CHX-I questions... again :)

Discussion in 'other firewalls' started by glentrino2duo, Feb 15, 2007.

Thread Status:
Not open for further replies.
  1. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    You can believe.
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Just to clear this up, I installed CHX with the WAN_start.sfd filters and tested it again.

    The result was what I already knew: it completely stealthed my connection, like the last time I used it...

    I'm using CHX 3.0 (2006-09-01) and WAN_start.sfd (2005-11-18)
    I think this was the latest released version, and I remember it had an issue importing the filters, as you can see in the picture below regarding the "***Deny Ingress Filters".

    http://img181.imageshack.us/img181/9913/chxfiltersim8.png

    http://img185.imageshack.us/img185/3089/chxwirelesspropertiesyz2.png
     
  3. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    @Phantom, yeah, I noticed that Incoming ARP rule, and quite frankly, I don't know what it's for. I'll try disabling that and check..

    @Stem, thanks! I'll try nmap now..

    @Alphalutra1, first of all, I am not doing anything illegal. It's more of a privacy/anonymity concern. I've been using uTorrent (BitComet before that) for over a year without any anonymization, to download several Linux distros. Then I read about JAP and Tor, so I tried them both, all for the sake of trying it out. When I first tried Tor, I read in the documentation about torrifying TRACKER traffic and not TORRENT (DATA) traffic, so I tried it. Since it seems to be doing fine, I opted: why not use it as a default setting? As many of us in Wilders do, it all started when trying out different 'security/privacy' apps and then sticking to the ones that work... :)
    Torrifying tracker traffic does not tax Tor servers. It's the torrent or data transfers between peers that put a terrible strain on Tor servers. Torrifying data would make peer-to-peer peer-to-(tor-to-tor-to-tor)-to-peer. I would personally not like that, since it would then take eons before my downloads get completed. At least, that's how I understand the documentation. But if I really misunderstood it and I should not torrify TRACKER traffic, then I would not do it anymore. Best regards! :)

    What really concerned me, and prompted me to start this thread, is "why did it work right away with the provided wan_start rules for CHX-I?" I wish I could have a more restrictive ruleset, 'cause otherwise it would defeat the very purpose of me using CHX-I in the first place..

    Now, my CHX-I adventures resume.......... (background music: Indiana Jones) :)
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I see what Stem's doing. Stem, you're importing the ruleset directly to the IP section in ‘Local Area Connections’, where ARP controls aren’t available.
     
  5. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    @Phantom: the ruleset might look different because I added that ***Deny Ingress Filters as suggested by Vampiric_Crow from another thread. Actually, I have it disabled and I forgot to update my screenshot.

    @VC: So the wan_start ruleset is okay to use, and I shouldn't be concerned about the uTorrent issue I mentioned in the first post? By the way, I use uTorrent inside Sandboxie anyway.
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    If you import directly to the IP section listed in ‘Local Area Connections (general naming)’ area, the ruleset imports won’t be proper, import directly to the network interface node, then make changes (except leave the ARP and DHCP rules)… And re-run online scans :D
     
  7. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    @Stem, regarding nmap, is this the right command to scan the ports: nmap -v -sV **.**.**.** (my ip)
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi glentium

    There is nothing wrong with that ruleset, and you would be able to BitTorrent. It’s just that remotely generated BitTorrent packets will be denied; ‘Force Allow’ should be done IF you would like quick and speedy downloads.
     
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    You should read what I said in my last post about that filter ;)

    I can work with that ruleset without any problems, so the answer is yes.
    Like I said in my first post, even if you don't create an incoming filter for uTorrent, the program will continue to work, but in a restricted way.
    You can read about that here:
    http://www.utorrent.com/faq.php#What_do_the_Network_Status_lights_mean.3F
    and
    http://www.utorrent.com/faq.php#Why_are_my_torrents_going_so_slow.3F

    Note: Development of this firewall has stopped, so I don't advise you to use it, even though it has great protection for incoming connections.
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    To probe open ports to determine the service & version info, yes...

     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Even though development of this packet filter has stopped, it is still an excellent packet filter for Win2K/XP systems. Those who are being drawn to it now, after the fact, should be happy: before development stopped there had been a fair amount of interest in CHX-I, so support isn’t at a halt.

    IPv6 I don’t think is supported by this packet-filter, but this shouldn't be a problem for awhile... ;)
     
  12. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    @VC: I was actually only looking to beef up Windows Firewall, so CHX-I came up. First off, I'm in a non-commercial organization. On my computer connected to the Internet, I am behind a Linux proxy/firewall, so CHX-I would just be an additional layer for incoming traffic. Since it's very light on resources, I think it wouldn't be overkill. Plus it would protect me from other computers on my network; they may not be as security conscious as I am. The other scenario where I use CHX-I is on both my notebook and desktop connected to our network, with no Internet. But some in our network are careless about flash drives, so malware might still get into the internal network. We actually had a case where a worm got in. Since we were then in the process of upgrading to XP SP2, those that were still on SP1 got infected. So I use CHX-I in this scenario also, just to beef up WF. Now, my security tools for whatever has got in, in both scenarios, would be another topic.. :)
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Phant0m,
    The PC was in the DMZ. On my checks, packets from the online scan were not received on those ports.

    Import of the filter file was onto the NIC interface.

    I will set it up again later with a different NIC. I would normally not use such a ruleset with CHX as posted here, but will re-check.

    update:
    I have found another copy of CHX3. I don't know if this is a different build or whether my other copy is corrupt/bad (file size difference), but it is now working correctly with the ruleset shown (all ports filtered).
     
    Last edited: Feb 17, 2007
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello glentium,
    You can just run a standard scan:- nmap (IP to scan)
     
  15. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Hi Stem, thanks for all the assistance.

    Re: Using nmap and CHX-I with the wan_start filters mentioned earlier

    Result reference from nmap website: http://insecure.org/nmap/man/man-port-scanning-basics.html

    with standard scan - all ports are filtered
    with -sS (TCP SYN) - all ports are filtered
    with -sT (TCP Connect) - all ports are filtered EXCEPT
    PORT STATE SERVICE
    21/tcp open ftp
    with -sU (UDP) - all ports are open|filtered
    with -sN (TCP Null) - all ports are open|filtered
    with -sF (TCP FIN) - all ports are open|filtered
    with -sX (TCP Xmas) - all ports are open|filtered
    with -sA (TCP ACK scan) - all ports are filtered
    with -sW (TCP Window scan) - all ports are filtered
    with -sM (TCP Maimon scan) - all ports are open|filtered
    with -sI (Zombie scan) - all ports are closed|filtered
    with -f (fragment packets) - all ports are filtered (of course)

    ******
    except for 21/tcp, which shows as open in the TCP connect scan, everything seems to be fine..
    with -sV (service detection), however, all ports are filtered
    ******
    so can anyone help me make a rule to close port 21/tcp, or shouldn't I bother? Also, since we use "net send" within our network, is there a better/safer way than opening port 139 for "net send" to work?
     
    Last edited: Feb 17, 2007
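    The scan list above mixes scan types that can prove a port is open with ones that cannot say anything definite against a filter that silently drops probes. The following is an added example, not code from the thread or from CHX-I: it parses nmap "normal output" fragments for a battery of scan types, fills in each scan's "Not shown"/"All ... are" default for unlisted ports, and reports which ports any scan saw as plainly open, which scan types were inconclusive (only open|filtered), and where scan types disagree, as -sT and -sS do for 21/tcp in the post. The sample output, host address and port counts are constructed for the example, and the mapping of -sU to UDP and every other flag to TCP is an assumption of this script.

```python
import re
from collections import defaultdict

# Constructed nmap "normal output" fragments, one per scan type, modelled on
# the result list in the post above (address and port counts are made up).
SAMPLE_RESULTS = {
    "-sS": "All 1680 scanned ports on 192.0.2.10 are filtered\n",
    "-sT": ("Not shown: 1678 filtered ports\n"
            "PORT    STATE    SERVICE\n"
            "21/tcp  open     ftp\n"
            "139/tcp filtered netbios-ssn\n"),
    "-sA": "All 1680 scanned ports on 192.0.2.10 are filtered\n",
    "-sN": ("Not shown: 1679 open|filtered ports\n"
            "PORT   STATE         SERVICE\n"
            "21/tcp open|filtered ftp\n"),
    "-sU": ("Not shown: 1487 open|filtered ports\n"
            "PORT    STATE         SERVICE\n"
            "137/udp open|filtered netbios-ns\n"),
}

# Longer alternatives first so "open|filtered" is not cut down to "open".
STATES = r"open\|filtered|closed\|filtered|open|closed|filtered|unfiltered"
PORT_LINE = re.compile(rf"^(\d+)/(tcp|udp)\s+({STATES})\b", re.M)
DEFAULT_LINE = re.compile(
    rf"^(?:Not shown: \d+ |All \d+ scanned ports on \S+ are )({STATES})", re.M)
# States that settle the question; the "x|filtered" states mean "no answer".
DEFINITE = {"open", "closed", "filtered", "unfiltered"}


def scan_proto(flag):
    """Assumption for this example: -sU probes UDP, every other flag TCP."""
    return "udp" if flag == "-sU" else "tcp"


def parse_scan(text):
    """Return (explicit {port: state}, default state for unlisted ports)."""
    ports = {f"{m.group(1)}/{m.group(2)}": m.group(3)
             for m in PORT_LINE.finditer(text)}
    m = DEFAULT_LINE.search(text)
    return ports, (m.group(1) if m else None)


def port_matrix(results):
    """{port: {scan_flag: state}} for every port any scan listed, filling in
    each scan's default for ports it did not list explicitly."""
    parsed = {flag: parse_scan(text) for flag, text in results.items()}
    all_ports = {p for ports, _ in parsed.values() for p in ports}
    matrix = defaultdict(dict)
    for port in all_ports:
        proto = port.split("/")[1]
        for flag, (ports, default) in parsed.items():
            if scan_proto(flag) != proto:
                continue
            state = ports.get(port, default)
            if state is not None:
                matrix[port][flag] = state
    return dict(matrix)


def _port_key(port):
    number, proto = port.split("/")
    return (proto, int(number))


def exposed_ports(results):
    """Ports that at least one scan type reports as plainly open."""
    return sorted((p for p, s in port_matrix(results).items()
                   if "open" in s.values()), key=_port_key)


def disagreements(results):
    """Ports on which scan types reach different definite conclusions."""
    out = {}
    for port, by_scan in port_matrix(results).items():
        definite = {f: s for f, s in by_scan.items() if s in DEFINITE}
        if len(set(definite.values())) > 1:
            out[port] = definite
    return out


def inconclusive_scans(results):
    """Scan types whose output never reaches a definite state; against a
    drop-everything filter the NULL/FIN/Xmas/Maimon/UDP scans can only
    report open|filtered, so they prove nothing on their own."""
    flags = []
    for flag, text in results.items():
        ports, default = parse_scan(text)
        states = set(ports.values()) | ({default} if default else set())
        if states and not (states & DEFINITE):
            flags.append(flag)
    return sorted(flags)


if __name__ == "__main__":
    print("exposed:", exposed_ports(SAMPLE_RESULTS))
    print("inconclusive scans:", inconclusive_scans(SAMPLE_RESULTS))
    for port, views in disagreements(SAMPLE_RESULTS).items():
        print("disagreement on", port, views)
```

    The disagreement check is the useful part: a connect scan (-sT) going through the local TCP stack while a SYN scan (-sS) sent from a raw socket sees the same port as filtered is exactly the kind of mismatch worth chasing down before deciding a filter rule is needed.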
  16. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Phant0m and glentium,

    I was one of the few people who tried to share all the power of CHX over the last 1.5 years, but for me a program must have continuous development and support; otherwise you will have problems like these, because the information does not exist and very few know about it... I remember that this version still has a few annoying bugs, like creating some filters and other lists, so it still needs a lot of work to become really effective.

    Now you just have to decide if you still want to use it with all these cons...
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I would like to know why that port is open...

    If you want, I can send you useful rules for Windows File Sharing and P2P.

    I can also share my version of CHX...
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi Stem

    In this case it’ll be your ISP/ISP xDSL/Cable+ modem filtering, normally ports 135, 139, 445.

    If the installation file were corrupted/bad I’m sure you would know when trying to install; hashing, though, would easily let you know whether the new download is the same thing or not.

    The most recent of v3.0 contains MD5 hash - 17dcfc9c45491c4b358de0165a8d1c05.
     
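    As an added example (not from the thread), here is the check the post describes: compute the MD5 of a downloaded installer and compare it with the published hash before installing. It assumes md5sum (coreutils) or, failing that, openssl is on PATH; the file name in the usage comment is hypothetical. MD5 is not collision-resistant, so this catches a corrupt or accidentally different download, not a deliberately crafted substitute; prefer a SHA-256 from the publisher when one exists.

```sh
#!/bin/sh
# Added example: verify a download against a published MD5.

# Print the lowercase hex MD5 of a file, using md5sum or openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED_HEX  -> exit status 0 on match, 1 on mismatch.
# EXPECTED_HEX may be upper or lower case; it is normalised before comparing.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "FAIL $file: not readable" >&2; return 1; }
    actual=$(md5_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file got $actual expected $expected" >&2
    return 1
}

# Usage (hypothetical file name, hash as posted above):
#   verify_md5 chx-i-3.0-setup.exe 17dcfc9c45491c4b358de0165a8d1c05
```

    Two downloads with different sizes, as in Stem's case, will never share an MD5, so a mismatch here settles "is this the same build?" even though it cannot by itself prove the file is the genuine release.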
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi VaMPiRiC_CRoW

    Yes I know, I have been observing. :)
     
  20. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Correct.
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
  22. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I've got the same MD5 hash. :D

    @VC: I would love that. Please share those filter rules with me. Jetico v1, Kerio 2.1.5, Sygate and a few others have their loyal following despite their development also having halted or having been replaced by newer versions, so CHX-I might still be useful for the next 1 or 2 years. Besides, it allows me to learn a lot about TCP/IP security.
     
    Last edited: Feb 17, 2007
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Phant0m,
    The 2 versions I have do not match the checksum. So I have downloaded another copy, and this one does match the checksum. How many builds of CHX3 were there?
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Would anyone like to compare CHX-I with Ghostwall in terms of features, performance, etc?
    Thanks in advance.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello glentium,
    I am not seeing this. The scans show this port as filtered on my setup (after installing the latest version).
    Have you anything listening on that port?
     