CHX-I 2.82

Discussion in 'other firewalls' started by Jazzie1, Mar 25, 2005.

Thread Status:
Not open for further replies.
  1. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!

    IDRCI.net released a new version of CHX-I on the 23rd. Has anyone tried it yet? Normally I would test/try it myself, but am so darn busy these days, I can't find the time to!!!! :)

    www.idrci.net

    Thanks,
    Jazzie
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Thanks for the notice Jazzie.. Haven't tried it yet. I wonder what happened to 3.0? I thought it was supposed to be in testing now for a long time...
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I did not see a change log.

    How about an update to that CHX-1 rules thread of yours over at SSC?

    The new version looks the same, any changes must be under the hood, so to speak.
     
    Last edited: Mar 25, 2005
  4. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    What do you mean by that Diver?

    I don't have CHX-I installed currently!


    CU
    Jazzie
     
  5. tBB

    tBB Registered Member

    Joined:
    Mar 27, 2003
    Posts:
    25
    Location:
    .de
    WHAT'S NEW - March 2005 Releases:

    - Optimized packet filter driver for large number of simultaneous TCP sessions ( > 5,000)
    - Added the ability to display a fixed number of log files
    - Log to file can now be disabled
    - Corrected IP fragmentation check to allow DF=1,MF=1 or DF=1, FragOffset!=0 (This issue was reported with NFS over UDP traffic)
    - Fixed incorrect state for Ack Rst received on connections in SYN-Sent state.
    - Corrected stateful log for SYN packets on connections in Closed state
    - Restricted console access to root accounts
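The fragmentation item in the changelog above concerns packets that have DF set but are still fragments (MF=1 or a non-zero fragment offset). The following is an added example, not part of tBB's post and not CHX-I's code: it decodes those bits from a constructed IPv4 header and compares a strict check with a relaxed one. The `strict_df` switch and the two extra sanity checks are assumptions made for illustration.

```python
import struct

DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # IPv4 flags / fragment-offset field

def build_header(df, mf, frag_offset, payload_len):
    """Constructed 20-byte IPv4/UDP header for the demo (checksum left at 0)."""
    flags_frag = (DF if df else 0) | (MF if mf else 0) | (frag_offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, 17, 0,
                       bytes([192, 168, 1, 1]), bytes([192, 168, 1, 100]))

def parse_frag(header):
    """Decode the fields a fragmentation check needs from the first 8 bytes."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl,
            "df": bool(flags_frag & DF),
            "mf": bool(flags_frag & MF),
            "offset": (flags_frag & OFFSET_MASK) * 8,  # field counts 8-byte units
            "payload": total_len - ihl}

def check(header, strict_df):
    """Return 'accept' or a drop reason.

    strict_df=True rejects DF on any fragment (assumed stricter behaviour);
    strict_df=False allows DF=1,MF=1 and DF=1,offset!=0 as the changelog describes.
    """
    f = parse_frag(header)
    is_fragment = f["mf"] or f["offset"] > 0
    if strict_df and f["df"] and is_fragment:
        return "drop: DF set on a fragment"
    # Generic sanity checks (assumptions, not taken from the changelog):
    if f["mf"] and f["payload"] % 8:
        return "drop: non-final fragment not a multiple of 8 bytes"
    if f["ihl"] + f["offset"] + f["payload"] > 65535:
        return "drop: reassembled datagram would exceed 65535 bytes"
    return "accept"

if __name__ == "__main__":
    samples = {
        "DF=1,MF=1 first fragment": build_header(True, True, 0, 1480),
        "DF=1, offset=1480 last fragment": build_header(True, False, 185, 520),
        "DF=1, not fragmented": build_header(True, False, 0, 100),
        "oversized reassembly": build_header(False, False, 8189, 100),
    }
    for name, hdr in samples.items():
        print(f"{name:34} strict={check(hdr, True)!r} relaxed={check(hdr, False)!r}")
```
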
     
  6. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Thanx for the info on that tBB! :)
    Just seen the link to that myself a few minutes ago... (What's new)

    CU
    Jazzie
     
  7. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    Thank you Jazzie & tBB! It is nice to see an update, it's been a while. :)
     
  8. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Kerodo-
    Yeah, I am also anticipating version 3.0. It is also supposed to be released soon, or the last I heard anyways!!! I will give this newest version a shot when time permits. The last worked perfect with Snortsam.

    BlueDevil, yeah you're welcome man. CHX-I is one of the best packet filters I have seen, next to FW-1 (CP)...

    CU
    Jazzie
     
  9. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    Jazzie,

    Yeah, CHX-I is awesome! More firewalls in my opinion should be trying to copy what they have done with their packet filtering. :)
     
  10. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    3.0 is out (since February) in beta but not available to the public. As we approach a stable distribution we will release it to the public.

    Regards,

    Stefan.
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I missed the log changes. Doing away with the file is good for the application I have around here, that being keeping a firewall on the machine of a completely non-technical person. Now, I will not have to erase the logs.
     
  12. Arup

    Arup Guest

    Does anyone know if I can set up CHX-I with NAT/ICS?
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Thanks Jazzie and Stefan for the info. I'll have to try 2.82 soon and am looking forward very much to 3.0. Excellent package...
     
  14. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
  15. Arup

    Arup Guest

    Many thanks Jazzie, now I finally get to try CHX-1.
     
  16. tBB

    tBB Registered Member

    Joined:
    Mar 27, 2003
    Posts:
    25
    Location:
    .de
    Not only that, there is CHX-NAT which is also free for home use AFAIK. The combination of the CHX-Packetfilter and CHX-NAT runs circles around every consumer hardware router/firewall I know of.
     
  17. Arup

    Arup Guest

    Thanks tBB, now you got me even more interested. Now only if I can find something like BZ rules for CHX-I to start with as a good reference point, it would be truly nice.
     
  18. tBB

    tBB Registered Member

    Joined:
    Mar 27, 2003
    Posts:
    25
    Location:
    .de
    The online manuals over at http://www.idrci.net/download.html are really well done with plenty of screenshots and there are downloadable sample filter sets as well. Also the page Jazzie mentioned contains a lot of useful information, although for an older version of the CHX-Packetfilter.
     
  19. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Arup-

    Here is a good 'ground' ruleset to go by that I use on my system! (Note: if you use DHCP, you will have to enable the rules accordingly. I don't use DHCP!)
    ----------------------------
    Blocked Spoof,Filter,Deny,4 - Highest,Incoming,Any,Ingress Filters - Reserved IP Addresses,192.168.1.100 / 255.255.255.255,Any,- NA -,- NA -,- NA

    Blocked UDP Broadcast ,Filter,Deny,3 - High,Incoming,Any,192.168.1.100 / 255.255.255.255,0.0.0.255 / 255.255.255.255,UDP,137,137,- NA -

    Block Netbios Incoming,Filter,Deny,3 - High,Incoming,Any,Any,Any,UDP,137-138,137-138,- NA -

    Block Netbios Outgoing,Filter,Deny,3 - High,Outgoing,Any,Any,Any,UDP,137-138,137-138,- NA -

    Jazzie DNS,Filter,Force allow,4 - Highest,Incoming,Any,Jazzie DNS,192.168.1.100 / 255.255.255.255,UDP,53,1025-5000,- NA -

    (Disabled) Jazzie DHCP,Filter,Force allow,4 - Highest,Incoming,Any,192.168.1.1 / 255.255.255.255,192.168.1.100 / 255.255.255.255,UDP,67,68,67,68,- NA

    Block ICMP type 10,Filter,Deny,3 - High,Outgoing,Any,Any,Any,ICMP,- NA -,- NA -,Type: 10, Code: 0

    Allow Https Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,443,(!) SYN

    Allow Http Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,80,(!) SYN

    Allow Pop3 Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,110,(!) SYN

    Allow SMTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,25,Any,(!) SYN

    Allow FTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,21,(!) SYN

    MIRc allow outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,6660-6669,7000,(!) SYN

    (Disabled) Allow XDCC through Mirc outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,35532,(!) SYN

    (Disabled) Allow Telnet ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,23,(!) SYN

    Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN

    Allow Whois ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP,Any,43,(!) SYN

    Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,TCP+UDP,Any,1863,(!) SYN

    Allow UDP responses(UDP Stateful option on),Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,UDP,Any,Any,- NA -

    Ping others ICMP,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.100 / 255.255.255.255,ICMP,- NA -,- NA -,Type: 0, Code: 0


    ----------------------------

    Hope this helps as a 'mere' guide! Feel free to edit what you don't use or want! :)

    CU
    Jazzie
     
  20. Arup

    Arup Guest

    Jazzie, thanks for helping out a novice, now along with Kerio, I am on my way to another good adventure. Have used Kerio since version 2.0 and am yet to be hacked, this will just add another layer making it securer.
     