Question about non app FW

Hello,

Some of the FWs with good ratings in those boards are CHX or GhostWall for example.
Those are FWs without any application control, ie just packet filtering :
I authorize connections to port 80 is what we can do with them.

Those FWs needs to work with another soft, like AntiHook or ProcessGuard for example (which I don't know very well).

Now here is a configuration example (stupid conf maybe, just for test purpose) :
I want to use FF to surf for http pages
I want to use IE to surf for https pages

Using my CHX/GhostWall, I need to allow outgoing connections to 80 and 443, and that's all.
But that's not enough, for sure.
So what ? Is my (stupid) configuration example possible to do using GW/AH for example (or whatever) ?

 

Unfortunately, that would get you no where . You need DNS or else you need to have memorized every ip for every segment of the websites you want to go to(which is impossible). Here are the outgoing rules which I have with my beautiful little CHX-I

1) Loopback:

Direction: Outgoing
Protocol: TCP and UDP
Packets' source: Any
Source Port: Any(you can restrict this to 1024-4999)
Packets' desination. 127.0.0.0/255.0.0.0
Destination port: Any

2) E-mail

Direction: Outgoing
Protocol: TCP
Packets' source: Any
Source Port: 1024-4999 (local ports)
Packets' destination: IPs of my e-mail servers
Destination port: 25, 110

3) ICMP 3

Direction: Outgoing
Protocol: ICMP
Packets' source: Any
Source Port: Any
Packets' Destination: My two DNS servers
Destination port: n/a
Specific Flags: ICMP Type 3 Code 3

4) ICMP 0

Direction: Outgoing
Protocol: ICMP
Packets' source: Any
Source Port: Any
Packets' Destination: Any
Destination port: n/a
Specific Flags: ICMP Type 0 Code Any

5) ICMP 8

Direction: Outgoing
Protocol: ICMP
Packets' source: Any
Source Port: Any
Packets' Destination: Any
Destination port: n/a
Specific Flags: ICMP Type 8 Code 0

6) Normal Web Surfing

Direction: Outgoing
Protocol: TCP
Packets' Source: Any
Source Port: 1024-4999
Packets' destination: Any
Destination port: 80, 443

7) DNS Traffic

Direction: Outgoing
Protocol: UDP
Packets' Source: Any
Source Port: Any
Packets' Destination: The ips of my two dns servers
Destination Port: 53

8. FTP Traffic (Usually turned off)

Direction: Outgoing
Protocol: TCP
Packets' source: ANy
Source Port: 1024-4999
Packets' Destination: Any
Destination Port: 21

These rules are permissive, and any packet that doesn't match one of these filters will not be allowed through. These will help you be able to successfully access the internet, do e-mail, and do FTP downloads. You of course will need to add to them for file and printer sharing in your network, P2P, Games, etc. I would recommend Ghostwall for starters, and then CHX-I once you feel like you got the hang of things(warning, CHX-I comes with no filters to start out with, so it does NOTHING until configured).

Happy safe computing

Alphalutra1

 

Thanks for your reply, but I think you haven't understood what I meant.
But you're right, my test config was so stupid I gonna change it.

Let say you have a soft mail client. You want to have access to your pop3/impa4 servers.
But you don't want your mail client to access to port 80 (to not let him load web pages in mails).
But for sure you need web access for your favorite browser !

So with your favorite CHX, you will have some email rules.
But the thing is you need to let you mailer access to the network, and you need to have a rule in CHX for web surfing too.

So... What is the solution now to restrict accesses for the mailer ?

 

To restrict a client application that way with a firewall you would need one that is both application and rules based. So firewalls like 8Signs, CHX-I or GhostWall cannot do it.

If using a rule based firewall with no application control you can simply configure you e-mail client to not display/use HTML or read in plain text only.

Regards,

CrazyM

 

OK CrazyM, that's was what I thought, but some posts in those boards put me in confusion.

 

Yep, it's not possible with CHX or Ghostwall. What you need and might want to consider is Kerio 2.1.5 for example. It's a great one for that kind of restricting of apps to certain ports etc. Another one might be Jetico or Filseclab. All are free.

 

Hello,

you can also combine CHX + AppDefend. The last one enables you, between many other things, to allow or deny applications wanting to connect out (but you cannot configure protocols and ports thought).
AppDefend is not a firewall, more information at this forum :
https://www.wilderssecurity.com/forumdisplay.php?f=78

You can thus keep your favorite packet filter, and have a very basic network application monitoring.

 

With CHX + Appdefend, I cannot configure what my example needs (my mailer for pop/smtp only, and not for http) because appdefend is not port-restrictive, only access or not to network.
Kerio, Jetico, .. are OK, but I really like the way CHX or GW are working.

I just need something which doesn't seem to exist : a tool with port restriction on an application basis.
Or CHX + Kerio 2 for appli, but having 2 FW running together... hummmm I don't want that.

There is no solution for me, maybe my brain has too much strange ideas (will try to change brain).
Please give me the new "appdefend + port-restriction" new tool, and I will keep my brain.

 

There is nothing I know of that you can run with CHX or Ghost to get what you want without some redundant filtering. If the app port restriction is that important to you, then I'd suggest perhaps either adding Kerio 2 to CHX, or just remove CHX altogether and run Kerio 2 for example, or Jetico. Many folks have used CHX and Kerio 2 together without harm. The total ram use is only about 8 or 9mb, cpu use is nil. It doesn't get much lighter than that. But if running 2 filtering apps bothers you then I'd just dump CHX and go with one of your typical rule based firewalls. That's about all you can do I think.

 

Hey look, a long post made by you on the exact subject
https://www.wilderssecurity.com/showthread.php?t=72595&highlight=chx-i

Thought this might be useful info. to those considering the option. Also browse
http://www.dslreports.com/forum/kerio for some topics on kerio 2.1.5 with CHX-I

Alphalutra1

 

Those were the days...

 

I wouldn't know, just joined recently, but hey, I love lookin at old threads to give me info

Alphalutra1

 

I do not understand, you don't want a firewall with application filtering (see title "Question about non app FW"), so you are required to use a packet filter (CHX for instance), but on the other hand you want to restrict particular apps (your email client, browser, etc...) to only few ports.

So on hand hand you refuse app control, and on the other hand you need it

If you want above all to restrict your applications only to the ports you want, you need a firewall with an application filtering, simply (Kerio alone enables you to do just that).

If you absolutly want to keep CHX, then you can use the solution I have said. CHX restricts the OS to the allowed ports only 80 443 53 110 etc... and AppDefend tells which app has the right to connect out or not, which indirectly does what you want.

Now, we cannot know better than yourself what you want, choose your solution, test it, and report here if you encounter any problem.

Regards,
gkweb.

 

The problem comes when he wants to allow a single app to access some ports but not others. For example, he wants to allow his email program access to 25 and 110, but not 80. Apparently AppDefend is just an on/off switch and can't control the app's by port. So the only way is to use a traditional rules based firewall like Kerio, Jetico, Filseclab, etc etc.

 

You're right even I don't know exactly want I want.
In my profesionnal life, I'm working with perimeters FW (FW-1, PIX, ...), so everyday I see rules based FW, exactly the way CHX works.
That's why I would prefer using CHX instead of non app FW.

On the other hand, I like to be as restrictive as possible, for my mailer soft for example.
So I need app restriction.

I will test a CHX with Antihook/Appdefend/whatever. You're numerous to using it, I'm sure it's a good solution too (event if my mailer is allowed to go to port 80 !).

 

CHX-I is a non app fw

 

Yes, just a typo in my last post ! Sorry.

 

No problem, we all make tpyos

Alphalutra1