CHX-I v.3 rules...Stem.

Discussion in 'other firewalls' started by incursari, Apr 10, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @incursari,

    First, a tidy up.
    Open CHX, and go to the IP lists, right click -> New -> New IP list. In the popup, name this "DNS servers", then enter your 3 DNS server IPs (make sure you press "enter/return" after each entry, so that only 1 IP is on a line). OK this when done.
    Repeat this for the "Spoofed IP" address ranges.

    IP_list.gif

    You then need to create the DNS rule (you can edit one of the rules you already have in place)

    DNS_rule.gif

    Repeat this for the "Spoofed IP" list.

    When done, remove all un-needed DNS/spoofed IP rules.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Now, looking down your list of rules,

    2 rules to allow Ident: If you require this rule, then remove one; if you do not require this rule, remove both.
    In, deny TCP local ports 0-1023, 5000-65535: Un-needed due to (SPI) the outbound filtering that will be in place. Remove this rule.
    Inbound ARP: We will come back to this rule.
    Allow In, UDP&TCP_no_SYN: Un-needed, remove.
    In allow DHCP: Un-needed in your setup (fixed IP), remove.
    ICMP: We will come back to ICMP later, as we will need to see what is required.
    In Allow logging from router: OK if this is wanted, but on a setup such as yours, where the hardware/IP will be static, and with a force allow rule, you should place the source (router) MAC address in the rule.
    Allow Netbios (on LAN): OK
    Deny Landattack: OK
    Deny netbios from internet: Not needed (due to SPI), remove.
    Deny port 135: Not needed (due to SPI), remove.
    Deny Trojan ports: If you believe this is required, then OK
    Outgoing ARP: We will come back to this rule.
    Out UDP&TCP_NO_SYN: Remove this rule.
    Out: boot: Un-needed in your setup (this is DHCP, not needed due to fixed IP)
    Out Deny netbios to internet: Un-needed, remove
    Out Deny other DNS: Un-needed, remove
    Out email POP3 / Out email SMTP: OK, but you could add the IPs of these servers
    Out FTP: OK
    ICMP rules: As mentioned, we will go through these later
    Out IRC: OK
    Out Web Browsers: OK
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @incursari,

    When done, move all rules (apart from the ARP rules) onto your NIC IP address. (you can just select and drag the rules over)

    I am just going to set up with your ruleset, to check on the inbound netbios rules (what effect they have on inbound filtering), as I don't normally have such rules in place.

    Update:

    OK, no problem with the netbios rules (I did not expect a problem, but wanted to confirm)

    So, if you have now moved the rules, you should only have 2 rules on the NIC (the rest on the IP), which are the ARP rules. You only need 1 of these. Myself, I have one ARP rule, set as: Allow out ARP (I have bound this to my other hardware using a MAC list).

    Now, ICMP.
    You only need to filter in one direction. I personally filter on outbound; as I require most ICMP on my LAN (most is due to testing), I simply place a rule to allow all outbound ICMP, but of course, you can filter as required. (You do not need to place a rule to block other ICMP types, as when an allow rule is in place, all others will be blocked.)

    You can also add a rule (onto IP address) to "Block inbound TCP SYN".
     
    Last edited: Apr 13, 2007
  4. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    Done.

    For "Out: *** Outgoing ARP", I need to add FF-FF-FF-FF-FF-FF to my MAC list; if not, I can't access the internet. See log below.

    Done. Check the rest of the screen shot.
     


    Last edited: Apr 13, 2007
  5. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    If I removed this I can’t access the internet. Check the log.
     


  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You are having problems because you are still filtering in both directions (which, as I have mentioned, causes problems).

    As I have mentioned, for example, for the DNS rule you only need to have a rule to allow the outbound; the UDP SPI will allow the returned packets.

    You still have in place rules to allow inbound ICMP. These rules will block all other inbound ICMP/UDP/TCP that do not have a specific rule to allow them, and this is why packets (such as "ACK SYN") are blocked.

    The ARP outbound to FF:FF:FF:FF:FF:FF is a needed broadcast (I automatically add this myself, and forgot to mention it).

    Packets to 192.168.1.255 are LAN broadcasts and should be allowed if you have set the LAN rules up correctly. As an example, for the force allow inbound netbios from LAN, this would be: "force allow inbound source 192.168.1.0/255.255.255.0 dest your IP/255.255.255.0".

    Edit:
    Just looking at your latest posts again. You should only have 2 inbound allow rules in place:

    Force allow for netbios
    Force allow for router log
     
    Last edited: Apr 13, 2007
  7. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    Stem, I already changed the rule sets according to what you posted. So far so good; only the rule for the router log remains.
     


  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What is the full rule for the "Allow logging from router"?

    As the router is a fixed IP, the rule should look like (to also allow the inbound broadcast):
    Force allow inbound UDP~ source 192.168.1.1/255.255.255.255 dest your IP/255.255.255.0 local port 162


    Edit,
    Don't forget to add a rule to "Block inbound TCP SYN".
     
    Last edited: Apr 14, 2007
  9. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    Updated. Stem, check the two rules that I highlighted. I took a clearer screenshot now.
     


  10. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    Alright, already added it. Still monitoring now.
     
  11. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    Hello Stem and Alphalutra1, thank you to both of you for your help. After cleaning up my rule sets, it is now working very smoothly and works as intended.
    Thank you again. :thumb:
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @incursari,
    Good to hear all is working correctly.
     
  13. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Also happy it works well. Sorry I haven't helped any more, but I have been away for a couple of days.

    Cheers,

    Alphalutra1
     
  14. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    I have deleted the rules F1a, F1b and F4, and changed rule F ARP "Allow Incoming ARP" to "Allow Outgoing ARP". It is running well and I have not found any difference from the original rule setting.

    I tested it in Shields UP! and PC Flank. It passed every test. (I didn't take the leaktest.)
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @woobook,

    Have you enabled all SPI (in the NIC properties)?
    (When the SPI is enabled, replies to the outbound will be allowed.)

    If SPI is enabled:-
    It does look like you need to change/remove some rules.

    First, Remove the first 2 "Deny all" rules. These are not needed.
    Then remove rules: F3, F7 and F8b

    Then add a rule to block inbound TCP SYN.
     
  16. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    I have enabled all SPI. I added two "Deny All" rules as in the following picture. I don't know if choosing "any" in Eth.Type has more power than choosing "IP" only. Maybe I only need to set the rule for "IP" in Eth.Type because I use Dial-up.

    Do you remember this post 111:
    https://www.wilderssecurity.com/showthread.php?t=165576&page=5
    "It may appear as an overlap, but the rule to allow the inbound will not restrict what outbound local ports are used, it will only restrict what local ports would be allowed a reply. With the outbound rule in place, You do not need to add a port block rule, as from the rule in place for the local ports allowed, all others will be blocked, (unless you have allow rules in place to allow other local ports).
    So you can leave them as they are."

    So I keep the two-direction rules.
    If I remove the first 2 "Deny all" rules and the rules F3, F7 and F8b, how do I add the rule to block inbound TCP SYN? I tried it as in the following picture.

    Thank you, Stem.
     

    Attached Files: 1.JPG, 2.JPG, 4.JPG
  17. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    My F7 rule.
     

    Attached Files: 3.JPG
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @woobook,

    Your inbound rules are "force allow", and you should remove them.
     
  19. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    Yes, Stem. This is what I worry about. Allow (Deny All Except) gives a safer feeling than "force allow".
    But when I set the above rule, I thought "Deny All + Force allow" was equal to Allow (Deny All Except), and "deny all" should have more power because it can deny more when I choose "any" in Eth. Type.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @woobook,

    Having inbound "force allow" rules will allow unsolicited inbound.
     
  21. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    I worry that it doesn't block unsolicited inbound when I choose "force allow". I had checked the log. For example, the rule "force allow" inbound:

    Direction: Incoming
    Protocol: TCP
    Packets' Source: Any
    Source Port: 80, 443
    Packets' destination: Any
    Destination port: 1024-4999

    In the log I can still find some records:
    Packets' Source: XXXX
    Source Port: 80
    Packets' destination: My IP
    Destination port: XXXX( in 1024-4999)
    Reason: Out of Connection

    I am not sure if it means that it blocked unsolicited inbound.
    I am using Panda Titanium 2007. Without CHX, Panda would block a lot of unsolicited inbound. After I started using CHX, CHX blocks everything, so there isn't any blocking record in the Panda logs. But today in my Panda log I found one connection attempt. Maybe it is due to "force allow", which allows unsolicited inbound.
     
  22. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    I get it. After removing "Deny All" and changing "force allow" to "Allow (deny all except)", in the log I found that CHX begins blocking unsolicited connections.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @woobook,

    You will find the same results if you remove the inbound "Allow (deny all except)" rules. Adding a block inbound TCP SYN rule gives better logging (for scans/inbound connection attempts), and does ensure no inbound connections are allowed.

    Block inbound "TCP SYN" rule:-

    Block TCP SYN.JPG
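    As an added illustration (not code from this thread and not CHX-I's own engine), the following Python model captures the rule semantics Stem describes across posts 6, 20 and 23: an outbound "allow" rule opens SPI state that admits the returned packets, an inbound "force allow" rule bypasses that state check and so lets unsolicited traffic in, a plain inbound "allow (deny all except)" rule adds nothing that SPI does not already do, and a "block inbound TCP SYN" rule catches connection attempts with its own log reason. The IP addresses, rule names and log reason strings are constructed to mirror the thread; the first-match evaluation order and the reason strings are assumptions, not documented CHX-I behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addresses for the walk-through (documentation ranges, not real hosts).
ME = "192.168.1.10"          # the protected PC, fixed LAN IP as in the thread
ROUTER = "192.168.1.1"       # router sending its log to UDP port 162 (post 8)
DNS = "203.0.113.53"         # hypothetical ISP DNS server
REMOTE = "198.51.100.7"      # hypothetical internet host / scanner


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the PC
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN without ACK: a new connection attempt


@dataclass
class Rule:
    name: str
    action: str             # "force_allow", "allow" (deny all except) or "block"
    direction: str
    proto: str
    src_net: str = "0.0.0.0/0"
    sports: range = range(0, 65536)
    dports: range = range(0, 65536)
    syn_only: bool = False  # True for the "Block inbound TCP SYN" rule

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and p.sport in self.sports and p.dport in self.dports
                and (p.syn or not self.syn_only))


class Filter:
    """Assumed model of a CHX-style filter: first matching rule wins, and SPI admits
    inbound packets that answer an outbound packet the filter already let through."""

    def __init__(self, rules: List[Rule], spi: bool = True):
        self.rules, self.spi = rules, spi
        self.flows = set()      # 5-tuples of allowed outbound traffic (the SPI state table)
        self.log: List[Tuple[Packet, bool, str]] = []

    def process(self, p: Packet) -> Tuple[bool, str]:
        allowed, reason = self._decide(p)
        if allowed and p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        self.log.append((p, allowed, reason))
        return allowed, reason

    def _is_reply(self, p: Packet) -> bool:
        return self.spi and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

    def _decide(self, p: Packet) -> Tuple[bool, str]:
        rule = next((r for r in self.rules if r.matches(p)), None)
        if rule is not None and rule.action == "block":
            return False, rule.name
        if rule is not None and rule.action == "force_allow":
            return True, rule.name          # no state check: unsolicited traffic passes too
        if p.direction == "in" and self._is_reply(p):
            return True, "SPI: reply to outbound flow"
        no_state = "Out of Connection" if p.proto == "tcp" else "Unsolicited UDP"
        if rule is not None:                # plain allow: outbound opens state, inbound still needs it
            return (True, rule.name) if p.direction == "out" else (False, no_state)
        if any(r.action == "allow" and r.direction == p.direction for r in self.rules):
            return False, "Does not match allow policy"
        return False, no_state


def recommended_rules() -> List[Rule]:
    """Outbound-only filtering plus the inbound rules Stem keeps (web rule covers port 80 only)."""
    return [
        Rule("Allow out DNS", "allow", "out", "udp", dports=range(53, 54)),
        Rule("Allow out Web Browsers", "allow", "out", "tcp", dports=range(80, 81)),
        Rule("Force allow router log", "force_allow", "in", "udp",
             src_net=ROUTER + "/32", dports=range(162, 163)),
        Rule("Block inbound TCP SYN", "block", "in", "tcp", syn_only=True),
    ]


# woobook's inbound rule from post 21 in both of its forms: replies from port 80 to 1024-4999
FORCE_ALLOW_WEB_REPLIES = Rule("Force allow in TCP from port 80", "force_allow", "in", "tcp",
                               sports=range(80, 81), dports=range(1024, 5000))
ALLOW_WEB_REPLIES = Rule("Allow in TCP from port 80", "allow", "in", "tcp",
                         sports=range(80, 81), dports=range(1024, 5000))


def walkthrough() -> List[Tuple[bool, str]]:
    f = Filter(recommended_rules())
    results = [
        f.process(Packet("out", "udp", ME, 40000, DNS, 53)),              # opens SPI state
        f.process(Packet("in", "udp", DNS, 53, ME, 40000)),               # the reply: admitted by SPI
        f.process(Packet("in", "udp", REMOTE, 53, ME, 40000)),            # same ports, wrong peer
        f.process(Packet("in", "tcp", REMOTE, 12345, ME, 135, syn=True)), # connection attempt
        f.process(Packet("in", "tcp", REMOTE, 80, ME, 3001)),             # stray ACK, no flow
        f.process(Packet("in", "udp", ROUTER, 1025, ME, 162)),            # router log, force allowed
    ]
    g = Filter(recommended_rules() + [FORCE_ALLOW_WEB_REPLIES])
    results.append(g.process(Packet("in", "tcp", REMOTE, 80, ME, 3001)))  # unsolicited, yet allowed
    h = Filter(recommended_rules() + [ALLOW_WEB_REPLIES])
    results.append(h.process(Packet("in", "tcp", REMOTE, 80, ME, 3001)))  # plain allow still needs state
    for p, ok, why in f.log + g.log + h.log:
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{'ALLOW' if ok else 'BLOCK'} ({why})")
    return results


if __name__ == "__main__":
    walkthrough()
```

    Run as a script, it prints one line per packet with the verdict and reason. The last two entries are the point of the exercise: the same unsolicited packet is admitted under the "force allow" rule and blocked as "Out of Connection" under the "allow" rule, which is exactly the difference woobook saw in the logs; and with no inbound "allow" rules at all, non-matching packets are logged as "Unsolicited UDP" / "Out of Connection" rather than "Does not match allow policy".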
     
  24. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    It is the same result when I remove all "allow inbound" rules. The difference is in the log. Under "allow inbound" rules, it logs "Does not match allow policy" when it blocks unsolicited inbound. After I remove all "allow inbound" rules, it logs "Unsolicited UDP" or "Out of connection".
    I tested in Shields UP! and PC Flank; it blocks everything.
    It is a clear rule.

    Thanks for your help.
     

    Attached Files: 10.JPG