Kerio 2 and CHX-I

Discussion in 'other firewalls' started by Kerodo, Mar 26, 2005.

Thread Status:
Not open for further replies.
  1. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Kerio 2.1.5 + CHX-I have worked fine together for 4 months already ^_^
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Kerio 2 and CHX work fine together, with CHX catching any fragmented packets that Kerio 2 lets through. So it's a nice solution to that problem. Be aware however, that with both running, you are doing double filtering. For example, all your browser port 80 traffic gets filtered once by Kerio 2 and again by CHX. This is not the ideal situation, but when I used both together, I didn't find any apparent slowdowns or troubles.
     
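    The fragment problem Kerodo describes above is worth seeing concretely. The following is an added example and is not code from Kerio, CHX-I or anyone in this thread; it makes no claim about how either product is implemented. It builds IPv4/TCP packets by hand (constructed sample addresses and a hypothetical rule "drop inbound TCP SYN to port 135") and runs them through two toy filters: one that judges each fragment on the bytes it happens to carry, and one that holds fragments until the datagram is complete, refuses overlapping fragments, and only then applies the rule. The two classic evasions are the RFC 1858 "tiny fragment" (the first fragment is too short to contain the TCP flags) and the overlapping fragment (a later fragment rewrites the flags byte of the first).

```python
"""Fragment evasion versus a reassembling packet filter (added example).

Nothing here is Kerio's or CHX-I's code; the addresses, identifiers and the
blocked port are constructed for the demo.
"""
import struct

TCP = 6
SYN, ACK = 0x02, 0x10
BLOCKED_PORT = 135          # hypothetical rule under test: drop inbound TCP SYN to 135


def ipv4_header(src, dst, payload_len, ident, mf, frag_off):
    """Minimal IPv4 header (no options; checksum left zero for the demo).
    frag_off is in bytes and must be a multiple of 8."""
    flags_frag = (mf << 13) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, TCP, 0, src, dst)


def tcp_header(sport, dport, flags, seq=0):
    """20-byte TCP header with no options; the flags byte sits at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ip(pkt):
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "mf": (ff >> 13) & 1,
            "off": (ff & 0x1FFF) * 8, "src": src, "dst": dst, "payload": pkt[ihl:total]}


def fragment(src, dst, ident, segment, cuts):
    """Split a transport segment into IPv4 fragments at the byte offsets in cuts."""
    bounds = [0, *cuts, len(segment)]
    return [ipv4_header(src, dst, e - s, ident, int(e < len(segment)), s) + segment[s:e]
            for s, e in zip(bounds, bounds[1:])]


def rule(segment):
    """The filtering rule, applied to a complete TCP segment."""
    if len(segment) < 20:
        return "drop"
    dport = struct.unpack("!H", segment[2:4])[0]
    return "drop" if dport == BLOCKED_PORT and segment[13] & SYN else "pass"


def naive_filter(pkt):
    """Per-fragment filter: judges each fragment on the bytes it carries.
    Non-first fragments have no TCP header, so nothing matches and they pass."""
    ip = parse_ip(pkt)
    if ip["proto"] != TCP or ip["off"] != 0:
        return "pass"
    p = ip["payload"]
    if len(p) < 4:
        return "pass"
    dport = struct.unpack("!H", p[2:4])[0]
    flags = p[13] if len(p) > 13 else 0   # flags byte is absent from a tiny first fragment
    return "drop" if dport == BLOCKED_PORT and flags & SYN else "pass"


class ReassemblingFilter:
    """Holds fragments until the datagram is complete, rejects any overlap
    (host stacks disagree on which copy wins), then applies the rule."""

    def __init__(self):
        self.pending = {}   # (src, dst, ident) -> {"chunks": {offset: bytes}, "end": int|None}

    def feed(self, pkt):
        ip = parse_ip(pkt)
        if ip["proto"] != TCP:
            return "pass"
        if ip["off"] == 0 and not ip["mf"]:
            return rule(ip["payload"])            # not fragmented at all
        key = (ip["src"], ip["dst"], ip["ident"])
        entry = self.pending.setdefault(key, {"chunks": {}, "end": None})
        off, data = ip["off"], ip["payload"]
        for o, d in entry["chunks"].items():
            if off < o + len(d) and o < off + len(data):
                del self.pending[key]             # overlapping fragment: refuse the datagram
                return "drop"
        entry["chunks"][off] = data
        if not ip["mf"]:
            entry["end"] = off + len(data)
        if entry["end"] is not None and sum(len(d) for d in entry["chunks"].values()) == entry["end"]:
            segment = b"".join(entry["chunks"][o] for o in sorted(entry["chunks"]))
            del self.pending[key]
            return rule(segment)
        return "hold"


def run_demo():
    src, dst = bytes([203, 0, 113, 7]), bytes([192, 168, 1, 10])   # constructed addresses
    syn = tcp_header(40000, BLOCKED_PORT, SYN, seq=1)
    results = {}
    # 1. Tiny first fragment (RFC 1858): 8 bytes carry the ports but not the flags.
    tiny = fragment(src, dst, 0x1001, syn, [8])
    rf = ReassemblingFilter()
    results["tiny"] = ([naive_filter(f) for f in tiny], [rf.feed(f) for f in tiny])
    # 2. Overlap: an innocent ACK header first, then a fragment at offset 8 that
    #    rewrites bytes 8..19 (flags included) to turn the segment into a SYN.
    ack = tcp_header(40000, BLOCKED_PORT, ACK, seq=1)
    overlap = [ipv4_header(src, dst, 20, 0x1002, 1, 0) + ack,
               ipv4_header(src, dst, 12, 0x1002, 0, 8) + syn[8:]]
    rf = ReassemblingFilter()
    results["overlap"] = ([naive_filter(f) for f in overlap], [rf.feed(f) for f in overlap])
    # 3. A legitimately fragmented request to port 80 still gets through the reassembler.
    http = tcp_header(40001, 80, ACK, seq=2) + b"GET / HTTP/1.0\r\n\r\n"
    frags = fragment(src, dst, 0x1003, http, [16])
    rf = ReassemblingFilter()
    results["http"] = ([naive_filter(f) for f in frags], [rf.feed(f) for f in frags])
    return results
```

    In both evasion cases the per-fragment filter answers "pass" for every fragment, because the first fragment never shows it a SYN and the later ones show it no transport header at all, while the reassembling filter holds the first fragment and drops the datagram once it can see the whole segment (or sees an overlap). The ordinary fragmented port 80 request is held and then passed, which is the "double filtering" cost Kerodo mentions: one of the two products has to buffer and reassemble to make that decision.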
  3. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    I think this would be a great combination in many ways.

    It's unfortunate though that in a heavy-usage LAN scenario, the Kerio 2.x and 4.x series can significantly drop the throughput on a 100Mbit/s or 1000Mbit/s LAN.

    Also, wouldn't it be nice if Kerio was able to write filtering rules straight to CHX-I filtering rulebase (now I'm dreaming, but it would be nice in terms of usability).

    Still searching for that elusive packet/app filter combo... Seems to be so hard to find :)
     
  4. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I have been following this thread and have some queries.

    I tried CHX-I and really could not make any sense of it and after leaving it on the system for a few weeks I got rid of it since it was serving no purpose.

    After reading several threads it appears that it only monitors inbound. As I am behind a f/w router it would seem in my case to serve no purpose. I use Kerio 2.1.5 for outbound control.

    Any comments please.
     
  5. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    You can create outbound rules in CHX-I but only for port or IP address restriction/permission (no application control).

    Have a good day. :)
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    As Trespasser says, you can write rules to filter outbound traffic by address and port, however, CHX does no app filtering in the traditional sense. So, if you have a router, then CHX may be pretty much redundant unless you do create some outbound filtering rules to restrict ports and so on.

    If you had trouble using it, I would suggest a good read of the online docs. That is the best place to learn about how CHX works. Also perhaps try starting with the sample rules on their site, and then modify them to suit your needs.

    In my opinion, CHX is one of the best, if not the best, packet filters. I have used 2.81 and 2.82 extensively without seeing even one bug ever, and have also used the 3.0 beta with good results, although there are bugs in it still. It is by far the lightest of them all, and gets the job done well.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Halcyon - Seems as though the main ones used with CHX for app control are ZAP and LnS. I am right now using Jammer with CHX with success, but as Blue mentions, it doesn't appear to work with XP and they also don't sell it anymore on the Agnitum site. But on Win2k here, it's a great combo. Jazzie, another member here, uses ZA/CHX combo and seems happy with it. I would still like to try that combo to see if app rules would truly work properly.
     
  8. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    I am unable to try CHX-I right now because it won't run on Windows 98 SE, and that's what I have. I might try it later on after I install Win2K Pro.

    I am running Kerio 2.1.5 right now, though, with BlitzenZeus's standard default replacement ruleset. So far, so good.

    I wasn't planning on switching to Kerio at this time, but I started experiencing sporadic BSODs after installing NetVeda Safety.Net, so I had an incentive to try a different firewall.

    What I like about Kerio 2.1.5 is that I can see the rules and edit them as needed. On many other firewalls, there are built-in rules that one can't even see, let alone edit.

    Phil
     
    Last edited: Jun 16, 2005
  9. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks Kerodo for confirming what I thought. I may take the easy road and just stay with Kerio. I have built up a good ruleset over the years which seems to have kept me out of mischief, not that I court it anyway. Really don't like writing script based rules.
     
  10. Arup

    Arup Guest

    Provided one has basic understanding, it is fairly easy to write filters in CHX, for instance, I wrote a Deny Trojan rule specifying the direction, protocol and ports and as you can see from the attached screenshot, it is pretty self explanatory.
     

  11. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi All! As Arup stated, it is easy to make rules for CHX-I, once you understand the architecture!
    ----------------------------

    With relation to inbound (outbound) from your network interface. So, you have to reverse how most conventional firewalls' rules are set up, with 'outbound' directions to destination ports/hosts, as shown below....

    Regards
    Jazzie
     

  12. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    Does this CHX-I thing work with a home computer with dial-up internet?
     
  13. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
  14. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    Thanks jazzie, that guide was useful. Bookmarked! :)

    Now if anyone else can answer my questions:
    1. I went to http://members.shaw.ca/BIND-PE_and_ICS/chxi001.htm and did what the screenshot shows
    2. I downloaded the .zip called "Filter set" on http://members.shaw.ca/BIND-PE_and_ICS/index061.htm then unzipped it and imported it to CHX-I - Packet Filters (Global)
    3. I use a dial-up modem why does it show "WAN" as my interface? I thought my modem is my interface...
    4. How does CHX-I start? Theres no entry in services.msc or msconfig

    Am I protected now?
    Thanks

    (Sorry, but I am computer literate but when it comes to security packet things like this, I'm a total newbie)
     
  15. DRI

    DRI Guest

    You should also do the same for ICMP and not just UDP (That screen shot is taken from an older version of CHX-I)

    When you use a dial-up connection, that is considered to be on the WAN side and not the LAN. CHX-I is loaded as a driver (flthook.sys) from Windows/system32...
    Did you scan yourself after you applied the filters? Another thing you might do is change the DNS entry from any address to your ISP DNS ip's.


    Cheers
    DRI
     
  16. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    Yes, I did a quick scan and full scan at GRC Shields Up and it came up as all stealthed.

    Thanks for confirming my suspicions... :)
     
  17. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    squash,
    Have you turned SPI on yet? If not, then click on the "+" sign next to Packet Filters (Global), right click on Interface:Wan, then click on Properties. I put a check in all boxes except "Allow outgoing active FTP", "Enable UDP stateful logging", and "Enable ICMP stateful logging". One thing I noticed about CHX-I, that I didn't like, is unless you disable logging you soon will accumulate a large amount of log files.
     
  18. DRI

    DRI Guest


    A Small price to pay for having a good SPI packet filter firewall! :) This can be enabled or disabled per rule.

    Cheers
    DRI
     
  19. Arup

    Arup Guest

    Logging in CHX is its best feature, one I can't live without. The site mentioned by Jazzie has newer filters, namely TW; I suggest everyone check those out. They have even more rules, but mostly for ICS machines and those running Treewalk; otherwise the standard filters there work the best.
     
  20. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    Heres what I did:

    I use CHX-I with Kerio 2.1.5, so I don't think I need to enable logging, and I don't think I need to allow outgoing FTP because I don't upload FTP files - and if this computer becomes infected by a trojan I don't want the people to be able to send stuff from this computer.

    What do I check or uncheck? I want it to be as secure as possible - I don't even need FTP.
     

    Last edited: Jun 17, 2005
  21. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi

    Just uncheck anything to do with FTP connections and enable logging on all protocols (TCP+UDP+ICMP). That way, you can see exactly what fragmented packets get past Kerio .........

    Regards,
    Jazzie
     