Is it possible to make the TCP Stateful Packet Inspection supplied by LnS coexist with that of CHX-I, so as to take advantage of the latter's ability to filter UDP/ICMP packets with its pseudo-SPI? In other words, to use LnS TCP SPI + CHX-I UDP/ICMP pseudo-SPI.... Sorry for my English. I hope you have understood what I wanted to say. Thanks in advance.
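For readers unfamiliar with the "pseudo-SPI" the question refers to, here is an added illustration (not code from CHX-I, LnS or the original post) of how a filter fakes state for connectionless protocols: it remembers each outbound UDP datagram or ICMP echo request and admits only the matching inbound reply within a timeout. Packets are plain dicts and the timeout values are assumptions chosen for the demo.

```python
"""Pseudo-SPI for UDP and ICMP: added example, not CHX-I's implementation."""
UDP_TIMEOUT = 30.0   # assumed: seconds a UDP "session" lives after the last packet
ICMP_TIMEOUT = 5.0   # assumed: seconds an echo request waits for its reply


class PseudoSPI:
    def __init__(self):
        self.udp = {}    # (local_ip, local_port, remote_ip, remote_port) -> expiry
        self.icmp = {}   # (local_ip, remote_ip, ident, seq) -> expiry

    @staticmethod
    def _expire(table, now):
        # Drop entries whose timeout has passed (pseudo-state has no FIN/RST).
        for key in [k for k, t in table.items() if t <= now]:
            del table[key]

    def outbound(self, pkt, now):
        """Record state for an outbound packet; outbound traffic is allowed here."""
        if pkt["proto"] == "udp":
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            self.udp[key] = now + UDP_TIMEOUT
        elif pkt["proto"] == "icmp" and pkt["type"] == 8:   # echo request
            key = (pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])
            self.icmp[key] = now + ICMP_TIMEOUT
        return True

    def inbound(self, pkt, now):
        """Allow an inbound packet only if it answers a remembered outbound one."""
        self._expire(self.udp, now)
        self._expire(self.icmp, now)
        if pkt["proto"] == "udp":
            # Reverse the 4-tuple: the reply's destination is our original source.
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if key in self.udp:
                self.udp[key] = now + UDP_TIMEOUT   # a reply keeps the session alive
                return True
            return False
        if pkt["proto"] == "icmp" and pkt["type"] == 0:   # echo reply
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            return self.icmp.pop(key, None) is not None   # one reply per request
        return False   # unsolicited UDP, inbound echo requests, other ICMP: dropped


# Constructed sample traffic: a DNS query and its answer.
DNS_QUERY = {"proto": "udp", "src": "10.0.0.2", "sport": 5353, "dst": "8.8.8.8", "dport": 53}
DNS_REPLY = {"proto": "udp", "src": "8.8.8.8", "sport": 53, "dst": "10.0.0.2", "dport": 5353}
```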
Hi ita, your English is fine and welcome to Wilders. I'm sure someone smarter than me will be along shortly to definitively answer your question. I think Jazzie was or is using LnS with CHX-I. Seems to be a good combo to go together if you also want outbound app control. But I see no reason not to implement SPI for TCP/UDP/ICMP in CHX-I along with LnS. Seems like CHX-I is getting a good reputation around here, and right now I've got it set up on my PC and it stealths all ports by itself. Regards, Jaws. Maybe Dholiday was right about getting a CHX-I forum going. It looks like interest is growing for CHX-I.
Hi ita ... and welcome to Wilders. It is not recommended to run more than one software firewall on your system. What exactly is it you hope to gain, or think is not covered by LnS? Regards, CrazyM
CHX-I implements itself as a driver as part of the kernel. You wouldn't know it's running. It's like you THINK you are not wearing underwear - but you are. I don't think there'll be conflicts.
Truly nice comparison; IDRCI should use it on their website. CHX is truly unobtrusive. If you intend to use it, all you need is an outbound app filter, that's all.
It is possible, but it's probably best to use CHX-I for the SPI packet filtering, and turn off the internet filtering of LnS and just use it for outbound app control. There's really no need to have both filtering normal internet traffic. There also could theoretically be conflicts. I don't know that there would be, but I am just saying that it's always possible. At any rate, double filtering like that certainly is not needed. CHX-I does an excellent job by itself. Just use LnS for app control and you'll be all set.
Perhaps I'm confused, but I think Stefan posted the other day that SPI can be used without the presence of static rules in CHX-I. Nowhere did he mention the use of another firewall with CHX's SPI, but then why would you use SPI without some kind of other firewall or filters? Stefan said: I take this to mean you can apply SPI in CHX-I without any filters, so you would not actually be filtering twice, but now I'm not sure if using just CHX's SPI and all of LnS's firewall would cause conflicts. Since Stefan posted in the context of using a different firewall with CHX's SPI, I assumed there would be no problems. Good question that needs a definitive answer.
LnS and CHX-I work fine together; you just have to turn off the inet filter and remove all the rules in LnS (including all the packet options!). Like CrazyM stated, running two packet filters will result in conflicts under a heavy load (i.e. p2p/multiple connections). ZA works the same (just have to turn off the inet filter). Then the question is, why use two packet filters if one (CHX-I) implements true SPI and the other simulated? Cheers, DRI
Hi all! I have tested just about every firewall there is that didn't have dedicated packet filtering [that couldn't be disabled without app filtering]. The two I know that work well with CHX-I are ZA/ZAP and LnS. Some here, like Kerodo and Arup, used Jammer under Win2k without a hitch. I am currently using XP Pro, so I can't use/test it... There is another that worked well, but is no longer available: Alertwall. The company sold the source code, so it is no longer available..... I would like to stress (which I have on more than one occasion) that I don't use an app filtering firewall to deter 'leak tests' or malware; I use it to control bandwidth and what calls out or home..... CU, Jazzie
Jaws - You bring up a good point and that's what I got out of Stefan's post also. However, my response to it all would be, why bother with LnS's filtering at all when CHX-I is far superior? And I think LnS only does TCP SPI. Seems to me that it would be best to just use CHX-I for internet filtering, and then supplement with LnS or ZA or Jammer for app filtering only. With CHX-I filtering internet traffic, there is simply no need for another firewall doing the same.
Hi Jazzie.. I actually preferred Jammer for app control with CHX-I. It gives me a simple notification when an app tries to connect out, with an allow/deny choice, and that's all I wanted, nothing fancy.. Works well for me..
Hi Kerodo, glad it is working for you. And, as I hear, light on resources as well.. I am using ZAP, which uses about 9 megs, so that isn't too bad.. Regards, Jazzie
Thanks for the numerous answers! I have noticed that people considered among the best minds at Wilders have already answered .... I'm honored.
Jazzie1: Could you give me an example of what you mean by controlling bandwidth? Are you mainly concerned about privacy and blocking applications like media players from reporting back, or is there actually some non-malware app stealing enough bandwidth that it needs to be blocked for performance reasons? Generally, my approach to the privacy problem has been to use a hosts file.
Although it makes no sense to run two or more drivers performing the same function, there are specific circumstances that would allow for peaceful co-existence of different filtering modules. Microsoft's architecture allows for filtering at various levels (e.g. NDIS, IP filter hook, firewall hook and so on), so two or more drivers filtering at different levels should not interfere with each other. From a functionality point of view, CHX SPI can be enabled within the context of a separate static filter, but this approach violates one of the principles of implementing a robust security model: whenever possible, do not increase a security system's complexity. The more technology you throw at security problems, the less secure the system becomes. Generally, people at home are less concerned with network ACLs (perhaps because there is nothing spectacular about it, such as pop-ups asking you if you want to allow an overlapped TCP segment) and more concerned with malware. For this purpose, and for the sake of keeping your system's complexity low, one should by all means make use of one of the many applications that provide strong coverage in this particular area, such as LnS or ZA. Best Regards, Stefan
Hi all! Hey Diver, long time no hear. What I was referring to is certain apps that I have that call out, which I want to control when it happens, such as mIRC with the Zirk script. It likes to update itself every 25 mins (can be turned off, but still likes to call back to the host for an update), which isn't so bad, as long as I am not downloading anything! So let's say I am downloading a huge file and an update comes for something else at the same time; I want to be able to control what gets the priority of bandwidth (most likely the download). Otherwise, the bandwidth is sucked from my download through IRC to another app... Stefan, good hearing from you again! I look forward to the final release of CHX-I 3.0.. Take care, Jazzie
Great statement! Can I quote you for use in my signature? I, like some others here, don't feel the need to use outbound app control. I've been testing out CHX and feel perfectly safe using it by itself. Normally I use just a router, but I'll be installing CHX on a friend's PC, as they don't know what to do with outbound app popups anyway. Regards, Jaws
If more firewall vendors followed this principle then we'd truly have some more great products like CHX..
Jazzie, Thanks for the answer. I am around frequently, but do not post that much anymore. Stefan says it all. KISS.
One can truly test their CHX-I set-up from behind a router by placing themselves in a DMZ and letting CHX-I filter in both directions. Works very well. I also look forward to the final release of the 3.0 version... Cheers, DRI