CHX-I questions... again :)

I decided to reinstall CHX v3 and have a few questions about it. I'm using the wan_start (here is a copy: http://www.filefactory.com/file/9d7960/) filters I downloaded from the forums quite some time ago. I also enabled all SPI. with that I don't have any problems at all with browsing and even using Free Download Manager, even JAP and Tor. problem is even with uTorrent, without using uPnP, there is no problem connecting and downloading even if I haven't open up it's port in CHX-I. Are the rules from wan_start to permissive? any problem with my filter rules? any assistance is much appreciated... thanks in advance!

 

Hi glentium,
The rules are not what I would use myself. But they will block inbound connections.

With Utorrent, you will be downloading with the outbound (TCP) connections you make, plus, the rules will allow ALL inbound UDP (on any port) and Utorrent will download/upload via UDP

 

Thanks for that info Stem. Is that a bad thing? Does that mean that with that ruleset, it's basically just a little tighter than Windows Firewall?

If you don't mind, would you please help me in making my ruleset more restrictive?

 

glentium,

That rules are from the CHX author, and is to start using CHX, after that every user have to change for their own needs...

If you want that uTorrent works correctly, with that rules, you must have to create a incoming filter to allow traffic to specified port on uTorrent.

You can check the Network Status on uTorrent that indicates if everything is right with the connection.
http://www.utorrent.com/faq.php#What_do_the_Network_Status_lights_mean.3F

Regards

 

Thanks VC! first of, I do know how to open uTorrent port from your post here: https://www.wilderssecurity.com/showpost.php?p=790731&postcount=11

the thing is how can I first restrict connections then individually allow ports I need open?

 

Hello glentium,

I dont place rules as shown in the ruleset.
I would normally place rules to allow outbound. For inbound TCP, I place a rule to block inbound TCP SYN. To allow a port, I edit the rule, so it is: Block inbound SYN ~local port(to allow the inbound) NOT.

 

so the TCP&UDP_NO_SYN is the one allowing all connection?

 

No, that rule will block inbound TCP connections (SYN packets), but will allow all inbound UDP.

If you are connected directly to the internet, Run a shieldsup scan.

 

Glentium, utorrent will work since you are using it through a proxy. Don't use it through a proxy and it won't work. Also, don't use torrents in tor since it really screws over the network and makes it much slower, so it is a really inconsiderate thing to do. CHX-I rules are perfectly fine, you just don't understand why it is working. The TCP connection is occuring at the tor server, not at your computer, so CHX-I can't block it since there is nothing to block.

Cheers,

Alphalutra1

 

That rule is to allow only the traffic TCP/UDP that are not SYN, and is to use with the TCP and UDP Stateful Inspection enable.

 

Only TCP can be "SYN".

But yes, I stand corrected, the SPI will block unsolicited inbound UDP

 

@Alphalutra: Thanks. I am not using Tor for actual peer-to-peer connections. I setup Tor in uTorrent as specified in Tor wiki itself (here: http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO#head-0d047b05e9b93c23cec9198550816a114012bde0), so I don't think it would be a problem as to Tor network slowdowns. Also, I tried uTorrent on a fresh install of WXP, without Tor, and it still worked right away as mention in the first post. But you said it right, I don't understand it at first why it's working right away. But it seems to me now that the ruleset is not that bad since it blocking TCP SYN and other unsolicited connections. Although, I really want to learn how to make it more restrictive since it's I think it's quite permissive at the moment...

------
@Stem: "For inbound TCP, I place a rule to block inbound TCP SYN. To allow a port, I edit the rule, so it is: Block inbound SYN ~local port(to allow the inbound) NOT."
------
I'll expiriment more on this to see.. thanks!

-------
@Stem: "If you are connected directly to the internet, Run a shieldsup scan."
-------
I'm actually connecting through a proxy in our network which serves as the firewall (linux) so most online scans I ran detect that firewalls port.. Is there an offline port scanner so I can check my stealth settings more accurately? I use a similar CHX-I setup in my other desktop connected to our network, no internet, but I had to add rules to allow DNS and Broadcast to make it work..

*****
Another question, why do I see blocked connections in CHX-I log where neither incoming or outgoing IP is my computer?

I want to thank you all guys for assisting me here. I'm learning so much from all of you.

 

Hello glentium,
Scans can be made over the LAN using nmap. I ran a scan with CHX installed using the above ruleset, and the result where closed and open ports. The open ports where the windows services I had re-enabled for the scan.

As for the blocked connections, this is probably broadcasts or packets directed at other nodes. Have you an example?

I am going to re-install CHX, and have a long look today, (as it as been a while, so I need to refresh my memory on this packet filter).

 

When I used CHX-I, with that samples, my system was completly stealth...

 

VaMPiRiC_CRoW,
I will re-install and make an online scan and post the result.

update,
Have set up, using above ruleset, with SPI enabled (on DMZ pc).

Shieldsup: Common ports scan

 

Stem,

You must doing something wrong...

 

VaMPiRiC_CRoW,

Such as?

I have enabled all SPI, and simply loaded the rule file. Results of scan the same on XP and W2K.

Edit
On checking, I am seeing that my ISP is filtering ports 139 and 445.
Port 1720 is comming through, so that is the only port showing as "Stealth" by CHX on this online scan.

 

I think something is wrong with chx-i I am going to install it and report back to my findings...

UPDATE
This one version isn't installing and refuses to saying it is being interrupted (too bad my only other security app SSM is disabled , I will try installing an older version of v3), nevermind, that doesn't work. What the heck is going on with my computer that won't let me install it


Cheers,

Alphalutra1

 

Hello Alphalutra1,

This to me(or anyone) is not a problem using CHX. Simply adding a rule to block inbound TCP SYN to that ruleset gives full "Stealth" and aliviates this. I have included such a rule, (but wanted to see (after running for a good time) if this may cause problems) but all OK.

 

Okay Stem, it was a misunderstanding. I thought you already had just the default ruleset, my bad.

As to glentium, here is what the documentation you pointed me out to says about using bittorent on tor

. So please don't do it since it really makes tor slow for other people. Also, if you have something illegal to do, do it in a safer means then bittorrenting (newsgroups), or don't do it at all.

Cheers,

Alphalutra1

 

The default ruleset (as posted) does give the above scan results(on this setup),.. I know too little of CHX to comment more as yet.

 

With the not syn flag option checked?

 

Alphalutra1,

Yes,

by the way, be quick, online help files http://www.idrci.net/html/chx3_content.htm soon to go, have a good read

 

Hi Stem

If you using a Router, It’s a good chance that it’s the reason for the stealthed ports (139, 445).

I quickly glanced at the wan_start ruleset and see that there is oddly a rule named ‘***Incoming ARP’ in there, I find it difficult to believe this is the original and untouched ruleset file that had been received from the official website… Anyways whoever made this here rule clearly doesn’t understand the workings of CHX-I packet-filter…. Delete this rule and re-run the scans (if you made changes, start fresh).

 

No, you need the rule or else your ethernet connection won't work (ARP filtering was added to CHX-I v 3) Allowing all ARP gives you the same protection as in v2, except that some malicious types are automatically detected(in the interface rules portion along with enabling/disabling SPI, etc)

Cheers,

Alphalutra1