CHX-I questions... again :)

Discussion in 'other firewalls' started by glentrino2duo, Feb 15, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The spoofing should be taken care of by the SPI. Adding the UDP&TCP_NO_SYN would not block connections within the LAN, due to the "Force allow" rule for the LAN segment.

    The broadcast for the LAN depends on the router IP; as an example, on a LAN with router IP 192.168.1.1, the broadcast is 192.168.1.255 (the last number is always 255). You also get internet broadcasts made within the LAN to IP 255.255.255.255.

    DNS servers: this will depend on your setup. If you are taking your IP via DHCP from the router, then the router will pass the DNS server IPs to your setup. Go to the Windows Start / Run / type cmd / in the command window, type ipconfig /all; this will show you (with other info) your DNS server IPs. You could add these to a list within CHX and create a rule to bind the IPs (this I normally do myself), but it can cause problems if your server IPs change.
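    The two addresses a LAN "Broadcast" rule needs, and the DNS server list for a bound "DNS" rule, can be derived from the same ipconfig /all output Stem mentions. The script below is an added example written for this thread (not CHX-I code, not from any poster); it computes the subnet broadcast from the mask, which generalises the /24 case in the post, and parses the DNS servers out of ipconfig text. The ipconfig sample, the 192.168.1.20 workstation address and the 192.0.2.53 DNS server are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

LIMITED_BROADCAST = "255.255.255.255"


def broadcast_address(ip: str, netmask: str) -> str:
    """Directed broadcast of the subnet that ip/netmask belongs to (all host bits set)."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


def classify_destination(dst: str, local_ip: str, netmask: str) -> str:
    """How a LAN workstation should read a destination IP when writing its filter rules."""
    net = ipaddress.IPv4Network(f"{local_ip}/{netmask}", strict=False)
    d = ipaddress.IPv4Address(dst)
    if dst == LIMITED_BROADCAST:
        return "limited-broadcast"      # 255.255.255.255, e.g. a DHCP discover
    if d == net.broadcast_address:
        return "subnet-broadcast"       # e.g. 192.168.1.255 on a /24 (NetBIOS name queries)
    if d in net:
        return "local-unicast"          # same segment, no gateway involved
    return "remote-unicast"             # leaves via the router


# Windows 'ipconfig /all' prints "Key . . . . : value"; a multi-valued field such as
# "DNS Servers" continues on indented lines that hold only the next value.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(?P<val>.*?)\s*$")
_CONT = re.compile(r"^\s+(?P<val>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text: str) -> Dict[str, object]:
    """Extract the local IP, subnet mask and DNS server list from ipconfig /all output."""
    ip: Optional[str] = None
    mask: Optional[str] = None
    dns: List[str] = []
    last_key: Optional[str] = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            key, val = m.group("key").strip().lower(), m.group("val")
            last_key = key
            if key in ("ip address", "ipv4 address"):     # XP and Vista+ spellings
                ip = val.split("(")[0].strip()            # drop a trailing "(Preferred)"
            elif key == "subnet mask":
                mask = val
            elif key == "dns servers":
                dns.append(val)
            continue
        c = _CONT.match(line)
        if c and last_key == "dns servers":               # continuation of the DNS list
            dns.append(c.group("val"))
    return {"ip": ip, "mask": mask, "dns": dns}


# Constructed sample in the layout of Windows XP 'ipconfig /all' (not a real capture).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.0.2.53
"""


def lan_rule_targets(ipconfig_text: str) -> Dict[str, object]:
    """Addresses a LAN 'Broadcast' rule and a bound 'DNS' rule need, from ipconfig /all."""
    info = parse_ipconfig(ipconfig_text)
    return {
        "subnet_broadcast": broadcast_address(str(info["ip"]), str(info["mask"])),
        "limited_broadcast": LIMITED_BROADCAST,
        "dns_servers": list(info["dns"]),  # type: ignore[arg-type]
    }


if __name__ == "__main__":
    print(lan_rule_targets(SAMPLE_IPCONFIG))
    # The "last octet is 255" shortcut only holds for a /24; other masks differ:
    for ip, mask in (("192.168.1.1", "255.255.255.0"),
                     ("10.0.0.5", "255.255.255.128"),
                     ("172.16.4.9", "255.255.252.0")):
        print(ip, mask, "->", broadcast_address(ip, mask))
```

    Binding a DNS rule to the parsed server list is what makes the rule break when DHCP hands out different servers, so re-run the parse whenever the lease changes.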
     
  2. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I already have rules for broadcast and DNS. I was just thinking of restricting it a bit by adding a condition making sure I requested the communication first. Will be experimenting again by restricting outgoing to find out what communications are initiated to the broadcast and DNS.
     
  3. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    UPDATE:
    After playing with the LinkSys filter sets, I find them a bit complex. Some ports showed as closed. The wan_start filter set seems more compatible and convenient under most situations. It's simple and functional. You get completely stealthed. If used on a LAN workstation though, at least in my case, rules must be added for Broadcast and DNS. For Windows File Sharing, at least port 139/tcp (it worked for me in our LAN environment without opening up 137, 138 and 445) must be opened, limited to the local IP address for security. For extra tightening, outbound can also be restricted. Though I'm still not sure if it really makes sense doing it, I basically made outbound rules for common TCP/UDP ports 1024-5000, broadcast, ICMP and ARP. That's about it. Since it doesn't include application control, I use PCTools Firewall Plus with no network filters, though one can always add IPv6-related network filters in it since CHX-I would not handle it. Add to that the indispensable SSM Free, and you get an excellent security combo. And with on-demand and standalone spyware/antivirus scanners, you're almost covered! :)
     
  4. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    glentium,

    Did you try Comodo Firewall Pro?
     
  5. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Yes, that's what I install for friends; less support work for me... :)
     
    Last edited: Feb 22, 2007
  6. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    UPDATE:
    After experimenting with CHX-I the past few weeks, I can say that I'm very satisfied with it. It's simple yet very functional. Many thanks go to the great support I get from Wilders. Thanks to Stem, Vampiric_Crow and Alphalutra1! :)

    Occasionally, though, I still get this port 21/tcp showing as open with nmap. I found out that some others are also having this problem and it seems to be an nmap "false positive" problem with Win32 hosts... (source: http://seclists.org/nmap-dev/2006/q3/0128.html)
     
  7. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    Yo :) First off, thanks for all the tips, filters etc. :)

    Anyway, my setup (host, 2 NICs, ICS to Xbox NIC):

    * VIA RHINE NIC -- HOST/Internet

    * Rules: Wan_Start imported on MAC address

    * Enabled all SPI options

    A scan on https://www.grc.com/x/ne.dll?rh1dkyd2 is fully stealthed
    Code:
    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests........But your system wisely remained silent in every way. Very nice.
    http://pix.nofrag.com/b0/a5/9aa054cb504d836038ec7326ac24.jpg

    http://pix.nofrag.com/67/5e/f894685b8596e24341d9a5377fa1.jpg



    * REALTEK NIC -- ICS/192.168.2.1 -- Shared to XBOX/Static IP - 192.168.2.120

    * Rules: TW_SMC_Filters.sfd imported on MAC address
    "Allows" 192.168.2.0 range

    * All SPI options Enabled

    http://pix.nofrag.com/dc/85/310c9ad4ef780226db2b72e6e3cc.jpg

    Xbox settings:
    192.168.2.120 Static IP
    255.255.255.0 MASK
    192.168.2.1 DEF GATEWAY
    192.168.2.1 DNS

    Without an "Allow ARP" rule on 192.168.2.1 no connection can be made (ping, FTP etc.)?

    Added the ARP rule and some rules for streaming "Shoutbox", "The Weather Channel" for the Xbox,

    then it works alright :)

    PS: disabled "internet filtering" for LnS


    Anyway, can anyone confirm this is a good setup? BTW, does anyone know more about "payload" filters? Any good tutorials?
     
  8. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I wish I could help you, but I don't use ICS...
    but you can use nmap to check your settings...
     
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Neither do I...

    This is the problem with CHX, the support...
     
  10. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    I used nmap on 192.168.2.120 and like yours, port 21 seems open? All the rest closed.
    Sometimes it shows "filtered"... not always though.


    Can you please post some useful nmap commands to scan both my NICs?
    Thanks!!
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi fred22,
    I don't have any spare time at the moment, but will set up ICS when I can.
    I don't know of any tutorials; I only know the basics (never really looked into this that much). I did make a post concerning payload size of DNS packets here.

    glentium posted some on this thread, or go to the nmap website.
     
  12. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    Thanks Stem for the replies. Please do look into ICS if you have the time ;)
    The payload filter is stuff I can't handle without a good guide hehe.. :p

    CONN (20.3750s) TCP localhost > 192.168.2.120:351 => Unknown error
    CONN (20.4060s) TCP localhost > 192.168.2.120:437 => Unknown error
    CONN (20.4060s) TCP localhost > 192.168.2.120:213 => Unknown error
    CONN (20.4060s) TCP localhost > 192.168.2.120:306 => Unknown error
    CONN (21.3750s) TCP localhost > 192.168.2.120:204 => Unknown error
    CONN (21.3750s) TCP localhost > 192.168.2.120:402 => Unknown error
    CONN (21.3750s) TCP localhost > 192.168.2.120:325 => Unknown error
    CONN (22.3750s) TCP localhost > 192.168.2.120:415 => Unknown error
    CONN (22.3750s) TCP localhost > 192.168.2.120:261 => Unknown error
    CONN (22.3750s) TCP localhost > 192.168.2.120:372 => Unknown error
    CONN (22.4220s) TCP localhost > 192.168.2.120:204 => Unknown error
    CONN (23.4530s) TCP localhost > 192.168.2.120:372 => Unknown error
    CONN (24.3910s) TCP localhost > 192.168.2.120:261 => Unknown error
    ...........
    CONN (87.2660s) TCP localhost > 192.168.2.120:264 => Unknown error
    CONN (87.2660s) TCP localhost > 192.168.2.120:312 => Unknown error
    Completed Connect() Scan at 23:32, 88.19s elapsed (309 total ports)
    Host 192.168.2.120 appears to be up ... good.
    All 309 scanned ports on 192.168.2.120 are closed

    Nmap finished: 1 IP address (1 host up) scanned in 88.266 seconds

    C:\nmap-4.20>nmap 82.17x.xxxx.xxx -p 137-139 -sT -P0 --packet_trace -n -vv

    Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-14 23:32 W. Europe Standar
    d Time
    Initiating Connect() Scan at 23:32
    Scanning 82.17x.xxxx.xxx [3 ports]
    CONN (0.0780s) TCP localhost > 82.17x.xxxx.xxx:138 => Unknown error
    Strange error from connect (10022):No such file or directory
    CONN (0.0930s) TCP localhost > 82.17x.xxxx.xxx:139 => Unknown error
    CONN (0.0930s) TCP localhost > 82.17x.xxxx.xxx:137 => Unknown error
    Completed Connect() Scan at 23:32, 0.01s elapsed (3 total ports)
    Host 82.17x.xxxx.xxx appears to be up ... good.
    Interesting ports on 82.17x.xxxx.xxx:
    PORT STATE SERVICE
    137/tcp closed netbios-ns
    138/tcp closed netbios-dgm
    139/tcp closed netbios-ssn


    Nmap finished: 1 IP address (1 host up) scanned in 0.093 seconds

    C:\nmap-4.20>nmap 192.168.2.1 -p 20-22 -sT -P0 --packet_trace -n -vv

    Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-14 23:32 W. Europe Standar
    d Time
    Initiating Connect() Scan at 23:32
    Scanning 192.168.2.1 [3 ports]
    CONN (0.2030s) TCP localhost > 192.168.2.1:22 => Unknown error
    Strange error from connect (10022):No such file or directory
    CONN (0.2030s) TCP localhost > 192.168.2.1:21 => Unknown error
    CONN (0.2030s) TCP localhost > 192.168.2.1:20 => Unknown error
    Completed Connect() Scan at 23:32, 0.00s elapsed (3 total ports)
    Host 192.168.2.1 appears to be up ... good.
    Interesting ports on 192.168.2.1:
    PORT STATE SERVICE
    20/tcp closed ftp-data
    21/tcp closed ftp
    22/tcp closed ssh


    Nmap finished: 1 IP address (1 host up) scanned in 0.219 seconds


    Scanning 192.168.2.120 [3 ports]
    CONN (0.1090s) TCP localhost > 192.168.2.120:22 => Unknown error
    Strange error from connect (10022):No such file or directory
    CONN (0.1090s) TCP localhost > 192.168.2.120:21 => Unknown error
    CONN (0.1090s) TCP localhost > 192.168.2.120:20 => Unknown error
    Completed Connect() Scan at 23:43, 0.01s elapsed (3 total ports)
    Host 192.168.2.120 appears to be up ... good.
    Interesting ports on 192.168.2.120:
    PORT STATE SERVICE
    20/tcp closed ftp-data
    21/tcp closed ftp
    22/tcp closed ssh



    C:\nmap-4.20>nmap 192.168.2.120 -p 137-139 -f

    Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-14 23:45 W.
    d Time
    Initiating ARP Ping Scan at 23:45
    Scanning 192.168.2.120 [1 port]
    SENT (0.3910s) ARP who-has 192.168.2.120 tell 192.168.2.1
    RCVD (0.3910s) ARP reply 192.168.2.120 is-at 00:0D:3A:3B:C5:B6
    Completed ARP Ping Scan at 23:45, 0.30s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 23:45
    Scanning 192.168.2.120 [3 ports]
    SENT (0.3910s) TCP 192.168.2.1:63737 > 192.168.2.120:138 ?? ttl=57
    =28 frag offset=0+ seq=610213030 (incomplete)
    SENT (0.3910s) TCP 192.168.2.1:?? > 192.168.2.120:?? S ttl=57 id=2
    rag offset=8+ option incomplete
    ..........................
    RCVD (0.7820s) TCP 192.168.2.120:1128 > 192.168.2.1:139 A ttl=64 i
    40 seq=455837092 win=61507 ack=3510162558
    RCVD (0.7820s) TCP 192.168.2.120:1128 > 192.168.2.1:139 PA ttl=64
    =99 seq=455837092 win=64512 ack=3510162558
    RCVD (0.7820s) TCP 192.168.2.120:1128 > 192.168.2.1:139 A ttl=64 i
    40 seq=455837151 win=64440 ack=3510162630
    SENT (1.5160s) TCP 192.168.2.1:63738 > 192.168.2.120:137 ?? ttl=45
    n=28 frag offset=0+ seq=610147495 (incomplete)
    SENT (1.5160s) TCP 192.168.2.1:?? > 192.168.2.120:?? S ttl=45 id=1
    frag offset=8+ option incomplete
    SENT (1.5160s) TCP 192.168.2.1:?? > 192.168.2.120:?? ?? ttl=45 id=
    frag offset=16 (incomplete)
    SENT (1.5160s) TCP 192.168.2.1:63738 > 192.168.2.120:139 ?? ttl=49
    =28 frag offset=0+ seq=610147495 (incomplete)
    SENT (1.5160s) TCP 192.168.2.1:?? > 192.168.2.120:?? S ttl=49 id=6
    rag offset=8+ option incomplete
    SENT (1.5160s) TCP 192.168.2.1:?? > 192.168.2.120:?? ?? ttl=49 id=
    frag offset=16 (incomplete)
    SENT (1.5160s) TCP 192.168.2.1:63738 > 192.168.2.120:138 ?? ttl=48
    n=28 frag offset=0+ seq=610147495 (incomplete)
    SENT (1.5160s) TCP 192.168.2.1:?? > 192.168.2.120:?? S ttl=48 id=2
    frag offset=8+ option incomplete
    SENT (1.5160s) TCP 192.168.2.1:?? > 192.168.2.120:?? ?? ttl=48 id=
    frag offset=16 (incomplete)
    Completed SYN Stealth Scan at 23:45, 1.25s elapsed (3 total ports)
    Host 192.168.2.120 appears to be up ... good.
    Interesting ports on 192.168.2.120:
    PORT STATE SERVICE
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn

    MAC Address: 00:0D:3A:xxxxxxx

    No logs (CHX-I) are made?! And it doesn't show up as filtered. Am I using the commands wrong? Bad CHX-I setup?
    GRC = stealth though.
     
    Last edited: Mar 15, 2007
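    The port table nmap prints is what answers "stealthed or not": a port reported as filtered means the probe got no reply (or an ICMP unreachable), i.e. the packet was dropped; closed means the target answered with a RST, so the host is reachable even though nothing listens there; open means a listener answered. A run that also prints "Strange error from connect (10022)" (Winsock error 10022 is WSAEINVAL, so the connect attempt itself failed and no probe was sent for that port) should not be trusted, which is what happens when scanning from the ICS host towards its own client as in the post above. The script below is an added example for this thread, not nmap code and not from any poster; the two sample outputs are constructed in the layout of nmap 4.x normal output, with the 192.0.2.10 target made up for the example.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed samples in the shape of nmap 4.x normal output (not copied from a real scan).
SAMPLE_RESPONDING = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-14 23:32 W. Europe Standard Time
Initiating Connect() Scan at 23:32
Scanning 192.0.2.10 [3 ports]
CONN (0.0780s) TCP localhost > 192.0.2.10:138 => Unknown error
Strange error from connect (10022):No such file or directory
Completed Connect() Scan at 23:32, 0.01s elapsed (3 total ports)
Host 192.0.2.10 appears to be up ... good.
Interesting ports on 192.0.2.10:
PORT    STATE  SERVICE
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
"""

SAMPLE_STEALTHED = """\
Interesting ports on 192.0.2.10:
PORT    STATE    SERVICE
21/tcp  filtered ftp
137/tcp filtered netbios-ns
139/tcp filtered netbios-ssn
"""

PORT_LINE = re.compile(
    r"^\s*(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)
CONNECT_ERR = re.compile(r"^Strange error from connect \((\d+)\)")


def parse_nmap_ports(text: str) -> Dict[Tuple[int, str], str]:
    """Map (port, proto) -> state from the 'PORT STATE SERVICE' table of normal output."""
    ports: Dict[Tuple[int, str], str] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def connect_errors(text: str) -> List[int]:
    """Socket error codes nmap complained about during a connect() (-sT) scan."""
    return [int(m.group(1)) for m in map(CONNECT_ERR.match, text.splitlines()) if m]


def scan_verdict(ports: Dict[Tuple[int, str], str], errors: Sequence[int] = ()) -> str:
    """Read the port states as a statement about the filter in front of the target."""
    if not ports:
        return "no-ports"
    if errors:
        return "unreliable"        # connect() itself failed; no probe reached the target
    states = set(ports.values())
    if "open" in states:
        return "open-visible"      # a listener answered
    if "closed" in states:
        return "responding-closed" # RSTs came back: reachable, not stealthed
    if states <= {"filtered", "open|filtered"}:
        return "stealthed"         # every probe was dropped
    return "mixed"


def suggested_scans(target: str, ports: str = "1-1024") -> List[str]:
    """Command lines to run from ANOTHER machine on the segment (never from the host itself).
    -P0 is the nmap 4.x spelling of 'skip host discovery' (-Pn in later versions)."""
    return [
        f"nmap -sS -P0 -n -vv -p {ports} {target}",   # SYN scan, needs WinPcap/raw sockets
        f"nmap -sT -P0 -n -vv -p {ports} {target}",   # connect() scan, no raw sockets needed
        f"nmap -sU -P0 -n -vv -p {ports} {target}",   # UDP, expect open|filtered on a stealth host
    ]


if __name__ == "__main__":
    for name, text in (("responding", SAMPLE_RESPONDING), ("stealthed", SAMPLE_STEALTHED)):
        p = parse_nmap_ports(text)
        print(name, p, "->", scan_verdict(p, connect_errors(text)))
    print("\n".join(suggested_scans("192.168.2.1")))
```

    A GRC "TruStealth" result and an nmap table full of closed ports are not in contradiction when the nmap run came from the host itself or from behind the same filter: only a scan from a second machine, or from the internet side, exercises the rules on the NIC that faces the scanner.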
  13. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Try downloading PCLinuxOS; it's a live CD Linux distro. It comes with nmap. Run nmap from its console. I believe you get more accurate results with the Linux version of nmap than with the Win32 one. My TCP port 21 shows as open with Win32 nmap but it shows as filtered with Linux...
     
  14. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    OK... leeching PCLinuxOS at the moment... just need some confirmation ;)

    Thanks for the reply!
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    fred22,

    Are you trying to scan the ICS (client) from the host? nmap does not like scanning localhost, and will error.
     
  16. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    Yes I did... not good? I booted PCLinuxOS and ran nmap with some commands (from HOST); most stuff is closed, not filtered though?!

    I re-enabled LnS Internet filtering... just in case hehe

    Stem, please look into ICS... get some coffee and set it up :) ;)
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have now set up ICS
    I have no time for coffee yet.

    What setup do you prefer on this? A simple pass-through can be made for the ICS (global rule allowing all in from the client), or do you want to filter the ICS client on the NIC?
     
  18. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    Hi Stem :),

    Thanks for wasting your time on me.. hehe ;)

    I would prefer filtering the ICS client on the NIC; anyhow, if the "generic rule" is enough for safety I'm going for that.

    Please show/share the rule(s) you made.

    I have the TW_SMC_Filters running on the client NIC - 192.168.2.1

    PS: I'm converting some LnS Phantom rules but I'm stuck already on some rules:
    UDP Block fragments: the option Frag Offset != 0? I choose "new filter", protocol UDP, but can't see any frag offset option?
    Rules like "Block MBONE broadcasts" are pretty easy for a noob like me.. lol

    http://pix.nofrag.com/53/cc/816933c354c11a2a3f432f680cbe.jpg


    Stem, once again your help is appreciated :)
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi fred22,
    I have replied to your PM, but we will now continue on thread, as any other users/members who want to make such a setup can then follow.

    Block fragments is an option in the SPI popup on NIC properties. For actual offset checking, I think this may need to be done in the payload, but I would need to check. (I still need to have my coffee)
     
  20. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    "Land attack" is a connection from/to your own IP. You can leave this as any flag.

    Maybe Vodka?
     
  22. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    Vodka isn't my thing, I leave it up to you ;)

    BTW, here's my setup at the moment:

    Packet Filters (Global)

    * added "new filter":
    ICS (client->host)
    Force Allow
    0-lowest
    Interface: ICS Host NIC MAC (192.168.2.1)
    Eth Type: IP
    Source MAC: ICS Client (192.168.2.120 - Xbox)
    Dest MAC: ICS Host (192.168.2.1)

    http://pix.nofrag.com/5f/e1/544bc162e78fa62551e39ccc280e.jpg



    ICS Host 192.168.2.1

    * TW-SMC Filters (Force Allowed 192.168.2.0/16 range)

    http://pix.nofrag.com/55/88/7516e74d5735699122fe53e625ea.jpg


    * Added "new filter" for XBMC Internet access
    Packet Source: 192.168.2.120
    Source port: 1024-5000

    Dest: Any
    Dest Ports: 80,1024-65535

    http://pix.nofrag.com/8f/d3/2f81aec04daa10d17901af4b4392.jpg


    PS: by checking the (blocked) logs, the rule required TCP flags: ACK, PSH, SYN.

    Tested Weather Channel but it was again blocked by the "Deny Filter";
    allowing the "Any" flag it worked.

    I changed the "priority" to "4 - highest" on the rule and checked only ACK, PSH, SYN but that isn't working either.


    Internet NIC

    * Wan-Start Filters (stealth on GRC, PCFlank, all scans)

    http://pix.nofrag.com/c1/a1/bd7f44b6f253cfd58526eccf3efc.jpg


    Looks good, right? See, I'm not 100% sure hehe...
    For example:
    with LnS internet filters enabled, if the Xbox is running, playing a movie from the PC HD, it often shows "blocked" NetBIOS packets:
    outbound (PC-->internet)
    192.168.2.1 to any random IP
    port 137

    I created such a rule like that on CHX-I (only problem here is the rule requires in/outbound); with CHX-I one can only choose either "incoming" or "outgoing", again I'm kinda stuck there :)

    Disabled LnS filtering but nothing shows up in the CHX-I logs...
    After enabling LnS filtering while CHX-I is running, the blocked NetBIOS packets show up again (LnS)
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi fred22,
    The global filter I showed you in the PM, which you have added, is for a pass through rule, as I mentioned this will allow all comms for the client.

    I do not have an xbox to set up, so I can only show how I have set up for basic ICS for a PC. But this should show one direction to take.

    You will note in my settings that 192.168.0.1 is the NIC card on the host that is connected to the client 192.168.0.2

    So, first rule is to allow ARP. (you can bind this to the other NICs in your setup).

    I then place just 2 rules for my setup.
    First, to force allow inbound UDP for DNS. This is bound to the MAC addresses and IPs of the host/client.
    (You will note that the host needs to be set as a DNS server for the Client.)

    DNS.JPG

    The other rule I have set is to allow HTTP(s)
    Again, this rule is bound to the NICs of Host/Client, but the remote IP must be set (in this setup) as any, so that outbound connections to the web can be made.

    HTTP_S.JPG

    These 2 rules replace the Global rule (so the global rule is removed from my setup). The rules are placed onto the host's NIC card connected to the client.
    Any broadcasts from the client are dropped, and only external comms for the client to remote ports 80,443 are allowed in this setup.

    Performing any external scans will be made against, and intercepted by, the NIC connected to the web. So it is the rules placed there that will intercept unsolicited inbound.
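    The behaviour described in this post and the TCP-flag trouble reported a few posts up (a rule that works only with "Any" ticked) can both be seen in a small model of a per-NIC filter. The code below is an added example written for this thread; it is not CHX-I's code and its matching semantics are assumptions of the model, in particular that every ticked TCP flag must be set on the packet for the rule to match and that rules are tried from highest to lowest priority with anything unmatched dropped. The two rules follow the DNS and HTTP/S description above, using the 192.168.2.1 host and 192.168.2.120 client from the thread; the MAC addresses and the 203.0.113.10 web server are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = None   # a rule field left as None matches anything ("Any" in the GUI)


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" = arriving at the host on this NIC
    proto: str                          # "tcp", "udp" or "icmp"
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    flags: FrozenSet[str] = frozenset()  # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    priority: int                        # higher wins (GUI: 0 lowest .. 4 highest)
    direction: Optional[str] = ANY
    proto: Optional[str] = ANY
    src_mac: Optional[str] = ANY
    dst_mac: Optional[str] = ANY
    src_net: Optional[str] = ANY         # "192.168.2.120" or "192.168.2.0/24"
    dst_net: Optional[str] = ANY
    src_ports: Optional[Tuple[Tuple[int, int], ...]] = ANY   # (lo, hi) ranges
    dst_ports: Optional[Tuple[Tuple[int, int], ...]] = ANY
    flags: Optional[FrozenSet[str]] = ANY  # ANY = "Any" ticked; assumed: all ticked flags must be set


def _in_ranges(port: Optional[int], ranges) -> bool:
    return ranges is ANY or (port is not None and any(lo <= port <= hi for lo, hi in ranges))


def _in_net(ip: str, net: Optional[str]) -> bool:
    return net is ANY or ip_address(ip) in ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is ANY or rule.direction == pkt.direction)
            and (rule.proto is ANY or rule.proto == pkt.proto)
            and (rule.src_mac is ANY or rule.src_mac.lower() == pkt.src_mac.lower())
            and (rule.dst_mac is ANY or rule.dst_mac.lower() == pkt.dst_mac.lower())
            and _in_net(pkt.src_ip, rule.src_net) and _in_net(pkt.dst_ip, rule.dst_net)
            and _in_ranges(pkt.src_port, rule.src_ports) and _in_ranges(pkt.dst_port, rule.dst_ports)
            and (rule.flags is ANY or rule.flags <= pkt.flags))   # assumed flag semantics


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Highest-priority matching rule decides; a packet matching nothing is dropped."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default"


HOST_IP, CLIENT_IP = "192.168.2.1", "192.168.2.120"                  # from the thread
HOST_MAC, CLIENT_MAC = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02"      # constructed


def _client_pkt(proto, dst_ip, dst_port, dst_mac=HOST_MAC, src_port=1025, flags=()):
    """A packet from the ICS client arriving inbound on the host's ICS NIC (constructed)."""
    return Packet("in", proto, CLIENT_MAC, dst_mac, CLIENT_IP, dst_ip, src_port, dst_port, frozenset(flags))


def ics_rules(http_flags: Optional[FrozenSet[str]] = ANY) -> List[Rule]:
    """The two ICS rules described above (ARP handled separately): DNS to the host, HTTP/S anywhere."""
    return [
        Rule("ICS DNS", "allow", 4, "in", "udp", CLIENT_MAC, HOST_MAC, CLIENT_IP, HOST_IP,
             dst_ports=((53, 53),)),
        Rule("ICS HTTP/S", "allow", 4, "in", "tcp", CLIENT_MAC, HOST_MAC, CLIENT_IP, ANY,
             dst_ports=((80, 80), (443, 443)), flags=http_flags),
    ]


DNS_QUERY = _client_pkt("udp", HOST_IP, 53, src_port=1030)
CLIENT_BROADCAST = _client_pkt("udp", "255.255.255.255", 67, dst_mac="ff:ff:ff:ff:ff:ff", src_port=68)
FTP_SYN = _client_pkt("tcp", "203.0.113.10", 21, flags=("SYN",))


def client_session_packets(dst_ip: str, dst_port: int) -> List[Packet]:
    """The client's half of a TCP session: handshake SYN, bare ACK, data, FIN."""
    return [_client_pkt("tcp", dst_ip, dst_port, flags=f)
            for f in (("SYN",), ("ACK",), ("PSH", "ACK"), ("FIN", "ACK"))]


def session_allowed(rules: List[Rule], dst_ip: str, dst_port: int) -> Tuple[bool, Optional[str]]:
    """(True, None) if every client packet passes, else (False, flags of the first packet dropped)."""
    for pkt in client_session_packets(dst_ip, dst_port):
        if evaluate(rules, pkt)[0] != "allow":
            return False, "+".join(sorted(pkt.flags))
    return True, None


if __name__ == "__main__":
    print("DNS query      ->", evaluate(ics_rules(), DNS_QUERY))
    print("broadcast      ->", evaluate(ics_rules(), CLIENT_BROADCAST))
    print("FTP SYN        ->", evaluate(ics_rules(), FTP_SYN))
    print("HTTP, flags ANY  ->", session_allowed(ics_rules(), "203.0.113.10", 80))
    print("HTTP, SYN only   ->", session_allowed(ics_rules(frozenset({"SYN"})), "203.0.113.10", 80))
```

    With the HTTP/S rule's flags left at Any the whole session passes; with only SYN ticked the handshake SYN is allowed but the client's bare ACK no longer matches and the connection stalls, and with ACK, PSH and SYN all ticked not even the SYN matches, because no single packet carries all three. The client's broadcast to 255.255.255.255 and the FTP SYN hit no rule and are dropped, which is the "broadcasts from the client are dropped" behaviour and why FTP and SMB needed their own rules later in the thread.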
     
  24. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    Hi Stem,

    Cheers for the help, I'm getting there :). OK, I followed your instructions and created 3 rules and placed them on the ICS Host NIC MAC

    http://pix.nofrag.com/fe/99/fe9c909b0e395c456eee9513d6bb.jpg

    * Allow ARP
    http://pix.nofrag.com/62/17/20ce0a072223879b24b9899af3c9.jpg

    * ICS DNS
    http://pix.nofrag.com/50/4d/2421b15c21687c34fc66cdc1b793.jpg

    * ICS HTTP's
    http://pix.nofrag.com/30/29/e283319f279f259b52ddfb9f11f9.jpg

    At this point, the "Weather Channel" (http://www.weather.com/) is running fine on XBMC-XBOX
    using port 80
    http://pix.nofrag.com/87/3a/baded08a0c63f55525101424f0e8.jpg

    Tested with * ICS HTTP/S Filter DISABLED

    At the moment, ping, FTP, Shoutcast online radio and SAMBA sharing (ports 139, 445) aren't working, so I made 3 new filters & modified your ICS HTTP filter to include ports 1024-60000 for online radio streaming (Shoutcast)

    PING -- ICMP type 0/code 0
    * ICMP Allow
    http://pix.nofrag.com/e6/41/67d6e74bac800307dd825d157c42.jpg

    FTP -- port 21
    * FTP Allow
    http://pix.nofrag.com/72/83/9b76be27e6671f61a4e9b12266ab.jpg


    SAMBA Sharing -- port 139,445(pc-->xbox - ICS)
    * SAMBA-XBMC Filter
    http://pix.nofrag.com/3f/68/2d824f0d6b21f1adcb089db9ce71.jpg


    Shoutcast online radio streaming

    For this one, Shoutcast Online Radio Streaming, I modified your ICS HTTP/S rule and added ports: 80,443,1024-60000

    http://pix.nofrag.com/4e/5c/21d0f4f9016181cec40fb8fd626f.jpg

    Can you confirm it's alright? The strange thing though: when you watch the log for blocked stuff and enable only the TCP flags required, it won't work?!
    When I "tick" ANY it's alright.

    Thanks again :)
     
    Last edited: Mar 18, 2007
  25. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    OK, sorry for another reply, just letting you know everything is working fine using the above filters :)

    I disabled ICMP as it's not really required
    http://pix.nofrag.com/51/fd/7262ca8d806f26bb2fba584451a2.jpg

    Haven't checked XLink Kai online gaming; think I can fix that later on ;)

    BTW, 1 more thing: on the internet NIC, are just the Wan-Start filters enough? GRC is stealth.

    From the Xbox connection I'm getting UDP blocks to 255.255.255.255 from 192.168.2.120.
    That's OK, right? All SPI options are ticked on both NICs.
     
    Last edited: Mar 18, 2007