CHX-I questions... again :)

Discussion in 'other firewalls' started by glentrino2duo, Feb 15, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello fred22,
    The TCP "SYN" is only the start (first packet) of the connection. So if you just create a rule to allow this state (SYN) packet, then the connection would not complete.
    I did mention that broadcasts would be dropped. The main one showing is to port 1900, which is UPnP; basically, the Xbox is looking for, and trying to connect to, hardware on the system. You should be OK to leave this blocked, but if you do have any problems, you could allow this.
    The base wan-start rules are very open, but if you were to tighten these, then you need to consider the rules for the "client". Do not forget that any outbound from the client is going through the shared internet connection, so at a minimum you would need to place rules to allow the returned packets for the client (your Xbox).
     
  2. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    OK, I understand.

    UPnP has to do with routers, right? I checked the XBMC "network" settings and disabled UPnP
    http://pix.nofrag.com/cd/44/2a826713a6c42ac649aa8e035f2e.jpg
    http://pix.nofrag.com/f2/a0/f605d04cabe51d46fd7791457ab4.jpg

    The blocked UDP 1900 port is gone; I keep getting this one though.. port 4905

    Another one I don't get:
    I have an "Allow ARP" rule in place, so why is it logging this?


    Here I'm getting confused again; please show me the rules you would make. I can give you all the info via PM if that's no problem for you?


    ATM, I removed the wan-start filter for the Internet NIC (SPI settings enabled) on it and enabled LnS internet filtering again.
    The 192.168.2.1 NIC is running the rules you made (+SPI settings).

    PS: if LnS internet filtering is running I'm occasionally getting some NETBIOS blocks, that's a real mystery.. lol

    I have Client for Microsoft Networks, File & Printer Sharing, and NETBIOS over TCP/IP disabled on the Internet NIC

    http://pix.nofrag.com/18/fd/2faa2b80d54c1cb5d8edfd37aece.jpg
    http://pix.nofrag.com/81/9f/4943913fbe4e2efb3bdd0cb5149d.jpg
     
  3. Stem

    Stem Firewall Expert

    OK.
    Compatible hardware; routers are (seen as) the main target, as these are gateways.
    OK, so no problem with settings.
    This I do not know, possibly/probably a broadcast from the Xbox hardware; keep it contained (blocked).

    Possible settings of your SPI (block unsolicited ARP). ARP is constant, hardware will continue to broadcast.. for ARP, if these settings were incorrect, you would lose connection instantly. (Basically, ARP is how the hardware is given an IP.)
    I did/do not mean to confuse, but CHX is not simple (this is base TCP/IP), and can confuse very easily (due to the direction of SPI). As for the NetBIOS, the base WAN_START will not block this. Look at the rules: this allows all ports, including NetBIOS.
     
  4. Stem

    Stem Firewall Expert

    You can add a port block rule to block the outbound (if the outbound is blocked, then any attempts at inbound on the blocked ports will be seen as unsolicited, and dropped). I have run this rule with the wan_start to check and all is OK.

    Just replace the source ports with the ones you want to block (example 137, 138).

    (attachment: port block.JPG)
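The two mechanics Stem describes, in the first post above (a rule that matches only the SYN lets a connection start but not finish) and in the port block post (once outbound on a port is blocked, inbound to that port never belongs to a tracked connection and the SPI drops it as unsolicited), modelled in a small Python packet filter. This is an added example written for this page, not CHX-I code or a rule export: the rule fields, the wan_start-style allow-all rule, the addresses and the packet sequences are all constructed for the illustration, and the state table is a deliberately simplified model of what a stateful filter does.

```python
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits used below


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int
    flags: int = 0      # TCP flags; ignored for UDP


@dataclass
class Rule:
    direction: str
    action: str                              # "allow" or "block"
    proto: str = "any"
    local_ports: frozenset = frozenset()     # empty = any local (source) port
    remote_ports: frozenset = frozenset()
    syn_only: bool = False                   # match only a bare SYN

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.local_ports and p.local_port not in self.local_ports:
            return False
        if self.remote_ports and p.remote_port not in self.remote_ports:
            return False
        if self.syn_only and (p.proto != "tcp" or p.flags != SYN):
            return False
        return True


class PacketFilter:
    """First matching rule wins. With spi=True an allowed outbound packet
    creates a connection entry, and every later packet of that connection,
    in either direction, passes on state alone (simplified model)."""

    def __init__(self, rules, spi: bool):
        self.rules = list(rules)
        self.spi = spi
        self.conns = set()  # (proto, local_port, remote_ip, remote_port)

    def process(self, p: Packet) -> str:
        key = (p.proto, p.local_port, p.remote_ip, p.remote_port)
        if self.spi and key in self.conns:
            return "allow:state"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and self.spi and p.direction == "out":
                    self.conns.add(key)
                return f"{r.action}:rule"
        # Nothing matched: inbound with no state is unsolicited.
        return "drop:unsolicited" if p.direction == "in" else "drop:no-rule"

    def run(self, packets):
        return [self.process(p) for p in packets]


def http_handshake(remote="203.0.113.10", lport=51000):
    """Constructed three-way handshake and first data segment to port 80."""
    return [Packet("out", "tcp", lport, remote, 80, SYN),
            Packet("in", "tcp", lport, remote, 80, SYN | ACK),
            Packet("out", "tcp", lport, remote, 80, ACK),
            Packet("out", "tcp", lport, remote, 80, PSH | ACK)]


def netbios_exchange(remote="198.51.100.7"):
    """Constructed NetBIOS name query from local UDP 137 and its reply."""
    return [Packet("out", "udp", 137, remote, 137),
            Packet("in", "udp", 137, remote, 137)]


WAN_START = Rule("out", "allow")   # allow-all outbound, like the base rule set
PORT_BLOCK = Rule("out", "block", local_ports=frozenset({137, 138, 139, 445}))


def syn_only_without_state():
    """Only the SYN is allowed; the SYN/ACK, ACK and data are all dropped."""
    f = PacketFilter([Rule("out", "allow", "tcp", syn_only=True)], spi=False)
    return f.run(http_handshake())


def wan_start_only():
    """Allow-all outbound plus SPI: HTTP and the NetBIOS reply both pass."""
    return PacketFilter([WAN_START], spi=True).run(http_handshake() + netbios_exchange())


def wan_start_with_port_block():
    """Block before allow: HTTP still passes on state, the NetBIOS query is
    blocked outbound, so its 'reply' has no state and is unsolicited."""
    return PacketFilter([PORT_BLOCK, WAN_START], spi=True).run(http_handshake() + netbios_exchange())


def misordered_port_block():
    """Same rules the wrong way round: the broad allow matches first and the
    block rule never fires, so the NetBIOS reply comes back in on state."""
    return PacketFilter([WAN_START, PORT_BLOCK], spi=True).run(netbios_exchange())
```

The last function is the check worth running after adding any block rule to an allow-all set: with first-match semantics the block has to sit above the broad allow, otherwise it is dead.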
     
  5. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Stem, thanks for that port block rule, I'll use that..

    On post no. 101, my rules for Windows File Sharing are only for SYN but I don't have any connection problems. Is it okay to leave it that way, or should I just allow any type of TCP packets for WFS?
     
  6. Stem

    Stem Firewall Expert

    Hi glentium,
    What other rules have you in place? If you are using the wan_start, then any outbound for filesharing will be allowed.
     
  7. glentrino2duo

    glentrino2duo Registered Member

    Yes, i'm using the wan_start plus I allow Broadcast and DNS..
     
  8. fred22

    fred22 Registered Member

    Yo guys, a bit of a late reply; anyway, thanks for posting the port block rule :)

    Tightening up the wan-start rules would be awesome, the only problem is I don't know where to start editing rules.. lol.. I know ;)

    PS: Stem, can I PM you my ISP info etc. and please give me an example of edited wan-start rules

    Thanks for all the help anyway!!
     
  9. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    Hi Stem

    I am using CHX-I 3.0 now. I set two rules as follows and I am not sure if they overlap.
    Is it useful to add your Port Block rule mentioned in your post 104?
     

    Attached files: f5.JPG, f6.JPG
  10. Stem

    Stem Firewall Expert

    You can of course tighten up the rules. But you do need to realise, as I have mentioned to you, that you would also need to set rules to allow the Xbox.

    I personally make outbound filtering. An example is for the DNS lookups, which I bind to my DNS servers. This is not a problem for me, as my DNS servers do not change their IP (well, not for the 2 1/2 years I have been with this ISP).

    I place my DNS server IPs into an IP list "DNS servers" and then create a rule:-

    (attachment: DNS.JPG)

    OK, placing such a rule is good practice, but with CHX this will then block all other outbound. So then further rules, for HTTP, mail etc., need to be made (for you, you would also need all the rules for your Xbox).
    You can follow this path, this is up to you.
     
  11. Stem

    Stem Firewall Expert

    Hello,
    It may appear as an overlap, but the rule to allow the inbound will not restrict what outbound local ports are used; it will only restrict what local ports would be allowed a reply. With the outbound rule in place, you do not need to add a port block rule, as from the rule in place for the local ports allowed, all others will be blocked (unless you have allow rules in place to allow other local ports).
    So you can leave them as they are.
     
  12. woobook

    woobook Registered Member

    Thank You Very Much!
     
  13. woobook

    woobook Registered Member

    Hi Stem
    I already have the two rules mentioned above, so why does my PC still connect outbound to remote port 3170 when I update BoClean or Dr.Web?

    (attachment: trimmed.JPG)
     
    Last edited by a moderator: Mar 23, 2007
  14. Stem

    Stem Firewall Expert

    Hello woobook,

    It looks like the updates are via FTP. Have you got the "Allow active/passive FTP" selected in the SPI?
     
  15. woobook

    woobook Registered Member

    Yes, I have selected Allow active/passive FTP.
    I am using Kerio 2.1.5 with CHX-I 3.0. I have a rule "Block All Outbound" in Kerio,
    and I have a rule to allow the BoClean update. At the beginning I didn't have a rule to allow the Dr.Web CureIt update. So when I downloaded the update file from Dr.Web, Kerio blocked it because the remote ports didn't match the rule. I could download the update file after I set two rules in Kerio to allow the Dr.Web update.
    I think when I update, my PC surely connects to remote ports like 3170, 64567, 64001... not only port 21.
    So I don't know why CHX-I lets it pass.
     

    Attached Files:

  16. Stem

    Stem Firewall Expert

    It is because you have selected "Allow passive FTP" in the SPI. With this option enabled, it will allow all the other ports required for the transfer via FTP. If you disable this option, then those ports would be blocked.

    Basically:
    Passive FTP will first make a connection to the FTP server on remote port 21, but then connections to remote ports 1024-65535 will be made/used.

    When you enable the "Allow passive FTP" in CHX it will allow these ports to be used after a connection to remote port 21 is made, without the need to place such an open rule.
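How an FTP-aware SPI option like the one described above can learn the data port from the control channel, as an added Python example (not CHX-I code; the constructed control-channel replies, the server address 203.0.113.10 and the filter class are invented for this illustration). It goes a little beyond the post: it also parses the RFC 2428 EPSV reply, and it refuses to open a pinhole when the 227 reply names an address other than the server the control connection is talking to, a check any such helper should make so that a spoofed or malicious reply cannot be used to punch a hole towards an arbitrary host.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"  -> data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "229 Entering Extended Passive Mode (|||port|)"  (RFC 2428 EPSV, same host as control)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str, server_ip: str):
    """Return (ip, port) announced by a 227 or 229 reply, else None."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return server_ip, int(m.group(1))
    return None


class FtpAwareFilter:
    """Outbound policy of the model: TCP 21 is allowed; any other remote port
    is allowed only if the FTP helper registered it as an expected data
    connection after seeing the server's passive-mode reply."""

    def __init__(self, helper_enabled: bool):
        self.helper_enabled = helper_enabled
        self.expected = set()   # (remote_ip, remote_port) pinholes
        self.rejected = []      # announced endpoints the helper refused

    def inspect_control_reply(self, server_ip: str, line: str):
        if not self.helper_enabled:
            return None
        endpoint = parse_passive_reply(line, server_ip)
        if endpoint is None:
            return None
        ip, port = endpoint
        # Only trust an announcement for the peer we are actually talking to,
        # and only in the high port range the passive transfer uses.
        if ip != server_ip or not 1024 <= port <= 65535:
            self.rejected.append(endpoint)
            return None
        self.expected.add(endpoint)
        return endpoint

    def outbound_connect(self, remote_ip: str, remote_port: int) -> str:
        if remote_port == 21:
            return "allow:ftp-control"
        if (remote_ip, remote_port) in self.expected:
            self.expected.discard((remote_ip, remote_port))  # one transfer per PASV
            return "allow:ftp-data"
        return "drop:no-rule"


SERVER = "203.0.113.10"
# Constructed control-channel replies for an update download (server side).
CONTROL_REPLIES = [
    "220 update server ready",
    "230 Login successful.",
    "227 Entering Passive Mode (203,0,113,10,195,167).",
    "150 Opening BINARY mode data connection for update.zip.",
]


def run_download(helper_enabled: bool):
    """Control connect, then the data connect to the announced port, twice."""
    f = FtpAwareFilter(helper_enabled)
    for line in CONTROL_REPLIES:
        f.inspect_control_reply(SERVER, line)
    data_port = 195 * 256 + 167   # 50087, from the 227 reply above
    return [f.outbound_connect(SERVER, 21),
            f.outbound_connect(SERVER, data_port),
            f.outbound_connect(SERVER, data_port)]   # needs a fresh PASV


def rogue_pasv():
    """A 227 reply naming a different host must not open a pinhole to it."""
    f = FtpAwareFilter(True)
    seen = f.inspect_control_reply(SERVER, "227 Entering Passive Mode (198,51,100,7,4,1).")
    return seen, f.outbound_connect("198.51.100.7", 4 * 256 + 1), f.rejected
```

With the helper enabled the connect to 50087 is allowed once, which is the behaviour woobook saw without any rule for that port; with it disabled the same connect is dropped, and a broad 1024-65535 allow would be needed instead.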
     
  17. woobook

    woobook Registered Member

    Ah! It's much clearer now. Thank you very much.
     
  18. fred22

    fred22 Registered Member

    Hey stem,

    Thanks very much for all the help; I give up though, it's too difficult for me...
     
  19. glentrino2duo

    glentrino2duo Registered Member

    @Stem: I see quite a number of entries in my CHX log about incoming Eth Type 0x24, 0x50, and other hex values with a destination MAC of FF FF FF FF FF FF, with reason "Does not match allow policy". What are those packets? I don't see any effect on my network with those packets being blocked, I'm just curious what those are... :)
     
  20. Stem

    Stem Firewall Expert

    @glentium,
    They are broadcasts, most would call them background noise.

    A list of ethernet type codes can be found here
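Decoding entries like those, as an added Python example (not from the thread or from CHX-I; the sample frames and MAC addresses are constructed here). One detail worth knowing when reading such logs: the 16-bit field after the two MAC addresses is an EtherType only when its value is 0x0600 or higher. Smaller values such as 0x24 or 0x50 are IEEE 802.3 length fields (36 and 80 bytes of payload), an 802.2 LLC header follows, and the protocol is identified by the LLC SAP bytes rather than by the "type" value the log prints.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
# EtherTypes this example names (IEEE assignments); others are shown as hex.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q tag"}
# 802.2 LLC SAPs commonly seen in length-framed (802.3) broadcasts.
LLC_SAPS = {0x42: "STP (bridge)", 0xAA: "SNAP", 0xF0: "NetBIOS/NetBEUI"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def decode_frame(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header the way a firewall log shows it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst": mac(dst), "src": mac(src),
        "broadcast": dst == BROADCAST,
        "multicast": bool(dst[0] & 0x01) and dst != BROADCAST,  # group bit set
    }
    if type_or_len >= 0x0600:
        # Ethernet II framing: the field is an EtherType.
        info["kind"] = "Ethernet II"
        info["ethertype"] = type_or_len
        info["proto"] = ETHERTYPES.get(type_or_len, f"EtherType 0x{type_or_len:04X}")
    else:
        # IEEE 802.3 framing: the field is the payload length (<= 1500) and
        # an 802.2 LLC header (DSAP, SSAP, control) follows it.
        info["kind"] = "802.3/LLC"
        info["length"] = type_or_len
        info["proto"] = "LLC (truncated)"
        if len(frame) >= 17:
            dsap, ssap = frame[14], frame[15]
            info["llc"] = (dsap, ssap)
            info["proto"] = LLC_SAPS.get(dsap & 0xFE, f"LLC SAP 0x{dsap:02X}")
    return info


def build(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", type_or_len) + payload


HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("66778899aabb")
STP_MULTICAST = bytes.fromhex("0180c2000000")

# Constructed sample frames; only the headers matter, payloads are filler.
SAMPLE_FRAMES = [
    build(BROADCAST, HOST_A, 0x0806, bytes(28)),                        # ARP request
    build(HOST_B, HOST_A, 0x0800, bytes(46)),                           # IPv4 unicast
    build(BROADCAST, HOST_B, 0x0024, b"\xf0\xf0\x03" + bytes(33)),      # 802.3, len 36, NetBIOS SAP
    build(BROADCAST, HOST_A, 0x0050, b"\xf0\xf0\x03" + bytes(77)),      # 802.3, len 80, NetBIOS SAP
    build(STP_MULTICAST, HOST_B, 0x0026, b"\x42\x42\x03" + bytes(35)),  # 802.3, len 38, STP BPDU
]


def scope(d: dict) -> str:
    return "broadcast" if d["broadcast"] else "multicast" if d["multicast"] else "unicast"


def summarize(frames) -> Counter:
    """Tally frames by (scope, framing, protocol) for quick log triage."""
    return Counter((scope(d), d["kind"], d["proto"]) for d in map(decode_frame, frames))
```

Running summarize over a capture from the LAN segment gives the same breakdown the firewall log shows, but with the length-framed entries resolved to the LLC protocol that is actually chattering.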
     
  21. glentrino2duo

    glentrino2duo Registered Member

    Thanks Stem, LAN can sure get very noisy! :)
     
  22. Stem

    Stem Firewall Expert

    If you are on a private / home LAN then the broadcasts should be at a minimum, as the router should be blocking/filtering any broadcasts from the Internet.

    Could you please post (or PM) log examples (I am curious)
     
  23. glentrino2duo

    glentrino2duo Registered Member

    chxlog link PMed... :)
     