I have read lots of positive comments on CHX-I and lots of users on this forum. However, I have no clue how to set it up. Any tips would be appreciated.
This setup will work perfectly assuming you have the 2.8.2 version (NOT the BETA) and are directly connected to the internet with no router. Also, I assume you have already downloaded the program.

1) Download the sample filter set from Here
2) Extract the files
3) Open up the CHX-I Management Console, which should be located on your desktop
4) Right click on your Network Interface Card (it's a green box-like looking thing located on the left under Packet filters)
5) Click "Properties"
6) For a bare minimum, put checks in "Enable TCP Stateful Inspection", "Enable TCP Stateful Logging", "Enable UDP Stateful Inspection", "Enable UDP Stateful Logging", "Enable ICMP Stateful Inspection", and "Enable ICMP Stateful Logging". If you want, also put a check in "Deny all incoming fragmented packets" and "Deny TCP Packets containing CWR, ECE Flags".
7) Click "Okay"
8) Right click your Network Interface Card again.
9) Click "Import filters from file"
10) Locate the folder that you extracted previously, and select "workstation.sfd"
11) You are done

If you need any help with a special situation your computer is in (like filesharing, p2p, behind router, want to be able to be pinged, etc.), don't hesitate to ask. Also, since CHX-I is not an app firewall, it won't filter apps that access the internet. However, you can control ports, IP addresses, etc., so if you want to restrict outbound, just ask and I will help you there as well. Cheers, Alphalutra1
That is exactly the help I needed. Thanks a ton. The only special circumstance I have is that my computer is behind a router.
Tell me if anything in your log is constantly coming up and then we can see if you are blocking part of the router's function, or something that is just being correctly filtered by CHX-I. Alphalutra1
Okay, CHX-I is blocking RIP (Routing Information Protocol), which is used via port 520. This rule should fix it:

1) Right click where all of your rules are located
2) Click new filter
3) Name it "Allow RIP"
4) Make the filter action type "Force Allow"
5) Priority = 1
6) Packet's direction: "Incoming"
7) Protocol = "UDP"
8) Packet's source IP: 192.168.0.1 Mask: 255.255.255.255
9) Packet's source port: 520
10) Packet's destination IP: 192.168.0.255 Mask: 255.255.255.255
11) Click "Okay"
No problem. I suggest reading the user manual if you want to truly be able to harness the power of CHX-I and fully understand and comprehend it. I am still learning myself. If you need any more help, don't hesitate to ask. By the way, there is a CHX-I forum located Here if you want to look into it further. Glad I could help, Alphalutra1
Thank you for the compliment. However, I owe it all to people like you, Arup, and Stephan who have helped me work my head around this firewall. Alphalutra1
Alphalutra1 has been a great help. Here's what's showing up in the log since I implemented the rule he suggested. Any thoughts or suggestions would be appreciated.
CHX-I is now currently blocking the router broadcast (my router does the same thing). Also, DHCP is being blocked. Here are the rules:

1) Right click where all of your rules are located
2) Click new filter
3) Name it "Allow Router Broadcast"
4) Make the filter action type "Force Allow"
5) Priority = 1
6) Packet's direction: "Incoming"
7) Protocol = "UDP"
8) Packet's source IP: Any
9) Packet's source port: Quick list. Then enter: "137,138"
10) Packet's destination IP: 192.168.0.255 Mask: 255.255.255.255
11) Packet's destination port: Quick list. Then enter: "137,138"
12) Click "Okay"

Now to deal with the DHCP:

1) Right click where all of your rules are located
2) Click new filter
3) Name it "Allow DHCP"
4) Make the filter action type "Force Allow"
5) Priority = 1
6) Packet's direction: "Incoming"
7) Protocol = "UDP"
8) Packet's source IP: Any
9) Packet's source port: Quick list. Then enter: "67,68"
10) Packet's destination IP: 255.255.255.255 Mask: 255.255.255.255
11) Packet's destination port: Quick list. Then enter: "67,68"
12) Click "Okay"

I also forgot to add one more thing to the rule I told you to make entitled "Allow RIP".

1) Right click "Allow RIP" and select "Properties"
2) Packet's destination port: change from "Any" to "Equal to:" and enter 520.
3) Click "Apply"
4) Click "Okay"

This should help with those log entries. Ask if anything else keeps on occurring. Alphalutra1
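The three Force Allow rules in this thread (RIP, router/NetBIOS broadcast, DHCP) are easier to sanity-check if you can replay log entries against them and see which blocked packets they would now cover and which stay blocked. The script below is an added example, not code from the thread or from CHX-I: the log line format, the sample entries, the "lower priority number is evaluated first" ordering and the first-match model are all assumptions made for illustration. Only the rule fields (direction, protocol, source/destination IP with mask, ports, and the router at 192.168.0.1) come from the posts above.

```python
"""Replay constructed CHX-I-style log entries against the three Force Allow
rules from this thread to see which blocked packets they would cover.

Added example; the log line format, the sample entries and the first-match
rule model are assumptions, not CHX-I's real log format or engine."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    priority: int              # assumption: lower number is evaluated first
    direction: str             # "Incoming"
    protocol: str              # "UDP"
    src_ip: Optional[str] = None          # None = "Any"
    src_mask: str = "255.255.255.255"
    src_ports: Optional[Set[int]] = None  # None = "Any"
    dst_ip: Optional[str] = None
    dst_mask: str = "255.255.255.255"
    dst_ports: Optional[Set[int]] = None
    action: str = "Force Allow"

    @staticmethod
    def _ip_ok(rule_ip: Optional[str], mask: str, pkt_ip: str) -> bool:
        # A rule IP plus its mask behaves like a network; "Any" matches everything.
        if rule_ip is None:
            return True
        net = ipaddress.ip_network(f"{rule_ip}/{mask}", strict=False)
        return ipaddress.ip_address(pkt_ip) in net

    def matches(self, pkt: Dict[str, object]) -> bool:
        return (
            pkt["direction"] == self.direction
            and pkt["protocol"] == self.protocol
            and self._ip_ok(self.src_ip, self.src_mask, pkt["src_ip"])
            and self._ip_ok(self.dst_ip, self.dst_mask, pkt["dst_ip"])
            and (self.src_ports is None or pkt["src_port"] in self.src_ports)
            and (self.dst_ports is None or pkt["dst_port"] in self.dst_ports)
        )


# The three rules as the thread specifies them (router at 192.168.0.1),
# including the later amendment that "Allow RIP" also needs destination port 520.
RULES: List[Rule] = [
    Rule("Allow RIP", 1, "Incoming", "UDP",
         src_ip="192.168.0.1", src_ports={520},
         dst_ip="192.168.0.255", dst_ports={520}),
    Rule("Allow Router Broadcast", 1, "Incoming", "UDP",
         src_ports={137, 138}, dst_ip="192.168.0.255", dst_ports={137, 138}),
    Rule("Allow DHCP", 1, "Incoming", "UDP",
         src_ports={67, 68}, dst_ip="255.255.255.255", dst_ports={67, 68}),
]


def parse_log_line(line: str) -> Dict[str, object]:
    """Parse one line of the constructed format:
    BLOCKED dir=<Incoming|Outgoing> proto=<UDP|TCP> src=<ip>:<port> dst=<ip>:<port>"""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return {
        "direction": fields["dir"], "protocol": fields["proto"],
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
    }


def first_match(pkt: Dict[str, object], rules: List[Rule]) -> Optional[str]:
    """Name of the first rule (by priority) that would Force Allow the packet, else None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.name
    return None


def triage(log_lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, Optional[str]]]:
    """Pair each blocked log entry with the rule that would now allow it (None = still blocked)."""
    return [(line, first_match(parse_log_line(line), rules)) for line in log_lines]


# Constructed sample entries, not taken from anyone's real CHX-I log.
SAMPLE_LOG = [
    "BLOCKED dir=Incoming proto=UDP src=192.168.0.1:520 dst=192.168.0.255:520",
    "BLOCKED dir=Incoming proto=UDP src=192.168.0.1:67 dst=255.255.255.255:68",
    "BLOCKED dir=Incoming proto=UDP src=192.168.0.5:138 dst=192.168.0.255:138",
    "BLOCKED dir=Incoming proto=UDP src=10.0.0.9:520 dst=192.168.0.255:520",
    "BLOCKED dir=Incoming proto=TCP src=192.168.0.7:445 dst=192.168.0.2:445",
]

if __name__ == "__main__":
    for line, rule in triage(SAMPLE_LOG):
        print(f"{rule or 'still blocked':<24} <- {line}")
```

The fourth sample shows why the RIP rule pins the source to the router's own address with a /32 mask: a RIP announcement from any other host stays blocked, which is the behaviour you want on a home LAN. The fifth (TCP 445) stays blocked too, matching the thread's point that these rules only make the machine visible on the network and do not open file sharing.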
Alphalutra1, on the last first rule suggested, he should add a rule for 137-139 and 445 if he wants to share files or printers (NetBIOS)... About the second, the sample rules should already have it... At least, the sample rules for the beta version have it...
I wasn't posting a rule for filesharing, I was just posting one so that his network is able to see he is on it without using filesharing. The sample set for pre-beta does not include the DHCP rule. If he wants filesharing, then yes, your rules would be better. However, I don't want filesharing on my network, so I assumed, since he never has stated that he wants it, that I would not go ahead and make the rules for him. However, that is excellent advice if the original poster (mannagills) wants to have filesharing. Cheers, Alphalutra1
I didn't know that I should add a rule for "Allow Router Broadcast". Like I said, I will learn things from you... In my case, CHX is blocking it too, so I will add it... I will try to make a global rule for it... About the sample rules for the beta version, provided by Stefan, my samples have the Allow DHCP, and I think that you don't have those rules, because they aren't on the site... If you want them...
I do have the new filtersets, I got them from you over at SSC. I think I may start playing around with payload filtering and streams and such, it might be fun. Cheers, Alphalutra1
So, you have the Allow DHCP rule on it. This is the rule that I added for "Allow Router Broadcast": http://img470.imageshack.us/img470/730/chxruleallowrouterbroadcast4cx.png http://img519.imageshack.us/img519/1794/chxlistinternalips4hc.png
Pretty clever, I wonder if we can coax Stefan into making it part of his default ruleset. I definitely will save that picture and make myself a filter for sharing with others. Thanks, Alphalutra1
I don't share files or printers on my network, so the rules that Alphalutra1 provided worked fine. I appreciate the help and the follow-up immensely.