Hi all! IDRCI.net released a new version of CHX-I on the 23rd. Has anyone tried it yet? Normally I would test/try it myself, but am so darn busy these days, I can't find the time to!!!! www.idrci.net Thanks, Jazzie
Thanks for the notice Jazzie.. Haven't tried it yet. I wonder what happened to 3.0? I thought it was supposed to be in testing now for a long time...
I did not see a change log. How about an update to that CHX-I rules thread of yours over at SSC? The new version looks the same, any changes must be under the hood, so to speak.
WHAT'S NEW - March 2005 Releases:
- Optimized packet filter driver for large number of simultaneous TCP sessions ( > 5,000)
- Added the ability to display a fixed number of log files
- Log to file can now be disabled
- Corrected IP fragmentation check to allow DF=1,MF=1 or DF=1, FragOffset!=0 (This issue was reported with NFS over UDP traffic)
- Fixed incorrect state for Ack Rst received on connections in SYN-Sent state.
- Corrected stateful log for SYN packets on connections in Closed state
- Restricted console access to root accounts
Thanx for the info on that tBB! Just seen the link to that myself a few minutes ago... (What's new) CU Jazzie
Kerodo- yeah I am also anticipating version 3.0. It is also supposed to be released soon, or the last I heard anyways!!! I will give this newest version a shot when time permits. The last worked perfectly with Snortsam. BlueDevil, yeah you're welcome man. CHX-I is one of the best packet filters I have seen, next to FW-1 (CP)... CU Jazzie
Jazzie, Yeah, CHX-I is awesome! More firewalls in my opinion should be trying to copy what they have done with their packet filtering.
3.0 is out (since February) in beta but not available to the public. As we approach a stable distribution we will release it to the public. Regards, Stefan.
I missed the log changes. Doing away with the file is good for the application I have around here, that being keeping a firewall on the machine of a completely non-technical person. Now, I will not have to erase the logs.
Thanks Jazzie and Stefan for the info. I'll have to try 2.82 soon and am looking forward very much to 3.0. Excellent package...
Arup- Yes, check out this site for filters and examples! http://members.shaw.ca/BIND-PE_and_ICS/chxi.htm CU Jazzie
Not only that, there is CHX-NAT which is also free for home use AFAIK. The combination of the CHX-Packetfilter and CHX-NAT runs circles around every consumer hardware router/firewall I know of.
Thanks tBB, now you got me even more interested. Now if only I can find something like BZ rules for CHX-I to start with as a good reference point, it would be truly nice.
The online manuals over at http://www.idrci.net/download.html are really well done with plenty of screenshots and there are downloadable sample filter sets as well. Also the page Jazzie mentioned contains a lot of useful information, although for an older version of the CHX-Packetfilter.
Arup- Here is a good 'ground' ruleset to go by that I use on my system! (Note: if you use DHCP, you will have to enable the rules accordingly. I don't use DHCP!)
----------------------------
Blocked Spoof,Filter,Deny,4 - Highest,Incoming,Any,Ingress Filters - Reserved IP Addresses,192.168.1.100 / 255.255.255.255,Any,- NA -,- NA -,- NA
Blocked UDP Broadcast ,Filter,Deny,3 - High,Incoming,Any,192.168.1.100 / 255.255.255.255,0.0.0.255 / 255.255.255.255,UDP,137,137,- NA -
Block Netbios Incoming,Filter,Deny,3 - High,Incoming,Any,Any,Any,UDP,137-138,137-138,- NA -
Block Netbios Outgoing,Filter,Deny,3 - High,Outgoing,Any,Any,Any,UDP,137-138,137-138,- NA -
Jazzie DNS,Filter,Force allow,4 - Highest,Incoming,Any,Jazzie DNS,192.168.1.100 / 255.255.255.255,UDP,53,1025-5000,- NA -
(Disabled) Jazzie DHCP,Filter,Force allow,4 - Highest,Incoming,Any,192.168.1.1 / 255.255.255.255,192.168.1.100 / 255.255.255.255,UDP,67,68,67,68,- NA
Block ICMP type 10,Filter,Deny,3 - High,Outgoing,Any,Any,Any,ICMP,- NA -,- NA -,Type: 10, Code: 0
Allow Https Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,443,(!) SYN
Allow Http Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,80,(!) SYN
Allow Pop3 Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,110,(!) SYN
Allow SMTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,25,Any,(!) SYN
Allow FTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,21,(!) SYN
MIRc allow outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,6660-6669,7000,(!) SYN
(Disabled) Allow XDCC through Mirc outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,35532,(!) SYN
(Disabled) Allow Telnet ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,23,(!) SYN
Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN
Allow Whois ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,43,(!) SYN
Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN
Allow UDP responses(UDP Stateful option on),Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,UDP,Any,Any,- NA -
Ping others ICMP,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,ICMP,- NA -,- NA -,Type: 0, Code: 0
----------------------------
Hope this helps as a 'mere' guide! Feel free to edit what you don't use or want! CU Jazzie
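A ruleset pasted like the one above is easy to copy but hard to review by eye, so here is an added example (not a tool from IDRCI, and not code from anyone in this thread) that parses rows in that exported layout and runs a few review checks over them: exact duplicates, disabled rules, allow rules with neither a source nor a port restriction, and the order in which the rules would be consulted. The column layout (name, type, action, priority, direction, interface, source, destination, protocol, one or more port fields, flags) is inferred from the rows in the post, and "higher priority first, list order within a priority" is an assumption made for the example rather than documented CHX-I behaviour. The sample rows are transcribed from the post; the two rows whose last field was cut to "- NA" are written as "- NA -".

```python
"""Review an exported CHX-I filter list: one comma-separated rule per line.

Added example. Column layout and evaluation order are assumptions inferred
from the rows in the post, not taken from CHX-I documentation.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows transcribed from the ruleset in the post above.
SAMPLE_RULESET = """\
Blocked Spoof,Filter,Deny,4 - Highest,Incoming,Any,Ingress Filters - Reserved IP Addresses,192.168.1.100 / 255.255.255.255,Any,- NA -,- NA -,- NA -
Block Netbios Incoming,Filter,Deny,3 - High,Incoming,Any,Any,Any,UDP,137-138,137-138,- NA -
Jazzie DNS,Filter,Force allow,4 - Highest,Incoming,Any,Jazzie DNS,192.168.1.100 / 255.255.255.255,UDP,53,1025-5000,- NA -
(Disabled) Jazzie DHCP,Filter,Force allow,4 - Highest,Incoming,Any,192.168.1.1 / 255.255.255.255,192.168.1.100 / 255.255.255.255,UDP,67,68,67,68,- NA -
Allow Http Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,80,(!) SYN
MIRc allow outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,6660-6669,7000,(!) SYN
Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN
Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN
Allow UDP responses(UDP Stateful option on),Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,UDP,Any,Any,- NA -
Ping others ICMP,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,ICMP,- NA -,- NA -,Type: 0, Code: 0
"""

ALLOW_ACTIONS = {"Allow", "Force allow"}
DISABLED_PREFIX = "(Disabled)"


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool
    action: str
    priority: int      # numeric part of "4 - Highest"
    direction: str
    interface: str
    src: str
    dst: str
    proto: str
    ports: tuple       # raw port fields, e.g. ("Any", "80") or ("67", "68", "67", "68")
    flags: str

    def match_key(self):
        """Every field that decides what the rule matches, i.e. all but the name."""
        return (self.action, self.priority, self.direction, self.interface,
                self.src, self.dst, self.proto, self.ports, self.flags)


def parse_rule(line: str) -> Rule:
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 12:
        raise ValueError(f"unexpected row layout: {line!r}")
    name, _kind, action, priority, direction, iface, src, dst, proto = fields[:9]
    # ICMP rows keep "Type: N, Code: M" in the flags column, so that field
    # itself contains a comma and must be re-joined; the port fields vary in
    # count (port lists are comma-separated too), so take them as a tuple.
    if fields[-2].startswith("Type:"):
        flags, ports = fields[-2] + ", " + fields[-1], tuple(fields[9:-2])
    else:
        flags, ports = fields[-1], tuple(fields[9:-1])
    enabled = not name.startswith(DISABLED_PREFIX)
    if not enabled:
        name = name[len(DISABLED_PREFIX):].strip()
    return Rule(name, enabled, action, int(priority.split(" - ")[0]), direction,
                iface, src, dst, proto, ports, flags)


def parse_ruleset(text: str) -> list:
    """Parse every non-empty line, skipping the '-----' separators of a pasted list."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("---")]


def duplicate_rules(rules):
    """Names of rules whose match fields equal another rule's (dead weight at best)."""
    counts = Counter(r.match_key() for r in rules)
    names = []
    for r in rules:
        if counts[r.match_key()] > 1 and r.name not in names:
            names.append(r.name)
    return names


def broad_allows(rules):
    """Enabled allow rules with no source restriction and no port restriction."""
    return [r.name for r in rules
            if r.enabled and r.action in ALLOW_ACTIONS and r.src == "Any"
            and (r.proto == "Any" or all(p == "Any" for p in r.ports))]


def disabled_rules(rules):
    return [r.name for r in rules if not r.enabled]


def evaluation_order(rules):
    """Assumed order: enabled rules, higher priority first, list order within a priority."""
    active = [r for r in rules if r.enabled]
    return [r.name for r in sorted(active, key=lambda r: -r.priority)]


def action_summary(rules):
    return Counter(r.action for r in rules)


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    print("evaluation order:", evaluation_order(rules))
    print("duplicates:", duplicate_rules(rules))
    print("broad allows:", broad_allows(rules))
    print("disabled:", disabled_rules(rules))
    print("actions:", dict(action_summary(rules)))
```

On the sample it reports the doubled "Allow MSN outgoing on port 1863" row, the disabled DHCP rule, and "Allow UDP responses" as the one enabled allow rule that names neither a source nor a port; the post says that rule relies on the UDP stateful option being switched on, which is exactly the kind of dependency worth confirming on a machine the rules are copied to.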
Jazzie, thanks for helping out a novice, now along with Kerio, I am on my way to another good adventure. Have used Kerio since version 2.0 and am yet to be hacked, this will just add another layer making it more secure.