1 and others, please comment on my inbound/outbound rules if I missed anything there. I can't post all the rule screenshots because there are quite a number of them, so I have posted the link for the rule sets.
CHX rule sets
Last edited by Stem : April 11th, 2007 at 05:27 PM. Reason: trimmed image
#14
Hello incursari,
I have taken a quick look at your new ruleset. I see you are now filtering in both directions. I will just make a quick comment for now (to allow me time to check over your rules fully, and to give time for other feedback).

You have in place a number of outbound filter rules to restrict the local/remote ports used, but then you have an outbound rule to allow "udp_tcp out `not syn`" for any IP/port. This, although it will not allow outbound connections (SYN packets), will allow all outbound UDP.

You do have a number of rules to block "spoofed" IPs. I would suggest that you create an IP list for these (I can post info on how to do this later, if required), so then you would only require one rule (just for a clean up/easier to manage more than anything).
#15
Sorry, I can't do any commenting, but I don't have CHX-I installed (or Windows for that matter) on this PC, so I am unable to view the rules in the .sfd format. If you could take a screenshot of your rules, then I could contribute to helping with your ruleset.
Cheers, Alphalutra1
#16
Hi Alphalutra1,
I was just thinking of what you posted... I will post a pic of the ruleset (as these are now for open viewing), just give me a few minutes............ I sorted the rules into allow/deny.
Last edited by Stem : April 11th, 2007 at 06:20 PM. Reason: added image
#17
I had a cursory glance (I am writing a paper), but I noticed that you misnamed two of your ICMP OUT rules, switching the 0 with the 8 and vice versa.

As Stem said, grouping the IPs together in a list would definitely simplify it a lot. For example, you can combine the DNS servers together in one list, the spoofed addresses in one list, etc.

Also, for some of the ICMPs that you created rules to allow in, many of the rules are already covered due to the pseudo-SPI for ICMP in your LAN card settings, so you can disable those rules and see what gets blocked in your logs to see if any aren't covered by the pseudo-SPI (I think all of them are covered, but if you ever want to allow type 8 (normal echo), then you might have to force allow it, I am not sure).

In addition, I don't think that extra allow all rule is really necessary, because I think that all of your other outbound rules will cover everything. I had an outbound setup going for a little while with CHX-I, you can see it in this post, but I do not know if it covers all the bases, since I got rid of all the outbound rules after I found myself turning all of them off for gaming, since it was too difficult to create rules for every single thing that the game tried to use (tens to hundreds of random ports).

Cheers, Alphalutra1
#18
Quote:
Quote:
Quote:
Quote:
Quote:
#19
Quote:
Quote:
Cheers, Alphalutra1
#20
Just to confirm:
For example, with ICMP: a default rule can be put in place, this could be "allow all ICMP inbound (or outbound)". You do not need both directions filtered. For the rule to work correctly, you need to ensure that the ICMP stateful inspection is enabled. You can make a simple check on this yourself. Remove all the allow inbound ICMP rules you have in place, ensure you have a rule that will allow outbound pings, then ping your router. The replies will be allowed in response to the outbound.
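An added illustration, not code from the thread or from CHX-I: a toy first-match, stateful packet filter in Python that models the two points raised above, why the catch-all "udp_tcp out `not syn`" rule from post #14 still passes every outbound UDP datagram (UDP has no SYN flag to fail on), and why, with ICMP stateful inspection on, an echo reply gets in after an outbound ping with no inbound ICMP allow rule at all. The rule names, the spoofed-source list and the DNS server address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: a spoofed-source IP list (one list, one rule, as Stem
# suggests) and the DNS servers the outbound DNS rule is bound to.
SPOOFED = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"]
DNS = {"192.0.2.53"}

def in_spoofed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in SPOOFED)

@dataclass
class Pkt:
    direction: str      # "in" or "out"
    proto: str          # "tcp", "udp" or "icmp"
    remote_ip: str
    remote_port: int = 0
    syn: bool = False   # TCP SYN set = new connection attempt
    icmp_type: int = 0  # 8 = echo request, 0 = echo reply

@dataclass
class Filter:
    icmp_stateful: bool = True              # the NIC "ICMP stateful inspection" option
    pending_echo: set = field(default_factory=set)

    def decide(self, p: Pkt) -> str:
        """Return the first matching rule, top to bottom, like an ordered ruleset."""
        if p.direction == "in" and in_spoofed(p.remote_ip):
            return "deny:spoofed"
        if p.proto == "icmp":
            if p.direction == "out" and p.icmp_type == 8:
                self.pending_echo.add(p.remote_ip)   # remember who we pinged
                return "allow:icmp-out"
            if (p.direction == "in" and p.icmp_type == 0
                    and self.icmp_stateful and p.remote_ip in self.pending_echo):
                return "allow:icmp-stateful"         # reply matched to our request
            return "deny:icmp"                       # no inbound ICMP allow rule at all
        if p.direction == "out":
            if p.proto == "udp" and p.remote_port == 53 and p.remote_ip in DNS:
                return "allow:dns"
            if p.proto == "tcp" and p.remote_port in (21, 80, 443):
                return f"allow:tcp-{p.remote_port}"
            # Catch-all "udp_tcp out not syn" from post #14: it stops new TCP
            # connections, but UDP has no SYN flag, so every UDP datagram matches it.
            if not p.syn:
                return "allow:not-syn"
        return "deny:default"
```

Feed it an outbound UDP datagram to any port and it lands on `allow:not-syn`; switch `icmp_stateful` off and the echo reply from the router you just pinged is denied.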
#21
OK, I removed all filters for inbound ICMP. I can't ping my router. After I create only one filter for ICMP, "In: **ICMP (Stateful ON)", then I can ping my router or the internet. Is this the right direction? I will post the logs later on if anything gets blocked.
So this is my new rule set.
#22
Quote:
It is now time for us to go through all the rules, remove un-needed ones, and set any other rules that may be required for your setup.

First, we need to decide on the direction of filtering. It is easier, with fewer problems, to filter in one direction. Myself, I filter on outbound, with just some inbound blocking rules (with default rules (such as wan_start), these filter inbound with allow all out).

I will also need some more info on your current setup. From your rules I see you are behind a router. As you have a deny "Landattack" rule in place, are you on a fixed IP? (a need, or not, for a DHCP rule) Rules for NetBIOS, which you mentioned you disable/enable when needed, can be changed and bound to your LAN (and/or specific hardware).

So basically, for now, I just need to know:
1. Which direction you want to filter
2. Are you on a fixed IP
We can then work through the changes step by step.
#23
Quote:
In Alphalutra's link I found the first rule about Loopback. I have not found any difference when I add it or delete it. Is it necessary? This is my current rule:
#24
@woobook,
I have found that CHX does not intercept loopback (on my setups/hardware). Rules to intercept this (127.0.0.0/255.0.0.0) do not, in fact, work. This is for V2.8 or V3.0.
#25
Quote:
Stem, yes I am behind the router.
1. I want to filter both directions.
2. Yes, all my computers are on a fixed IP.