CHX-I Connection Problem

Hello. This is my first post at Wilders, but have read your
forum regularly for three years, and learned much from past and
present posters. Many thanks.

Been running CHX-I 2.8.2 on a dial-up connection for a long while
without a single glitch. Over time I evolved a nice port blocking
rule set.

A few days ago, I switched to DSL with a modem/router box that has
a built-in SPI firewall. After the switch, I lost my DSL connectivity
on every reboot. Tracked it down to CHX-I. With CHX-I unistalled
and running only only the XP SP2 FW, all is ok. So I reinstalled CHX-I
with only the IDRCI work station sample set, and turned on all the
CHX-I SPI. As soon as CHX-I is reinstalled, the connectivity
problems reappear, sometimes without even a re-boot. The only
way to get back the connection is to uninstall CHX-I. The old dial-up
connection is deleted, so only the Local Area Connection shows
under Network Connections as LAN or High-Speed Internet.

Also, to start fresh with DSL, I did a complete re-install
of Windows XP and fully updated it.

I registered CHX-I with IDRCI, so install it with a life-time
free key, not the trial version. I am running PG free & Spyware
Terminator HIPS, but do not think they are involved.

As a practical user, and not a computer hobbyist, it will be easy
for you to get beyond my skill level quite quickly.

Any thoughts on correcting my problem would be welcomed.

Thanks again.

 

ive uploaded v3 of CHX and a sample ruleset here. give it a try

 

Hello FadeAway, Welcome to Wilders.

From your info, this is possibly a DHCP or more likely an ARP problem (due to connection loss without re-boot).
Did you check the logs for any blocked packets?

You could try the Wan_start rules, a copy is posted here, these should be loaded/imported onto the NIC (not the IP),
Remove any other rules for the test/check.

We do need to verify this is a rules/config problem, and not a driver conflict. So any info from the logs would be helpful.

 

Thanks WSFuser & Stem.

The CHX-I logs showed nothing that I had not seen before.
They did show blocked packets on ports 67-68 from or to the
router address (192....), don't remember which. But that was on start-up,
and I had initial connectivity. The CHX-I Force Allow rule for
DHCP offer traffic was in place and activated.

If my memory serves correctly, IPConfig was showing a 169....
address, which I know is incorrect.

Do you suggest I try the WAN rules with v.2.8.2, or v.3.0?

 

Hi FadeAway,
The Wan_start rules should be OK for either version.

Ports 67/68 are for DHCP, so this could be the problem.

Try the Wan_start rules, but ensure you place them on the NIC.

 

Thank you Stem. Dinner time here now, so will try in a couple of hours.
I will place the rules in the NIC green icon, not the IP address.

Wish me luck!

 

Success !!!!

A post by VC at the link provided by Stem seemed to indicate that
the WAN_start rules would not work with v.2.8.2, so I installed
v.3.0 and the WAN_start rules provided by WSFuser. Now I am going
to have to read all those threads on version 3 at Wilders & SSC.

I notice there is an ARP rule in the WAN rule set that is not
in the workstation rule set.

The DSL connection held through some surfing, and several reboots,
both with the router on, and one reboot with the router turned
off and then back on to change the IP address.

I have checked only six properties boxes: TCP, UDP, and ICMP
stateful, and logging for each. Should any others be checked?
I seem to recall an old post by Stefan indicating that those
options will in themselves take care of most fragmented packet issues.
I have no need for payload filtering that I know of.

Tracert works, so it appears the WAN rule allowing any ICMP is ok. Should
any ICMP codes be denied? I think the router allows some ICMP to
go through.

I created a deny rule for trojan ports, imported my trojan
ports list and that went ok.

The CHX-I logs are blank, as expected, behind the router.

Any suggestions anyone??

A thousand thanks. I really hated to give up on CHX-I.

 

Hello FadeAway,

My error with the possible compatibiltiy of rulesets. I have installed 2.8 to check (which, if I had taken time (if it had been avialable)) I would of known. So sorry for that.

Good to hear you can now connect.

Regards,