Questions about CHX

Discussion in 'other firewalls' started by delerious, Jul 16, 2006.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    What happened to Stefan? And www.idrci.net is still down. Is that a coincidence or something else?
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I don't know :(
     
  3. koomi

    koomi Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    8
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You should allow ARP from your LAN


    Yes. Example: placing a rule to block inbound SYN packets will block only those packets, this is how to block inbound connections.
    The SYN-ACK packets are the "reply" to your outbound "SYN (connection)", which would be allowed.


    Passive FTP works as:- You make an initial connection on remote port 21, then other ports (that are available on the server) are used; these can be any local/remote port 1024-65535. So, if you simply have a rule to allow outbound to remote port 21, the connection would start, but the local/remote ports that need to be used for the passive connection would be blocked. When you check "allow outbound Passive FTP", and a connection is detected for remote port 21, then the other connections are allowed.
     
  5. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    I should allow ARP from any computer on my network? Right now I have the rule set up to allow ARP only from my router's MAC address.

    OK... if for some reason I set things up to allow outgoing only to port 21 for the ftp server's command port, then the outgoing connection to the ftp server's data port would be blocked. So I have to check "Allow Outgoing Passive Ftp" to get around that. But how does CHX distinguish between an outgoing TCP connection that is part of a passive ftp session and an outgoing TCP connection that should be blocked?

    Thanks for your help, Stem!
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    By doing it this way, there is a minimum of local/remote ports allowed within the ruleset (Outpost Pro uses this method).
    This is down to the SPI keeping track of the IP that the initial connection was made to.
     
  7. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Thanks again, Stem.

    Oops, I was wrong about that... I was on a different computer when I typed that message. My rule is set up to allow ARP from everyone, and it needs to be that way, otherwise the internet won't work. I tried setting the source MAC address to my router, and it worked for a few minutes before it stopped working (I guess my machine was in other machines' ARP caches during those few minutes?).
     
  8. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Here's another question...

    Each filter has a Conditions tab where it lets you specify a Table Type (TCP, UDP, or ICMP), Direction (incoming or outgoing), Connection's Local IP, Connection's Remote IP, Connection's Local Port, and Connection's Remote Port.

    What is the purpose of this Condition tab? For example, there is a filter in the sample set for IDENT. On the Properties tab, it says allow incoming TCP packets from any source ip/port to any destination with port=113. And on the Conditions tab, it says Table Type=TCP, Direction=outgoing, Connection's Local IP=Any, Connection's Remote IP=Packet src, Connection's Local Port=Any, Connection's Remote Port=25. What does this mean?
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You will find that while behind a router, you only need ARP from your LAN. Your rule must be blocking the LAN ARP.
    Please post a pic of your ARP rule.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The rule itself is only allowed when the condition is met.
    Your example:-
    An inbound connection to local port 113 will be allowed if (under the condition that) you have an outbound connection to remote port 25 active (or within timeout).

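    To make the Properties/Conditions split concrete, here is an added simulation (not part of the thread and not CHX's own code) of how a stateful filter evaluates the sample IDENT rule: the packet must match the Properties tab, and the SPI table must hold an active connection satisfying the Conditions tab. The IP addresses and the state-table entry are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    """One active entry in the firewall's stateful (SPI) table."""
    proto: str
    direction: str        # "outgoing" or "incoming"
    remote_ip: str
    remote_port: int


@dataclass
class Rule:
    """Properties tab (packet shape) plus Conditions tab (required state)."""
    proto: str
    direction: str
    dst_port: int
    cond_proto: str
    cond_direction: str
    cond_remote_port: int
    cond_remote_ip: str = "Any"   # "Any" or "Packet src"


def allowed(rule, pkt, table):
    """True only if pkt matches the rule's Properties and some active
    connection in `table` satisfies its Conditions."""
    if (pkt["proto"], pkt["direction"], pkt["dst_port"]) != \
            (rule.proto, rule.direction, rule.dst_port):
        return False
    return any(
        c.proto == rule.cond_proto
        and c.direction == rule.cond_direction
        and c.remote_port == rule.cond_remote_port
        and (rule.cond_remote_ip != "Packet src" or c.remote_ip == pkt["src_ip"])
        for c in table)


# The thread's sample IDENT filter: inbound TCP to local port 113, conditional
# on an outgoing TCP connection to remote port 25 whose remote IP equals the
# packet's source ("Packet src").
IDENT_RULE = Rule("TCP", "incoming", 113, "TCP", "outgoing", 25, "Packet src")

# Constructed state table: one SMTP session open to a mail server.
STATE = [Conn("TCP", "outgoing", "203.0.113.10", 25)]


def ident_probe(src_ip, rule=IDENT_RULE, table=STATE):
    """Evaluate an inbound TCP packet to port 113 from src_ip."""
    pkt = {"proto": "TCP", "direction": "incoming",
           "src_ip": src_ip, "dst_port": 113}
    return allowed(rule, pkt, table)
```

    With the "Packet src" condition only the mail server being talked to can reach port 113; with the condition set to "Any", any host could reach it while some outbound port 25 session exists.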
     
  11. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Here is my current ARP rule, the one that works. The other rule that I tried (which didn't work) had the Source MAC equal to the MAC of my router.

    So my ARP rule can be more restrictive?
     

    Attached Files: arp.jpg
  12. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    What does the Connection's Remote IP being set to "Packet src" mean? Does that mean that an incoming TCP packet to port 113 will only be allowed if the Source IP of the packet matches the Destination IP of that outbound connection to remote port 25?

    So what do you think about the rule? Should I allow IDENT if it is coming from a host that I telnetted to?
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Make sure the rule is placed on the network card, and not on the IP. Place in the mac addresses (ARP inbound, source router mac->destination PC mac) and make the rule "force allow" (I have set up to check this, and ARP comms are o.k.,...)

    EDIT: (update)
    To confirm, I have been running with this "force allow" ARP source/destination MAC rule for 2 hours, all o.k. for the ARP comms from router->PC (and PC outbound ARP broadcasts/replies are being allowed too).
     
    Last edited: Aug 30, 2006
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, as far as I am aware, as this should be restricted by SPI.

    If ident is needed, you would also need to forward this port through the router.
     
  15. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Whoops, stupidity on my part. :rolleyes: I had put my PC's MAC address into the Source field. Now that I changed it to have the router's MAC address in the Source field and my PC's MAC address in the Destination field, it works fine.

    Is it necessary to set the filter's Destination MAC address to my PC's MAC address? Is it possible for my computer to receive a packet that is addressed to a different MAC address?
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    :thumb:

    I think the rule destination would need to be the "PC mac" or "any". I do not currently have CHX installed to re-check.
     
  17. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Looks like the Destination MAC field needs to be set to "Any." I hadn't touched CHX in about a week, and the internet access suddenly stopped. I looked in the CHX log and noticed that I was getting ARP packets to Destination MAC FF:FF:FF:FF:FF:FF. I had to change my ARP rule to have a Destination MAC of "Any" instead of my PC's MAC, and now it's working again.
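    As an added illustration (not from the thread, and not CHX code) of why the Destination MAC has to be "Any": the router's ARP reply is unicast to the PC's MAC, but its "who-has" request is broadcast to FF:FF:FF:FF:FF:FF, so a rule pinned to the PC's MAC silently drops the requests once the router's cache entry expires. The MAC and IP values are constructed samples.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC = "00:11:22:33:44:55"   # constructed sample values
PC_MAC = "66:77:88:99:aa:bb"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_arp(dst_mac, src_mac, opcode):
    """Constructed Ethernet + ARP frame; opcode 1 = request, 2 = reply."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)      # Ethernet/IPv4
    arp += mac_bytes(src_mac) + bytes([192, 168, 1, 1])       # sender HW/IP
    tha = dst_mac if opcode == 2 else "00:00:00:00:00:00"     # target HW unknown in a request
    arp += mac_bytes(tha) + bytes([192, 168, 1, 5])           # target HW/IP
    return eth + arp


def parse_arp(frame):
    """Return dst/src MAC and opcode of an ARP frame, or None if not ARP."""
    dst, src, ethertype = frame[:6], frame[6:12], frame[12:14]
    if ethertype != b"\x08\x06":
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return {"dst": mac_str(dst), "src": mac_str(src), "opcode": opcode}


def arp_rule_allows(rule_src, rule_dst, frame):
    """Mimics a NIC-level allow rule: each field is an exact MAC or 'Any'."""
    f = parse_arp(frame)
    if f is None:
        return False
    return (rule_src == "Any" or rule_src == f["src"]) and \
           (rule_dst == "Any" or rule_dst == f["dst"])


def simulate(rule_dst):
    """Which of the router's two ARP frames a source=router rule lets through."""
    reply = build_arp(PC_MAC, ROUTER_MAC, 2)        # unicast reply to the PC
    request = build_arp(BROADCAST, ROUTER_MAC, 1)   # broadcast who-has
    return {"reply": arp_rule_allows(ROUTER_MAC, rule_dst, reply),
            "request": arp_rule_allows(ROUTER_MAC, rule_dst, request)}
```

    simulate(PC_MAC) passes the reply but drops the broadcast request, which matches the "worked for a few minutes, then stopped" symptom; simulate("Any") passes both.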
     