Hello. This is my first post at Wilders, but have read your forum regularly for three years, and learned much from past and present posters. Many thanks. Been running CHX-I 2.8.2 on a dial-up connection for a long while without a single glitch. Over time I evolved a nice port blocking rule set. A few days ago, I switched to DSL with a modem/router box that has a built-in SPI firewall. After the switch, I lost my DSL connectivity on every reboot. Tracked it down to CHX-I. With CHX-I uninstalled and running only the XP SP2 FW, all is ok. So I reinstalled CHX-I with only the IDRCI work station sample set, and turned on all the CHX-I SPI. As soon as CHX-I is reinstalled, the connectivity problems reappear, sometimes without even a re-boot. The only way to get back the connection is to uninstall CHX-I. The old dial-up connection is deleted, so only the Local Area Connection shows under Network Connections as LAN or High-Speed Internet. Also, to start fresh with DSL, I did a complete re-install of Windows XP and fully updated it. I registered CHX-I with IDRCI, so installed it with a life-time free key, not the trial version. I am running PG free & Spyware Terminator HIPS, but do not think they are involved. As a practical user, and not a computer hobbyist, it will be easy for you to get beyond my skill level quite quickly. Any thoughts on correcting my problem would be welcomed. Thanks again.
Hello FadeAway, Welcome to Wilders. From your info, this is possibly a DHCP or more likely an ARP problem (due to connection loss without re-boot). Did you check the logs for any blocked packets? You could try the Wan_start rules, a copy is posted here; these should be loaded/imported onto the NIC (not the IP). Remove any other rules for the test/check. We do need to verify this is a rules/config problem, and not a driver conflict. So any info from the logs would be helpful.
Thanks WSFuser & Stem. The CHX-I logs showed nothing that I had not seen before. They did show blocked packets on ports 67-68 from or to the router address (192....), don't remember which. But that was on start-up, and I had initial connectivity. The CHX-I Force Allow rule for DHCP offer traffic was in place and activated. If my memory serves correctly, IPConfig was showing a 169.... address, which I know is incorrect. Do you suggest I try the WAN rules with v.2.8.2, or v.3.0?
Hi FadeAway, The Wan_start rules should be OK for either version. Ports 67/68 are for DHCP, so this could be the problem. Try the Wan_start rules, but ensure you place them on the NIC.
Thank you Stem. Dinner time here now, so will try in a couple of hours. I will place the rules in the NIC green icon, not the IP address. Wish me luck!
Success !!!! A post by VC at the link provided by Stem seemed to indicate that the WAN_start rules would not work with v.2.8.2, so I installed v.3.0 and the WAN_start rules provided by WSFuser. Now I am going to have to read all those threads on version 3 at Wilders & SSC. I notice there is an ARP rule in the WAN rule set that is not in the workstation rule set. The DSL connection held through some surfing, and several reboots, both with the router on, and one reboot with the router turned off and then back on to change the IP address. I have checked only six properties boxes: TCP, UDP, and ICMP stateful, and logging for each. Should any others be checked? I seem to recall an old post by Stefan indicating that those options will in themselves take care of most fragmented packet issues. I have no need for payload filtering that I know of. Tracert works, so it appears the WAN rule allowing any ICMP is ok. Should any ICMP codes be denied? I think the router allows some ICMP to go through. I created a deny rule for trojan ports, imported my trojan ports list and that went ok. The CHX-I logs are blank, as expected, behind the router. Any suggestions anyone?? A thousand thanks. I really hated to give up on CHX-I.
Hello FadeAway, My error with the possible compatibility of rulesets. I have installed 2.8 to check (which, if I had taken time (if it had been available)) I would have known. So sorry for that. Good to hear you can now connect. Regards,