CHX-I 2.82

Discussion in 'other firewalls' started by Jazzie1, Mar 25, 2005.

Thread Status:
Not open for further replies.
  1. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!

    IDRCI.net released a new version of CHX-I on the 23rd. Has anyone tried it yet? Normally I would test/try it myself, but am so darn busy these days, I can't find the time to!!!! :)

    www.idrci.net

    Thanks,
    Jazzie
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,889
    Thanks for the notice Jazzie.. Haven't tried it yet. I wonder what happened to 3.0? I thought it was supposed to be in testing now for a long time...
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I did not see a change log.

    How about an update to that CHX-I rules thread of yours over at SSC?

    The new version looks the same, any changes must be under the hood, so to speak.
     
    Last edited: Mar 25, 2005
  4. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    What do you mean by that Diver?

    I don't have CHX-I installed currently!


    CU
    Jazzie
     
  5. tBB

    tBB Registered Member

    Joined:
    Mar 27, 2003
    Posts:
    25
    Location:
    .de
    WHAT'S NEW - March 2005 Releases:

    - Optimized packet filter driver for large number of simultaneous TCP sessions ( > 5,000)
    - Added the ability to display a fixed number of log files
    - Log to file can now be disabled
    - Corrected IP fragmentation check to allow DF=1,MF=1 or DF=1, FragOffset!=0 (This issue was reported with NFS over UDP traffic)
    - Fixed incorrect state for Ack Rst received on connections in SYN-Sent state.
    - Corrected stateful log for SYN packets on connections in Closed state
    - Restricted console access to root accounts
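
The fragmentation item in the change log above, sketched as an added example (not part of the original post and not IDRCI's code). It assumes the pre-fix driver dropped any fragment carrying DF=1, which is what "corrected ... to allow" implies; the size checks are generic fragment sanity checks included for context, and all names are hypothetical.

```python
import struct

DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # bits of the flags/offset word

def ipv4_header(total_len, df, mf, frag_offset):
    """Constructed 20-byte IPv4/UDP header for the demo (checksum left at 0)."""
    word = (DF if df else 0) | (MF if mf else 0) | (frag_offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, word,
                       64, 17, 0, bytes([192, 168, 1, 1]), bytes([192, 168, 1, 100]))

def check_fragment(header, allow_df_on_fragments):
    """Return 'pass' or a drop reason for one IPv4 header.

    allow_df_on_fragments=False models the assumed pre-fix behaviour;
    True models the behaviour the change log describes.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (header[0] & 0x0F) * 4
    total_len, _ident, word = struct.unpack_from("!HHH", header, 2)
    if ihl < 20 or total_len < ihl:
        return "drop: bad length"
    df, mf = bool(word & DF), bool(word & MF)
    offset = (word & OFFSET_MASK) * 8          # field counts 8-byte units
    payload = total_len - ihl
    if not (mf or offset != 0):
        return "pass"                          # not a fragment at all
    if df and not allow_df_on_fragments:
        return "drop: DF set on a fragment"
    if mf and (payload == 0 or payload % 8):
        return "drop: non-final fragment not a multiple of 8 bytes"
    if ihl + offset + payload > 65535:
        return "drop: reassembled datagram would exceed 65535 bytes"
    return "pass"

if __name__ == "__main__":
    cases = {
        "DF=1, MF=1": ipv4_header(1500, True, True, 0),
        "DF=1, FragOffset!=0": ipv4_header(1500, True, False, 185),
        "oversize last fragment": ipv4_header(1500, False, False, 8191),
    }
    for name, hdr in cases.items():
        print(name, "| strict:", check_fragment(hdr, False),
              "| relaxed:", check_fragment(hdr, True))
```

Relaxing the DF rule does not weaken the other checks: the oversize fragment is still dropped in both modes.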
     
  6. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Thanx for the info on that tBB! :)
    Just seen the link to that myself a few minutes ago... (What's new)

    CU
    Jazzie
     
  7. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    Thank you Jazzie & tBB! It is nice to see an update, it's been a while. :)
     
  8. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Kerodo-
    Yeah, I am also anticipating version 3.0. It is also supposed to be released soon, or the last I heard anyways!!! I will give this newest version a shot when time permits. The last worked perfectly with Snortsam.

    BlueDevil, yeah, you're welcome man. CHX-I is one of the best packet filters I have seen, next to FW-1 (CP)...

    CU
    Jazzie
     
  9. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    Jazzie,

    Yeah, CHX-I is awesome! More firewalls in my opinion should be trying to copy what they have done with their packet filtering. :)
     
  10. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    3.0 is out (since February) in beta but not available to the public. As we approach a stable distribution we will release it to the public.

    Regards,

    Stefan.
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I missed the log changes. Doing away with the file is good for the application I have around here, that being keeping a firewall on the machine of a completely non-technical person. Now, I will not have to erase the logs.
     
  12. Arup

    Arup Guest

    Does anyone know if I can set up CHX-I with NAT/ICS?
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,889
    Thanks Jazzie and Stefan for the info. I'll have to try 2.82 soon and am looking forward very much to 3.0. Excellent package...
     
  14. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
  15. Arup

    Arup Guest

    Many thanks Jazzie, now I finally get to try CHX-I.
     
  16. tBB

    tBB Registered Member

    Joined:
    Mar 27, 2003
    Posts:
    25
    Location:
    .de
    Not only that, there is CHX-NAT which is also free for home use AFAIK. The combination of the CHX-Packetfilter and CHX-NAT runs circles around every consumer hardware router/firewall I know of.
     
  17. Arup

    Arup Guest

    Thanks tBB, now you got me even more interested. Now only if I can find something like BZ rules for CHX-I to start with as a good reference point, it would be truly nice.
     
  18. tBB

    tBB Registered Member

    Joined:
    Mar 27, 2003
    Posts:
    25
    Location:
    .de
    The online manuals over at http://www.idrci.net/download.html are really well done with plenty of screenshots and there are downloadable sample filter sets as well. Also the page Jazzie mentioned contains a lot of useful information, although for an older version of the CHX-Packetfilter.
     
  19. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Arup-

    Here is a good 'ground' ruleset to go by that I use on my system! (Note: if you use DHCP, you will have to enable the rules accordingly. I don't use DHCP!)
    ----------------------------
    Blocked Spoof,Filter,Deny,4 - Highest,Incoming,Any,Ingress Filters - Reserved IP Addresses,192.168.1.100 / 255.255.255.255,Any,- NA -,- NA -,- NA

    Blocked UDP Broadcast ,Filter,Deny,3 - High,Incoming,Any,192.168.1.100 / 255.255.255.255,0.0.0.255 / 255.255.255.255,UDP,137,137,- NA -

    Block Netbios Incoming,Filter,Deny,3 - High,Incoming,Any,Any,Any,UDP,137-138,137-138,- NA -

    Block Netbios Outgoing,Filter,Deny,3 - High,Outgoing,Any,Any,Any,UDP,137-138,137-138,- NA -

    Jazzie DNS,Filter,Force allow,4 - Highest,Incoming,Any,Jazzie DNS,192.168.1.100 / 255.255.255.255,UDP,53,1025-5000,- NA -

    (Disabled) Jazzie DHCP,Filter,Force allow,4 - Highest,Incoming,Any,192.168.1.1 / 255.255.255.255,192.168.1.100 / 255.255.255.255,UDP,67,68,67,68,- NA

    Block ICMP type 10,Filter,Deny,3 - High,Outgoing,Any,Any,Any,ICMP,- NA -,- NA -,Type: 10, Code: 0

    Allow Https Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,443,(!) SYN

    Allow Http Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,80,(!) SYN

    Allow Pop3 Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,110,(!) SYN

    Allow SMTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,25,Any,(!) SYN

    Allow FTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,21,(!) SYN

    MIRc allow outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,6660-6669,7000,(!) SYN

    (Disabled) Allow XDCC through Mirc outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,35532,(!) SYN

    (Disabled) Allow Telnet ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,23,(!) SYN

    Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN

    Allow Whois ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,43,(!) SYN

    Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN

    Allow UDP responses(UDP Stateful option on),Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,UDP,Any,Any,- NA -

    Ping others ICMP,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,ICMP,- NA -,- NA -,Type: 0, Code: 0


    ----------------------------

    Hope this helps as a 'mere' guide! Feel free to edit what you don't use or want! :)

    CU
    Jazzie
     
  20. Arup

    Arup Guest

    Jazzie, thanks for helping out a novice, now along with Kerio, I am on my way to another good adventure. Have used Kerio since version 2.0 and am yet to be hacked, this will just add another layer making it securer.
     