Questions about CHX

Discussion in 'other firewalls' started by delerious, Jul 16, 2006.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    I have a laptop that uses a wireless connection, with the access point sitting behind a router. After installing CHX 3.0, I imported the Workstation sample ruleset, but I could not get an IP address using the wireless connection. Checking the logs, I could see that the router was trying to send UDP packets from source port 67 to destination port 68 on my laptop. I noticed that the rule called "DHCP Offer Traffic" allowed UDP packets from source port 67/68, but the Packets' Destination was set to "Masked IP: IP: 255.255.255.255, Mask: 255.255.255.255". I changed the Packets' Destination to "Any", and then I was able to get an IP address. But I still couldn't connect to the internet, so after checking the logs again, I saw that the router was trying to send ARP packets to my laptop. I created a new filter to allow ARP, and I was able to connect to the internet.

    I do have some questions:

    1) The logs say that the router sends a UDP packet to my laptop's port 520 twice a minute. But the Destination IP address says 192.168.1.255, and my laptop's IP address is 192.168.1.35. Does the address 192.168.1.255 have a special meaning? How is my laptop getting packets that aren't addressed to it?

    2) The logs also say that my other Windows machine behind the router is sending UDP packets to my laptop's ports 137 and 138. Is this normal? Why is that machine trying to send packets to my laptop? And the Destination IP address for those is also 192.168.1.255.

    3) Earlier I mentioned that I had to change the "DHCP Offer Traffic" rule to have a Packets' Destination of "Any" instead of the "Masked IP". Is it OK to keep it as "Any", or should I make it more restrictive? I would think that I can keep it as "Any", because how can I get packets addressed to someone else, but then why am I getting those packets addressed to 192.168.1.255?

    4) I see that all of the filters from the Workstation sample ruleset are set to Lowest priority, except for the "DHCP Offer Traffic" rule, which is set to Highest priority. But since it is a Force Allow rule, it will still work the same if I set it to Lowest priority, right? I'm unsure about why these priority levels are needed.

    5) Has anyone done anything with payload filters? I tried reading the docs and it seems pretty confusing.

    Thanks for your help!
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello delerious, and Welcome to Wilders,

    My main concern at this point is, have you set up your security for the wireless network?
    Please first check this, there is some info here

    Your main questions seem to be,..
    Port 137/138. This is NetBIOS
    IP 192.168.1.255, this will be your Broadcast address (some info)
     
    Last edited: Jul 18, 2006
  3. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Last edited by a moderator: Jul 17, 2006
  4. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    stem: thank you for the reply. I do have security on my wireless network... I use encryption keys, I do not broadcast the SSID, I only allow access by MAC address.

    vampiric_crow: OK, I erased all my filters and imported the ones in that wan_start.zip file. I could not get an IP address, so I had to modify your DHCP rule. I had to change the Packets Destination from "Masked IP" to "Any" before I could get an IP address. Also, is there any reason why that rule is Normal priority, but all the others are Lowest priority? Just trying to understand this priority business.

    I still get those UDP packets to my port 520... should I allow or deny those?

    Also, your other post mentioned a Deny Ingress Filters rule. That didn't come with the wan_start.zip that I downloaded.
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    @stem,
    My browser didn't update its cache, so I didn't see your post talking about the port 137/138.... ;)

    @delerious,
    I have to make a webpage to put all this info about CHX, to avoid problems and help other users...

    I uploaded the file again with "***Deny Ingress filters" already changed, and with a rule to Allow Router Broadcast.
    About the 137/138, it could be Broadcast from your router. Check your logs.

    WAN_start_VC.zip

    Can you post the log to see when the CHX is blocking the DHCP with this sample?
    Did you configure your Network Adapter with the settings that I suggested?

    The priority is to check the rules by their importance.
    You can read more on the http://www.idrci.net/fver/html/index.html, in "Filter Priorities" and "Filter Action Priority"...

    The port 520 is for Routing Information Protocol (info 1 and 2).
    My advice is if you don't have problem with that, block it.
     
  6. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    I downloaded your WAN_start_VC.zip. Actually it had a different name and was a RAR file. But I extracted it and imported your filters. There is no rule named "Deny Ingress Filters", but there are 2 IP list files. I guess I can create the Deny Ingress rule myself... but what exactly does it do, and why is it needed? I'm interested in learning more about this stuff.

    After importing your filters, it takes me over 30 seconds to establish a wireless connection. Without using CHX I can establish a connection in a few seconds, so something weird is going on. I attached a screenshot of the log... I cleared it out and then tried to establish the connection, so just look at the earliest entries. You can see that the router was trying to send UDP packets from its port 67 to my port 68, and CHX rejected them, even though I have your "Allow DHCP" filter. I looked at that filter, and it has the Packets Destination set to "Masked IP" with the IP set to 255.255.255.255 and the Mask set to 255.255.255.255. What exactly does that mean? I changed it to "Any", and then it took me less than 5 seconds to establish the connection, so something is screwed up with that "Masked IP" setting.
     

    Attached Files: log.jpg
  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I think this will be due to the rule mentioned is for a "Broadcast" from the internet, the rule should be set for the router IP broadcast (192.168.1.255)
     
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Let's see if that rule will resolve the problem... :)
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It would need to be: Allow 192.168.1.0/192.168.1.255
     
  11. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Stem, do you mean keep the "Allow DHCP" rule set to "Masked IP" with IP set to 192.168.1.0 and Mask set to 192.168.1.255? Or you mean something else? I'll mess around with this when I get home.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    delerious,
    Yes,
    IP set to 192.168.1.0 and Mask set to 192.168.1.255
     
  13. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    OK, I set the IP to 192.168.1.0 and the Mask to 192.168.1.255. That ended up being worse than the 255.255.255.255/255.255.255.255 setting, because I couldn't establish a connection, period. Not after 30 seconds, not after several minutes.

    I attached a capture of the log, there's something interesting there. Notice how the first 3 UDP packets from the router's port 67 to my port 68 were sent to Destination IP 192.168.1.35. That was all within the first 30 seconds, when I couldn't get a connection. But then the next time the router tried to send a UDP packet from its port 67, it used a Destination IP of 255.255.255.255. I guess that's when the 255.255.255.255/255.255.255.255 rule decides to allow it, but the 192.168.1.0/192.168.1.255 rule still blocks it.

    Any other ideas?
     


  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    EDIT:
    Just re-reading your post,

    A rule to Allow from 192.168.1.0/192.168.1.255 would cover this inbound. Please post a screen capture of the rule you have in place for this.


    Stem,
     
    Last edited: Jul 21, 2006
  15. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    OK, I tried the 192.168.1.0/192.168.1.255 again and still couldn't get connected after several minutes. Here's a capture of that rule, and you can see all the other rules in the background.
     


  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Sorry,... incorrect masking,.. correction...

    In the rule "Packet source" place IP 192.168.1.1 Mask 255.255.255.0: "Packet destination" 192.168.1.35 Mask 255.255.255.0 (192.168.1.35 is your PC IP, yes?)

    If this still does not work correctly, change destination to IP 192.168.1.1 Mask 255.255.255.0


    I was thinking of router broadcast in my last posts. o_O (router broadcast for your router IP is 192.168.1.255)
     
    Last edited: Jul 21, 2006
  17. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Yes, 192.168.1.35 is what the router usually gives my laptop. But the router isn't guaranteed to always give that IP, right? So shouldn't I use something besides 192.168.1.35 in the Packet Destination?
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, use IP 192.168.1.1 Mask 255.255.255.0,... this will cover all IP range from 192.168.1.1 to 192.168.1.255
     
  19. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    So it sounds like I want "Masked IP with IP=192.168.1.1 and Mask=255.255.255.0" for both the Packet Source and Packet Destination. But if that covers the range from 192.168.1.1 to 192.168.1.255, then won't that also allow other computers on the network (besides the router) to send me the UDP packets from their port 67/68? Shouldn't I set the Packet Source to include only the IP of the router?
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is of no security risk, but yes, you can tighten by placing a source of IP 192.168.1.1 Mask 255.255.255.255, which would only allow the router IP 192.168.1.1

    ____
    Stem
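
The exchange above (posts 13 through 20) turns on how a "Masked IP" rule decides whether a packet matches, and the earlier questions in posts 1 and 2 turn on why the laptop receives packets addressed to 192.168.1.255. The following is an added worked example, not code from the thread or from CHX itself. It assumes (as a labelled assumption) that a Masked IP test ANDs both the rule address and the packet address with the mask and compares the results, taking the mask bit-for-bit; the router, laptop and subnet addresses are the ones named in the thread, and the four DHCP offer destinations are constructed to mirror the log described in post 13.

```python
import ipaddress

# Constructed sample data, modelled on the thread's description of the LAN:
# router 192.168.1.1, laptop 192.168.1.35, subnet 192.168.1.0/24.
ROUTER_IP = "192.168.1.1"
LAPTOP_IP = "192.168.1.35"
PREFIX_LEN = 24

# Destination addresses of the four DHCP offers (UDP 67 -> 68) that post 13
# reports in the CHX log: three unicast to the laptop, then one to the
# limited broadcast address 255.255.255.255 (constructed from that description).
DHCP_OFFER_DESTS = ["192.168.1.35", "192.168.1.35", "192.168.1.35", "255.255.255.255"]

# The three "Masked IP" destination settings discussed in the thread.
RULES = {
    "sample": ("255.255.255.255", "255.255.255.255"),  # Workstation sample ruleset
    "attempt": ("192.168.1.0", "192.168.1.255"),       # post 12, non-contiguous mask
    "final": ("192.168.1.1", "255.255.255.0"),         # post 18, whole /24
}


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def masked_match(rule_ip: str, rule_mask: str, packet_ip: str) -> bool:
    """ASSUMED semantics of a 'Masked IP' match: AND both addresses with the
    mask and compare. The mask is applied bit-for-bit, so a mask such as
    192.168.1.255 is honoured literally, not treated as a prefix length."""
    mask = ip_to_int(rule_mask)
    return (ip_to_int(packet_ip) & mask) == (ip_to_int(rule_ip) & mask)


def evaluate_rules(rules=RULES, dests=DHCP_OFFER_DESTS):
    """For each rule, list whether each logged DHCP offer would match."""
    return {name: [masked_match(ip, mask, d) for d in dests]
            for name, (ip, mask) in rules.items()}


def directed_broadcast(host_ip: str, prefix_len: int) -> str:
    """Directed broadcast address of the host's subnet (all host bits set)."""
    net = ipaddress.IPv4Network(f"{host_ip}/{prefix_len}", strict=False)
    return str(net.broadcast_address)


def host_accepts(dst_ip: str, host_ip: str, prefix_len: int) -> bool:
    """A host's IP stack accepts a packet addressed to the host itself, to the
    limited broadcast 255.255.255.255, or to its subnet's directed broadcast.
    That is why the laptop sees RIP and NetBIOS packets sent to 192.168.1.255."""
    return dst_ip in (host_ip, "255.255.255.255",
                      directed_broadcast(host_ip, prefix_len))


if __name__ == "__main__":
    for name, results in evaluate_rules().items():
        print(f"{name:8s} rule matches the four offers: {results}")
    print("directed broadcast for the laptop's subnet:",
          directed_broadcast(LAPTOP_IP, PREFIX_LEN))
    print("laptop accepts a packet to 192.168.1.255?",
          host_accepts("192.168.1.255", LAPTOP_IP, PREFIX_LEN))
    # Tightening the source to the router only, as suggested in post 20:
    print("source 192.168.1.1/255.255.255.255 matches the router:",
          masked_match(ROUTER_IP, "255.255.255.255", ROUTER_IP),
          "and another LAN host:",
          masked_match(ROUTER_IP, "255.255.255.255", "192.168.1.50"))
```

Under the stated assumption the output lines up with what the thread reports: the sample rule matches only the fourth, broadcast offer (hence the 30-second delay), the 192.168.1.0/192.168.1.255 attempt matches none of them because the 0xFF in the last mask octet keeps the host byte in the comparison (hence no connection at all), and the final 192.168.1.1/255.255.255.0 rule matches the unicast offers. That final rule does not match 255.255.255.255, so a ruleset that relies on it depends on the DHCP server unicasting its offers, as this router evidently does; a second rule for the limited broadcast would cover the other case. The source tightened to 192.168.1.1/255.255.255.255 admits only the router.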
     
  21. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    stem: Thanks for the help! Now I can establish a wireless connection in just a few seconds, like normal!

    vampiric_crow: I read those 2 links about the "Deny Ingress filters", and I'm still not quite sure what the point of that is? Even Stefan said that they should not be necessary for a workstation computer.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well,.. we get there in the end :D


    So how is CHX going then,.. reports for the forum,...
     
  23. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    So far it seems to be working well, but I'm just doing web surfing on this computer. I like CHX because it doesn't use much memory (from what I can tell it uses less than 2 MB). I also ran some download tests with CHX turned on and off, and it doesn't affect the transfer rate at all.

    I also looked at WIPFW earlier today, which is another low resource packet filter. I didn't bother to install it, I only ran the GUI to see what that was like... I like the CHX console better because everything is contained in there (the WIPFW gui only lets you view/edit rules, it doesn't let you look at logs).
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi delerious,
    Yes I remember WIP,.. if you are using CHX3 then go with that, I know there is some confusion about implementation, but I think this TCP/IP is worth a use. Way back at your first post, you mentioned the "payload filters", I haven't really gone into this much, .. there was a question,.. for packet size but never got much further (no reply),

    ____
    Stem
     
  25. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Yep, you could disable or delete it...

    I tried to have more information, but like you saw, without reply... :(
     