Who wants another firewall?

Discussion in 'other firewalls' started by Centurion, Feb 28, 2011.

Thread Status:
Not open for further replies.
  1. Centurion

    Centurion Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    11
    Would anyone here be interested in a new CHX-like firewall with IPv6 support?
     
  2. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Would rather see a Kerio 2.1.5-like firewall with IPv6 support.
    Or an Atguard 3.22-like firewall with IPv6 support that works on XP and later.

    I tried CHX-I when it was available but found the rules priority more confusing than Kerio/Atguard and now that I use a router, outbound is really more important than inbound.
     
  3. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    286
    Location:
    Philippines
    I wouldn't mind.
     
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Most definitely.
     
  5. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    NO !

    John
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    +1 :thumb:
     
  7. Centurion

    Centurion Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    11
    Just a "NO" answer doesn't help much. Would you care to explain?
     
  8. Centurion

    Centurion Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    11
    Beside IPv6 support, what else would you like to have?
     
  9. wat0114

    wat0114 Guest

    Yes, that would be most excellent :)

    Not too many bells and whistles, other than detailed, easy to read logging, and of course excellent packet filtering capabilities like the original, just to keep things Spartan-like ;) Oh, one more thing...would it be possible to add the capability to filter selected associated services with svchost as it is with Win7 fw, or will there be no program/process filtering control as is the case with the original?
     
  10. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Easy - I've got a perfectly good firewall, why do I want another ?

    John
     
  11. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    +1 :thumb:
     
  12. Centurion

    Centurion Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    11
    Thanks. That's actually one of the reasons I was asking this question. In today's world we have lots of firewall flavors to choose from and I was wondering if resurrecting another one would be good or bad.
     
  13. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    UDP/ICMP tracking (pseudo stateful inspection) as in the original.
    It pretty much eliminated the need to do some things like
    locking down port 53 to a single DNS server, IIRC.
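
The UDP tracking mentioned in the post above, shown next to a stateless source-port-53 rule (an added example, not part of the thread or of CHX-I's code). The `UdpTracker` class, the 30-second idle timeout and the sample addresses are assumptions.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str   # "out" = leaving this host, "in" = arriving
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)

def static_rule(pkt):
    """Stateless rule: allow all outbound, allow inbound UDP from source port 53."""
    if pkt.direction == "out" or pkt.src[1] == 53:
        return "ALLOW"
    return "DROP"

class UdpTracker:
    """Pseudo-stateful UDP filter: inbound is allowed only as a reply to a
    recent outbound datagram on the same address/port pair."""

    def __init__(self, timeout=30.0):   # timeout value is an assumption
        self.timeout = timeout
        self.flows = {}                 # (local, remote) -> expiry time

    def check(self, pkt, now):
        # Expire idle entries first so a stale flow cannot admit traffic.
        self.flows = {k: t for k, t in self.flows.items() if t > now}
        if pkt.direction == "out":
            self.flows[(pkt.src, pkt.dst)] = now + self.timeout
            return "ALLOW"
        key = (pkt.dst, pkt.src)        # a reply reverses the endpoints
        if key in self.flows:
            self.flows[key] = now + self.timeout
            return "ALLOW"
        return "DROP"

# Constructed sample traffic (documentation address ranges).
HOST, RESOLVER, OTHER = ("192.0.2.10", 50000), ("198.51.100.53", 53), ("203.0.113.9", 53)

def demo():
    fw = UdpTracker()
    query = Packet("out", HOST, RESOLVER)
    reply = Packet("in", RESOLVER, HOST)
    unsolicited = Packet("in", OTHER, HOST)   # source port 53, never queried
    return {
        "static_unsolicited": static_rule(unsolicited),
        "tracked_unsolicited_before": fw.check(unsolicited, 0.0),
        "tracked_query": fw.check(query, 1.0),
        "tracked_reply": fw.check(reply, 1.2),
        "tracked_other_host": fw.check(unsolicited, 1.3),
        "tracked_late_reply": fw.check(reply, 40.0),
    }
```

The tracker admits the resolver's reply without any rule naming the resolver, while the stateless rule accepts any datagram that claims source port 53.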
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Not sure. I don't know enough about CHX to decide. I read a little about CHX after googling it, but I'm not sure what the difference is with it, and most other firewalls. Is it like LnS? Could someone make a comparison with a Firewall already on the market?
     
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Well, they all do the same thing. Thousands of windows. Deeper and deeper and one can hardly keep straight the processing priorities or the duplication of rules. Ever tried changing a rule that occurs in many applications? It hurts.

    Is that a real proposal?
    Centurion, are you a firewall writer?

    Not familiar with CHX. Take Kerio 2.1.5, add
    1. self protection (not sure if need, but I think I read about it someplace)
    2. IPv6
    3. In the GUI for filter rules,
    3a. add a way to use a rule as source for a similar rule (copy, paste, edit)
    3b. checkmark column for Logging similar to the current enable/disable
    3c. add a way to add IP addresses in CIDR format
    3d. allow to move or delete a group of rules (multiselect)
    4. Add another Custom Address Group, or subclassification thereof, since one group is not sufficient
    5. Add port groups (very optional) [I just edited this line, I did not mean protocol groups]
    6. Display log in columns to make quick review easier
    7. Keep all filter rules on one screen, that's where Kerio shines :)
    8. Maybe add SHA checksums to applications
    9. Keep tiny memory use
     
    Last edited: Mar 1, 2011
  16. rottenbanana

    rottenbanana Registered Member

    Joined:
    Jul 25, 2008
    Posts:
    51
    Location:
    -30°C
    +1 to a modern-day Kerio 2.1.5, it's been on my wishlist for years.
     
  17. wat0114

    wat0114 Guest

    For those curious about what CHX-I is, the following may shed some light on it:

    -http://members.shaw.ca/bind-pe_and_ics/chxi.htm

    (not sure if there's a better link, but this is the best I could find).

    I trialed it for only a short time some 5 years ago on XP, and it seemed to work perfectly as expected with no noticeable impact on system performance.
     
  18. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Some info here:
    Look 'n' Stop vs. CHX-I vs. 8Signs
    -http://www.mntolympus.org/phpBB3/viewtopic.php?t=2032
    (there was a nice graphical comparison page there but I cannot find it)

    And for sure that I would be interested by a new CHX-I / 8Signs firewall compatible with 7x64!
     
  19. Centurion

    Centurion Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    11
    Was anyone making extensive use of conditional filters?
    What about triggers and payload filtering?
     
  20. wat0114

    wat0114 Guest

    No, I didn't but I probably would if they helped to bolster the packet filtering capabilities in regards to both security and efficiency. At the time I used the original I only set up some basic rules.
     
  21. Centurion

    Centurion Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    11
    I would've expected at least some people will use the payload filtering and triggers as a simple packet-payload based port-knocking facility.
    ...
    Thank you all for answering.
    I'm not sure if it is too early to draw a conclusion to my initial question, but so far, it looks like only a handful of people (mostly security experts) will see some value in a new such piece of software. Nowadays we have a huge amount of space on our hard drives, 2 or 4 CPU cores (going idle most of the time) and no one seems to ask for more performance, less space and efficient use of the resources from a new piece of software. Big software corporations are impressing us with more and more features, fancy UIs and focus mostly on adding that little feature a genius developer came up with out of nowhere, just to be ahead of the competition.
    So, I guess, any attempt to compete with just a piece of efficiently crafted code with a minimal set of features focused on the needs of the expert users will sooner or later come to failure.
     
  22. rocom

    rocom Registered Member

    Joined:
    Mar 3, 2011
    Posts:
    1
    I miss chx-i and would be very happy if you at least made it Win 7 64bit compatible. It's hard to find a true stateful packet filter these days.
     
  23. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,181
    w7 supports ipv6 but xp not

    can understand the gain about ipv6 ? more secure for us? :cautious:
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    If you were thinking of trying to make a living out of a re-incarnation of CHX-i, then that would be a very doubtful reality.
    Most users now look at leak-test prevention rather than packet filtering. [ It has always been beyond my grasp of understanding as to why anyone would want to sandbox malware on their system, rather than stopping it getting on their HD in the first place, but, whatever.]

    Anyway, good idea while it lasted.

    Regards,

    - Steve
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    there is a new firewall coming that is totally different. Nuff said.;)
     