Can CHX-I do better than LNS for me?

Discussion in 'other firewalls' started by charincol, Dec 14, 2005.

Thread Status:
Not open for further replies.
  1. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    This is a question mostly for Arup, Kerodo, and Jazzie (maybe even Phant0m since I'm using his rules) since you three seem to know the most about CHX-I.

    Right now my "hardware" firewall/router is an older box that has a FreeBSD firewall installed on it called pfSense which can be found at http://www.pfsense.com. I use it mainly because of its excellent traffic shaping for VoIP. I have my computer, one for the kids, and my VoIP adapter on a switch behind it. The box has a 375 MHz CPU and it handles 6000+ connections at a time (the most I've seen) when running eMule and BitTorrent together without breaking a sweat. Obviously I have to turn off LNS's SPI because of its 256 connection limit. I'm using Phant0m's rules with my own LAN and P2P rules placed according to Phant0m's recommendation so that all traffic gets filtered by most of his rules (because my rules are not at the top of the list).

    I really like how LNS has the option to make it so certain rule(s) are only activated when a certain application is launched. Therefore, even though my hardware firewall accepts incoming connections for P2P and forwards them to my computer, LNS only accepts them when eMule or my bittorrent client is running.

    What I want to know is if CHX-I has a similar option to trigger a specific port when an application is launched. I would also like to know if CHX-I with the sample LAN rules and my own force allow rules for P2P would be more secure than LNS. I've gathered that CHX-I can handle thousands of connections and its SPI does more than just TCP/UDP.

    If I start using CHX-I, I would probably just turn off the internet filter on LNS and just use the app filter instead of uninstalling LNS. I am also wondering if AppDefend would be just as good, because that could possibly replace LNS's app filter and PG at the same time.

    (Yes I do understand all the blah, blah, blah that this might be redundant and use more resources and all, but I'm not concerned because when I boot my XP machine I have over 30 processes running and my RAM usage is around 155 megs. Only half of them are from Windows.)
     
  2. Arup

    Arup Guest

    Port triggering is in the CHX 3 beta, not in the release. As for CHX replacing LnS, I don't think so, as it's purely inbound; you can make outbound blocking rules, but certainly not app-based ones by any means.
     
  3. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    So you're saying the port triggering only works by having a rule set up so that when traffic is coming in on such and such port, then another port, port list, or range of ports is allowed to accept incoming connections?

    If so, then I guess I will just stick with LNS's packet filtering since it can do app-based port triggering, or whatever term someone wants to call it.
     
  4. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    Chances are you'd want to stick with your current solution.

    CHX is a network tool. Unaware of user-space applications.

    Best Regards,

    Stefan.
     
  5. Arup

    Arup Guest


    Exactly, it's like port triggering in routers, where they are also known as special app rules.
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I must not be too creative this evening, but someone please give me an example of when (or why) port triggering would be used.
     
  7. Arup

    Arup Guest

    When any app using inbound/outbound needs multiple connections, port triggering is called for, especially P2P, games, etc. The router is not app based, so it needs to know that it's normal to allow all that.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Where applicable is this port triggering session specific or global?

    Regards,

    CrazyM
     
  9. Arup

    Arup Guest

    It's global in routers; any app needing a connection out through the specified port will get multiple-connection access.
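    A small simulation of the two policies CrazyM and Arup are discussing here (session-specific versus global triggering), added as an illustration for this thread and not taken from CHX-I, LNS or any router's firmware. The rule and packet classes, the LAN addresses, the port range and the timings are all constructed; only the idea (an outbound hit on a trigger port opens an inbound range for a while) comes from the posts above.

```python
"""Toy model of router-style port triggering (constructed example).

Two policy choices are modelled:
  - GLOBAL:   once any LAN host sends outbound traffic on the trigger port,
              the inbound range opens for every LAN host until the timer expires.
  - PER_HOST: the inbound range opens only for the LAN host that triggered it.
Hosts, ports and times below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TriggerRule:
    trigger_port: int             # outbound destination port that arms the rule
    open_ports: Tuple[int, int]   # inbound port range (inclusive) opened by the trigger
    ttl: int                      # seconds the opening stays active after the last trigger


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (LAN -> WAN) or "in" (WAN -> LAN)
    lan_host: str    # source host for "out", destination LAN host for "in"
    port: int        # destination port
    time: int        # seconds since start of the scenario


class TriggerFirewall:
    def __init__(self, rules: List[TriggerRule], mode: str):
        assert mode in ("GLOBAL", "PER_HOST")
        self.rules = rules
        self.mode = mode
        # armed[(rule_index, key)] = expiry time; key is "*" in GLOBAL mode
        self.armed: Dict[Tuple[int, str], int] = {}

    def _key(self, host: str) -> str:
        return "*" if self.mode == "GLOBAL" else host

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound is permitted; a hit on a trigger port (re)arms that rule.
            for i, r in enumerate(self.rules):
                if pkt.port == r.trigger_port:
                    self.armed[(i, self._key(pkt.lan_host))] = pkt.time + r.ttl
            return "ALLOW"
        # Inbound is allowed only if a matching rule is armed and not expired.
        for i, r in enumerate(self.rules):
            lo, hi = r.open_ports
            if lo <= pkt.port <= hi:
                expiry = self.armed.get((i, self._key(pkt.lan_host)))
                if expiry is not None and pkt.time <= expiry:
                    return "ALLOW"
        return "DROP"


def run(mode: str, packets: List[Packet]) -> List[str]:
    """Replay a packet list through a firewall with one constructed P2P-style rule."""
    fw = TriggerFirewall([TriggerRule(trigger_port=6881, open_ports=(6881, 6889), ttl=60)], mode)
    return [fw.handle(p) for p in packets]


# Constructed scenario: two LAN hosts, one of which triggers the rule.
SCENARIO = [
    Packet("in",  "10.0.0.5", 6882, 0),    # nothing armed yet -> DROP
    Packet("out", "10.0.0.5", 6881, 1),    # host .5 arms the rule
    Packet("in",  "10.0.0.5", 6882, 2),    # the triggering host -> ALLOW
    Packet("in",  "10.0.0.9", 6885, 3),    # a different LAN host: ALLOW only in GLOBAL mode
    Packet("in",  "10.0.0.5", 6882, 70),   # after the 60 s ttl expired -> DROP
]

if __name__ == "__main__":
    for mode in ("GLOBAL", "PER_HOST"):
        print(mode, run(mode, SCENARIO))
```

    Running it shows the point of CrazyM's question: in GLOBAL mode the fourth packet, an inbound hit on a host that never triggered anything, is accepted as soon as some other host has armed the rule, and stays accepted until the timer runs out. That is the trade-off a network-level filter makes when it cannot see which application is running, which is why a narrow port range and a short ttl matter more there than with an app-aware rule like the LNS one described in the first post.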
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    This may be ignorant of me, but I have been using CHX-I along with my current firewall. I have all packet inspection options in CHX-I enabled, but no rules besides the ones absolutely needed for my router. CHX-I picks up a lot with its packet filter (like 'Invalid Flags', 'Out of connection' and 'Unsolicited UDP') that my regular firewall (and my router) don't. CHX-I and my current firewall (Outpost) seem to work nicely together, perhaps on entirely different levels?

    Anyways that's just what I do, whether it is good or bad ;|
     