CHX-I Connection Problem

Discussion in 'other firewalls' started by FadeAway, Apr 6, 2007.

Thread Status:
Not open for further replies.
  1. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Hello. This is my first post at Wilders, but have read your
    forum regularly for three years, and learned much from past and
    present posters. Many thanks.

    Been running CHX-I 2.8.2 on a dial-up connection for a long while
    without a single glitch. Over time I evolved a nice port blocking
    rule set.

    A few days ago, I switched to DSL with a modem/router box that has
    a built-in SPI firewall. After the switch, I lost my DSL connectivity
    on every reboot. Tracked it down to CHX-I. With CHX-I uninstalled
    and running only the XP SP2 FW, all is ok. So I reinstalled CHX-I
    with only the IDRCI work station sample set, and turned on all the
    CHX-I SPI. As soon as CHX-I is reinstalled, the connectivity
    problems reappear, sometimes without even a re-boot. The only
    way to get back the connection is to uninstall CHX-I. The old dial-up
    connection is deleted, so only the Local Area Connection shows
    under Network Connections as LAN or High-Speed Internet.

    Also, to start fresh with DSL, I did a complete re-install
    of Windows XP and fully updated it.

    I registered CHX-I with IDRCI, so install it with a life-time
    free key, not the trial version. I am running PG free & Spyware
    Terminator HIPS, but do not think they are involved.

    As a practical user, and not a computer hobbyist, it will be easy
    for you to get beyond my skill level quite quickly.

    Any thoughts on correcting my problem would be welcomed.

    Thanks again.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello FadeAway, Welcome to Wilders.

    From your info, this is possibly a DHCP or more likely an ARP problem (due to connection loss without re-boot).
    Did you check the logs for any blocked packets?

    You could try the Wan_start rules; a copy is posted here. These should be loaded/imported onto the NIC (not the IP).
    Remove any other rules for the test/check.

    We do need to verify this is a rules/config problem, and not a driver conflict. So any info from the logs would be helpful.
     
  4. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Thanks WSFuser & Stem.

    The CHX-I logs showed nothing that I had not seen before.
    They did show blocked packets on ports 67-68 from or to the
    router address (192....), don't remember which. But that was on start-up,
    and I had initial connectivity. The CHX-I Force Allow rule for
    DHCP offer traffic was in place and activated.

    If my memory serves correctly, IPConfig was showing a 169....
    address, which I know is incorrect.

    Do you suggest I try the WAN rules with v.2.8.2, or v.3.0?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi FadeAway,
    The Wan_start rules should be OK for either version.

    Ports 67/68 are for DHCP, so this could be the problem.

    Try the Wan_start rules, but ensure you place them on the NIC.
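
Added example, not part of the original thread: a small Python check that ties the two symptoms discussed above together, denied UDP traffic on ports 67/68 and an adapter holding a self-assigned 169.254.0.0/16 (APIPA) address, which Windows falls back to when no DHCP lease arrives. The ipconfig text and log lines are constructed samples, and the log layout is an assumed generic format, not CHX-I's own.

```python
import ipaddress
import re

# Constructed sample data (not taken from the thread). The log line layout is
# an assumed generic format, not CHX-I's own log format.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.37.12
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
"""
LOG_SAMPLE = """\
2007-04-06 18:02:11 DENY UDP 0.0.0.0:68 -> 255.255.255.255:67
2007-04-06 18:02:12 DENY UDP 192.168.1.1:67 -> 255.255.255.255:68
2007-04-06 18:02:15 ALLOW TCP 192.168.1.10:1045 -> 192.168.1.1:80
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when no lease arrives
LOG_RE = re.compile(r"(DENY|ALLOW) (\w+) (\S+):(\d+) -> (\S+):(\d+)")


def apipa_addresses(ipconfig_text):
    """Return IPv4 addresses in ipconfig output that fall in 169.254.0.0/16."""
    found = []
    for line in ipconfig_text.splitlines():
        if "IP Address" not in line and "IPv4 Address" not in line:
            continue  # skips mask, gateway and DNS lines
        m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", line)
        if m and ipaddress.ip_address(m.group(1)) in APIPA:
            found.append(m.group(1))
    return found


def blocked_dhcp(log_text):
    """Return (src_port, dst_port) for denied UDP packets on the DHCP ports."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        action, proto, _, sport, _, dport = m.groups()
        if action == "DENY" and proto == "UDP" and {int(sport), int(dport)} <= {67, 68}:
            hits.append((int(sport), int(dport)))
    return hits


def diagnose(ipconfig_text, log_text):
    """Combine both checks into a one-line finding."""
    apipa, drops = apipa_addresses(ipconfig_text), blocked_dhcp(log_text)
    if apipa and drops:
        return "DHCP exchange blocked by firewall; adapter fell back to " + apipa[0]
    if apipa:
        return "No DHCP lease, but no DHCP drops logged"
    return "Adapter has a non-APIPA address"
```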
     
  6. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Thank you Stem. Dinner time here now, so will try in a couple of hours.
    I will place the rules in the NIC green icon, not the IP address.

    Wish me luck!
     
  7. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Success !!!!

    A post by VC at the link provided by Stem seemed to indicate that
    the WAN_start rules would not work with v.2.8.2, so I installed
    v.3.0 and the WAN_start rules provided by WSFuser. Now I am going
    to have to read all those threads on version 3 at Wilders & SSC.

    I notice there is an ARP rule in the WAN rule set that is not
    in the workstation rule set.

    The DSL connection held through some surfing, and several reboots,
    both with the router on, and one reboot with the router turned
    off and then back on to change the IP address.

    I have checked only six properties boxes: TCP, UDP, and ICMP
    stateful, and logging for each. Should any others be checked?
    I seem to recall an old post by Stefan indicating that those
    options will in themselves take care of most fragmented packet issues.
    I have no need for payload filtering that I know of.

    Tracert works, so it appears the WAN rule allowing any ICMP is ok. Should
    any ICMP codes be denied? I think the router allows some ICMP to
    go through.

    I created a deny rule for trojan ports, imported my trojan
    ports list and that went ok.

    The CHX-I logs are blank, as expected, behind the router.

    Any suggestions anyone??

    A thousand thanks. I really hated to give up on CHX-I.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello FadeAway,

    My error with the possible compatibility of rulesets. I have installed 2.8 to check (which, if I had taken time (if it had been available)) I would have known. So sorry for that.

    Good to hear you can now connect.

    Regards,
     