Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

Thread Status:
Not open for further replies.
  1. feniks
    feniks Registered Member

    Thank you very much; this looks encouraging and interesting.

    I already downloaded versions 2.8 and 3.0. Which should I start to use?

    Is there any place to get the 3.0 manual, as the links here on Wilders are mostly not working now? And fluxgfx has a manual for 2.8.

    Is the http://www.fluxgfx.com/ssc/ the same as sscnetwork?

    Are these downloads and drivers from this thread the most current? http://www.wilderssecurity.com/showthread.php?t=166264&highlight=chx-i+drivers
    Last edited: Nov 20, 2007
  2. FadeAway
    FadeAway Registered Member

    Version 2.8 required an activation key after 30 days, which is no longer
    available for new users. Use version 3, as it requires no activation.
    Version 3 mostly just added payload filtering, which is unnecessary
    for the average home user.

    There is an uploaded file which includes the v.3 installer, the WAN starter
    rule set & the version 3 manual here:

    http://rapidshare.com/files/71075321/CHX3.zip.html


    Initial setup info can be found in this thread:

    http://www.wilderssecurity.com/showthread.php?t=124457&highlight=green

    For version 3, import the WAN start rules, not the workstation rules.

    Remember, CHX allows all until you import or create a rule set.

    If you create your own rules, always remember to set "allow" rules
    at the lowest priority. It's all in the manual and in previous threads
    here at Wilders. You will need to do lots of reading.


    Good luck
  3. feniks
    feniks Registered Member

    I am behind a router, if that changes anything. But well, I'll start reading. ;)

    Don't worry about that - I am a very inquisitive person. Some may say even too much. :D

    I am starting to suspect that CHX-I with a decent HIPS as the application layer will not make any concession to the well-known and popular application/rule-based software firewalls, and maybe is what I am looking for...

    PS. Downloaded without problems, thank you.
  4. larryb52
    larryb52 Registered Member

    I know what I like when I run a firewall & AV. Look 'n' Stop works for me; it is rule based & lets 'me' be in control of my system, and also advises what is calling out. I don't know about others, but all the tests in the world, including leak tests, don't help me feel in control. I know others are supposed to be better at leak tests, but I like control over leak tests...
  5. Diver
    Diver Registered Member

    Can Stem or anyone give the names of any HIPS with application control for internet access? This would appear to be less trouble than a HIPS that restricts all applications not whitelisted.

    Stem is also very lucky to have five beautiful girls in his office.
  6. WSFuser
    WSFuser Registered Member

    AppDefend, SSM, and ProSecurity *I think*.
  7. 19monty64
    19monty64 Registered Member

    ThreatFire using custom rules, listed here also. It uses no extra resources with the ruleset from posts 5-7.
  8. Hairy Coo
    Hairy Coo Registered Member

    Monty - have you customised TF, and is it a good idea?
  9. 19monty64
    19monty64 Registered Member

    Yes, I did the modifications from posts 5-7, and left a couple of apps off the list. When I opened them I got 1 pop-up, allowed and remembered, no problems. A couple of reboots, a bit of games and surfing, no slow-down. TF is still using less than 8MB of RAM. For the 5 mins it took to add the rules I'd say it's definitely worth the effort. The rest of the custom rules, well, I'll read up a bit more before tackling them. :thumb: :thumb:
  10. Stem
    Stem Firewall Expert

    I was not referring to forum rules or etiquette, but to the fact that when involved in a thread with "which one is better", flame wars happen.

    First, I do not use (or install on users' PCs I support) any firewall that provides application access control and then gives hard-coded rules to its own applications to allow them access, regardless of whether it makes unknown connections or not (as it could anyway, without users allowing this), so from that I will (in my reply) discard ZA and ESS.

    WDF? What is that?

    OA, no, it only makes a state table; it will not check flags/sequence etc. of TCP.
  11. WSFuser
    WSFuser Registered Member

    WDF = Webroot Desktop Firewall
  12. feniks
    feniks Registered Member

    I fully understand and accept. And I see specific questions about features etc. are accepted. :)

    Yes, like WSFuser said, Webroot Desktop Firewall. You tested Privatefirewall but I did not find my answer there (about inbound protection such as SPI, (full?) SPI implementation, etc.). In another post you said about Privatefirewall, "I still have to check the packet filtering, so my opinion could change".

    But you said in the test thread that you were kind of pleased with the outcome of the test and are waiting for some improvements. Webroot Desktop Firewall is version 6.0 of Privatefirewall; maybe you would like to test it and check if they fixed what you did not like? :)
    Last edited: Nov 21, 2007
  13. rhuds13
    rhuds13 Registered Member

    Would a person who has just, say, AV and SAS Pro and does not use P2P and such be safe just using the Vista or XP FW?
  14. FadeAway
    FadeAway Registered Member

    I don't use bi-directional (inbound/outbound) firewalls because I
    believe they provide a false sense of security. To my way of thinking,
    the very existence of leak tests proves that. Others will disagree, I'm
    sure. My preference is to combine solid inbound firewalling with separate
    internal detection such as HIPS & IDS which are not part of the firewall
    software.

    To answer your question, I would feel safe with your setup for general
    use, but if I were visiting my bank online, I'd want a HIPS or IDS
    in the mix.
  15. Stem
    Stem Firewall Expert

    WDF, right... I have not had time to look at that yet.
    With Privatefirewall, I held off, as there were a couple of bugs, and the fact that the firewall did not intercept localhost.
  16. Diver
    Diver Registered Member

    As I read this the question comes to mind, are the typical application oriented software firewalls being breached by inbound attacks? If so, which ones are the weakest?

    If you have your computer behind a router you are not directly connected to the internet. Are there any brands or models of routers that are being breached by inbound attacks more so than others? Does it help to use open source firmware like Tomato or DD-WRT?

    Even when I take my notebook on the road, it will be behind a router or wireless access point. There are going to be other users, but not more than 100 as compared to a direct internet connection with millions of users. Why isn't a typical application oriented firewall going to cut it?

    I hear these concerns, but as I look around in various forums and tech news sites, I find a lack of tales of any of these problems happening. In all fairness, I find a lack of tales of folks having an application oriented firewall save the day when it catches a bot phoning home that got on there via a drive-by download and was missed by the AV because it was zero day.

    It seems to me there is neither a compelling case for a sophisticated inbound packet filter nor an application oriented firewall that does not leak, within the bounds of Matousec's world.
  17. Kerodo
    Kerodo Registered Member

    Diver, I think you have a good point, and one which I completely agree with. Especially regarding inbound. I would bet that perhaps 1 home user in 100,000 has ever seen any kind of real "attack" on either his router or firewall. To my mind, talking about the quality of inbound protection is pretty much a waste of time. Stick a simple cheap NAT router in front of your PC and call it a day. That's all you need....
  18. Diver
    Diver Registered Member

    From the Matousec site:

    "A good personal firewall offers both inbound and outbound protection. The inbound protection means that packets sent from the Internet or local area network to your computer are filtered and only ports that you want to be open are accessible. This protection is standard and is very good and reliable in almost all personal firewalls. On the other hand is the outbound protection which cause problems to all vendors nowadays."

    That's his opinion. If he is right, except for a few exceptions all software firewalls get the inbound filtering job done.
  19. Stem
    Stem Firewall Expert

    Do you think that full SPI is sophisticated, and beyond correct implementation by firewalls?
    Realise that a good SPI firewall will filter out bad packets/spoof attempts etc. without a need for user interaction.

    What do you think that "Inbound filtering" actually is?
  20. Diver
    Diver Registered Member

    Stem,

    I can't answer your questions on inbound filtering because I don't understand the technology the way you do. All I know is that this is what Matousec, a supposed expert, says. Because of my legal training there is a suspect aspect to a guy who makes his living testing outbound leak performance making such a statement. There is a difference between a packet getting through that shouldn't and that packet doing any damage.


    Most of the successful attacks today are coming via http from cracked websites or downloaded Trojan games and screen savers. As far as I know, the default firewall in XP stops the worms floating around the internet even on a direct connection. I have not seen any advisories that say otherwise. For a directed attack I don't know, but do I really have to worry about that?

    The question is, are the typical personal firewalls that most of us use actually being breached by inbound attacks, not are they theoretically subject to an attack?

    My hunch is when an attack is not detected (after the fact) by a so called leak proof firewall it is probably a result of the user misinterpreting the pop up warning and allowing the connection because they were concentrating on something else.
  21. Stem
    Stem Firewall Expert

    Diver,
    At one time, the "Matousec" site was concerned with coding/stability of firewalls, but now it appears mainly to be a "leaktest" site, using "leaks" taken from various other sites.
    I have seen firewalls fail due to various types (or a combination) of illegal/bad packets, which should be dropped by a good SPI.
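    To make concrete the distinction Stem draws above (a firewall that "only makes a state table" versus full SPI that also checks TCP flags and sequence numbers, and drops illegal/bad packets without user interaction), here is an added illustration that is not code from the thread or from any of the products discussed. The addresses, sequence numbers and packets are constructed; the inspector is a deliberately minimal model, not a real firewall engine.

```python
# Added example (not from the thread): a minimal TCP stateful inspector that can run
# either as a plain state table or as "full SPI" with flag and sequence checks.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10      # TCP flag bits used by this model

@dataclass(frozen=True)
class Pkt:
    src: str        # constructed "ip:port" of the sender
    dst: str        # constructed "ip:port" of the receiver
    flags: int
    seq: int
    ack: int = 0
    plen: int = 0   # payload length in bytes

class TcpInspector:
    def __init__(self, full_spi=True, window=65535):
        self.full_spi = full_spi   # False = state-table only (no flag/sequence checks)
        self.window = window       # accepted receive window for sequence checks
        self.table = {}            # (client, server) -> {"state", "next": {sender: next seq}}

    def _illegal(self, f):
        # Flag combinations a legitimate TCP segment never carries: SYN with FIN or RST, or no flags at all
        return bool(f & SYN and f & (FIN | RST) or not f & (SYN | FIN | RST | ACK))

    def inspect(self, p):
        if self.full_spi and self._illegal(p.flags):
            return "DROP illegal flags"
        key = (p.src, p.dst) if (p.src, p.dst) in self.table else (p.dst, p.src)
        e = self.table.get(key)
        if p.flags & SYN and not p.flags & ACK:              # new connection attempt
            if e:
                return "DROP duplicate SYN"
            self.table[(p.src, p.dst)] = {"state": "SYN_SENT", "next": {p.src: p.seq + 1}}
            return "ALLOW new connection"
        if e is None:
            return "DROP unsolicited"                        # both modes require table state
        if self.full_spi:                                    # extra checks only full SPI performs
            exp = e["next"].get(p.src)
            if exp is not None and not (exp <= p.seq < exp + self.window):
                return "DROP out-of-window seq"
            if e["state"] != "ESTABLISHED" and p.flags & ACK and p.ack != e["next"].get(p.dst):
                return "DROP bad ack"
        if p.flags & RST:
            del self.table[key]
            return "ALLOW reset"
        if p.flags & SYN:                                    # SYN/ACK from the server side
            e["state"] = "SYN_RCVD"
        elif e["state"] == "SYN_RCVD":                       # final handshake ACK
            e["state"] = "ESTABLISHED"
        e["next"][p.src] = p.seq + p.plen + (1 if p.flags & (SYN | FIN) else 0)
        return f"ALLOW {e['state']}"

def demo(full_spi):
    """Replay a constructed handshake followed by three suspicious packets; returns verdicts."""
    c, s, x = "10.0.0.2:40000", "10.0.0.9:80", "10.0.0.7:1"
    insp = TcpInspector(full_spi)
    trace = [Pkt(c, s, SYN, 1000), Pkt(s, c, SYN | ACK, 5000, 1001), Pkt(c, s, ACK, 1001, 5001),
             Pkt(c, s, ACK, 999999, 5001),   # known peer, but sequence number far outside the window
             Pkt(x, s, SYN | FIN, 1),        # illegal flag combination with no prior state
             Pkt(x, c, ACK, 1, 1)]           # unsolicited ACK with no prior state
    return [insp.inspect(p) for p in trace]
```

    Running `demo(True)` and `demo(False)` shows that both modes drop the stateless unsolicited ACK, but only the full-SPI mode drops the out-of-window segment and the SYN/FIN probe; the state-table-only mode allows both.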
  22. Diver
    Diver Registered Member

    Stem,

    I am not trying to pull your leg or anything. For me interpreting the available information and making personal cost to benefit calculations is the problem.

    As I have indicated before, for Matousec, the temple of leak testing, to dismiss the inbound performance differences of all firewalls in a single sentence is suspect.

    On the other hand, it is very difficult to obtain meaningful objective information on inbound performance, and on the practical benefit of either improved inbound or outbound (leak) filtering. It would be very interesting if a few novices were put in front of Matousec's computers while they were being tested and told to respond to the firewall prompts while browsing or doing some other work. They would get it wrong most of the time.

    Someone like yourself will know the technical benefits of different designs, and the possibilities for things to go wrong, but that is not the same as things actually going wrong at a rate that one must be concerned about. An XP SP1 machine will last about 20 minutes with no firewall and a direct connection. How long does a patched SP2 box go with the Windows firewall on with a direct connection and just sitting there without browsing? It must be indefinitely, or we would be hearing about it all the time. Believe me, I will not be running a patched SP2 box with just the windows firewall on a direct internet connection, or any other computer on a direct internet connection.

    When I mention cost to benefit ratios, it is not so much the difference between a $40 firewall and one that is free as the amount of trouble it is to deal with the program. Just look at the thread on the free Comodo 3.0 and see how many members of this board are overwhelmed by it. The same could be said for several HIPS or firewalls with HIPS features.

    It is unfortunate, but the most serious threats are from packets being passed properly by proper firewalls. Those are trojan downloads and drive by attacks.
  23. Stem
    Stem Firewall Expert

    Diver,
    I have seen various definitions of "drive-by attacks", from attacks on routers / attempts to spoof/poison the DNS cache / exploit browsers / redirect browsers, etc., so it would depend on your definition of "drive-by attack".

    If we are looking at "drive-by attacks" ~ "download", then I agree that most firewalls will not filter to such a level; we would need to move on to "deep packet inspection" (or "Payload Filtering" as CHX-I puts it). But this does come at a cost of CPU time, and I know users of P2P clients would not be happy with the CPU taken for the processing (certainly with "Injoy"; ... with CHX-I, I have not really done much testing with the "payload filters", as it was a little buggy at times).

    Bottom line, for me, if there was only one possible bypass/problem due to lack of full SPI, then this is enough for me to chase vendors to implement full SPI.
    Take a look at the Outpost Pro "attack plugin"; would you consider this outdated/not needed?
  24. Diver
    Diver Registered Member

    Stem-

    A drive-by attack, according to an article I saw recently, involves using a security flaw in the browser to cause an executable file downloaded into the cache of the browser to execute when it should not.

    I am not familiar with the Outpost plug-in that you mentioned. Perhaps you can give us more details.

    It would be helpful to all of us if you would give more details in general. You know a lot more than most of us. I, for one, would like to know about the inbound capabilities of more firewalls, and just what the real world benefits of these capabilities are. Matousec's statement that nearly all of them have the inbound side worked out is a bit frustrating.
  25. feniks
    feniks Registered Member

    Can I also make the same request? :)

    Stem, you did test Privatefirewall, but in the thread about it there is no answer to my question and you did not answer it here. May I try again? :)

    The question was:

    You tested Privatefirewall but I did not find my answer there (about inbound protection such as SPI, (full?) SPI implementation, etc.).

    Also, it is blocking many HTTP and HTTPS in/out while browsing; is that SPI filtering like CHX-I, or something else?

    In CHX-I the log is more detailed and, by the nature of this program, it is easy to assume what the reason for blocking is. However, in PF the log is not so detailed. o_O