# CHX-I Filters, Help Needed!

Discussion in 'other firewalls' started by MikeNAS, Oct 4, 2006.

MikeNAS

Joined:
Sep 28, 2006
Posts:
697
Location:
FiNLAND
Hello!

I just started to use CHX Packet Filter. Because I'm new with that program I need some help. Can someone give me some advice or a link to make the best/most secure/tightest filter settings? Do I need different settings in a local (usually wireless) network and public (again usually wireless) networks? Wireless/wired, do the same settings work in both?

Thanks for the help!

-MikeNAS

rdsu

Joined:
Jun 28, 2003
Posts:
4,532
Try this: CHX-I Topics on Wilders

I can't help you more right now (working), but maybe at night...
Here it is 9:37 AM.

Last edited: Oct 4, 2006
MikeNAS

Joined:
Sep 28, 2006
Posts:
697
Location:
FiNLAND
When I posted my message it was early morning in Finland. BTW, the link doesn't work...

rdsu

Joined:
Jun 28, 2003
Posts:
4,532
Try now...

MikeNAS

Joined:
Sep 28, 2006
Posts:
697
Location:
FiNLAND
Sorry - no matches. Please try some different terms.

Are you using CHX as the search keyword? I tried it myself too and realized that it's too short. The CHX-I keyword works fine.

rdsu

Joined:
Jun 28, 2003
Posts:
4,532
I changed the URL again...
But you can search for CHX-I and you will find some topics to help you...

Alphalutra1

Joined:
Dec 17, 2005
Posts:
1,160
Location:
127.0.0.0/255.0.0.0
Here is the search link for you:

If you have installed version three, then:

2) Open up the CHX-I Management Console which should be located on your desktop

3) Right click on your Network Interface Card (it's a green box like looking thing located on the left under Packet filters)

4) Click "Properties"

5) For a bare minimum, put checks in "Enable TCP Stateful Inspection", "Enable TCP Stateful Logging", "Enable UDP Stateful Inspection", "Enable UDP Stateful Logging", "Enable ICMP Stateful Inspection", and "Enable ICMP Stateful Logging". If you want, also put a check in "Deny all incoming fragmented packets" and "Deny TCP Packets containing CWR, ECE Flags". (see picture for more options that I use)

6) Click "Okay"

7) Right click your Network Interface Card again.

8) Click "Import filters from file"

9) Locate the folder that you extracted previously, and select "workstation.sfd"

10) You are done

If you need any help with a special situation your computer is in (like filesharing, p2p, behind router, want to be able to be pinged, etc.), don't hesitate to ask.

Also, since CHX-I is not an app firewall, it won't filter apps that access the internet. However, you can control ports, IP addresses, etc., so if you want to restrict outbound, just ask and I will help you there as well.

Also, here is a nice picture of the LAN interface.

Cheers,

Alphalutra1

MikeNAS

Joined:
Sep 28, 2006
Posts:
697
Location:
FiNLAND
damn... Thanks for the help! Sadly I have to go to school now. I'll test those things in the evening and inform/ask if I have something on my mind.

dja2k

Joined:
Feb 15, 2005
Posts:
2,093
Location:
South Texas, USA
Off topic here (hope no one minds), but are these filters better than using Look'n'Stop's TCP Stateful Packet Inspection?

dja2k

rdsu

Joined:
Jun 28, 2003
Posts:
4,532
I don't know if LnS also has Stateful Packet Inspection for UDP and ICMP, and at least with this sample and configuration for CHX you have them...

Alphalutra1

Joined:
Dec 17, 2005
Posts:
1,160
Location:
127.0.0.0/255.0.0.0
Yes, the SPI is a ton better in CHX-I. Look'n'Stop can only handle (edit: 256, not 64) connections for the TCP SPI, and it falters if there are any more connections. Also, it doesn't have the pseudo-SPI for UDP and ICMP.

Alphalutra1

Last edited: Oct 5, 2006
dukebluedevil

Joined:
Sep 14, 2002
Posts:
177

Actually LookNStop TCP SPI now handles 256 connections. They have slowly increased it through the years, I have noticed. Regardless, though, there is still a limit.

CHX-I is an amazing packet filter. I wish more firewalls out there would try to emulate them. Instead so many seem to be busy on non-packet filtering things.

MikeNAS

Joined:
Sep 28, 2006
Posts:
697
Location:
FiNLAND
I have now made all of Alphalutra1's settings, including those in that picture. What else should I do? Or is this enough now? ATM I don't use p2p or any file sharing programs. Just surfing on the internet (Firefox), playing poker (PartyPoker) and chess (ICC), chatting with MSN (Miranda IM) and IRC (PuTTY - Linux box - irssi). I haven't tested that all those programs work now, but I'll do it ASAP. I thought that there shouldn't be any problems. BTW, how can I test my firewall security, any good website testers?

[offtopic]

I also like Alphalutra1's setup so much that I want to try it. Before that I want to ask a couple of questions.

1. How did you set up SSM?! My wife (I just bought her her own laptop) still sometimes uses my computer and she hates prompts.

2. Are you using some program to set up the Hosts file or simply replacing the original one?

3. Any special settings for Antivir?

4. Are these the only security programs that you use?

[/offtopic]

Alphalutra1

Joined:
Dec 17, 2005
Posts:
1,160
Location:
127.0.0.0/255.0.0.0
You are good in regards to the settings of the firewall if your internet is working and you followed my rules. You can always test it at www.grc.com and go to the Shields Up! test. Make sure your PC is in the DMZ though if you are behind a router.

In regards to SSM, if you keep it in learning mode for a while, and survive through the initial popups (not many if you have used learning mode), then I receive no popups at all since I disconnect the user interface, which blocks anything unknown without any popups. So if it is your PC, and you correctly set it up, then your wife shouldn't see any popups. Search for posts by herbalist, who is very good with SSM and also provides excellent instruction.

I am simply replacing my HOSTS file with the one from here (there are instructions on how to do this included with the hosts file download).

In terms of Antivir, I have tweaked the settings to full blast (max heuristics, scan all files, etc.) and it still runs very light.

As to other security, this is pretty much it, except for a few scanners which I rarely run (like Ewido, a-squared, Spybot Search & Destroy, and SpywareBlaster for immunization).

\end off topic

Please reply back if you need any more help with CHX-I (like if you see anything repeatedly occurring in your log, for example).

Alphalutra1

tongnepu

Joined:
Oct 14, 2006
Posts:
2
Hi there,

My name is Tong, I'm interested in using CHX for my bridge connection on my W2K3 Server. Here are the details of my W2K3 box:

LAN CARD 1 : 10.5.9.11/255.255.255.0
LAN CARD 2 : 10.5.9.111/255.255.255.0

From those 2 LAN cards I've managed to create a bridge connection with the IP manually configured as:

Bridge Connection: 10.5.9.1

I use LAN CARD 1 as a connection to the accounting department, meanwhile LAN CARD 2 is a separate connection to the marketing department. Both of them are on separate switches. So, I'd appreciate it if someone can show me how to allow only certain PCs in the marketing department to be able to connect to the accounting dept. FYI, I have activated Active Directory on the W2K3 server.

TIA,

Tong

Stem

Joined:
Oct 5, 2005
Posts:
4,948
Location:
UK
Hi Tong, Welcome to Wilders.
I have not made such a setup using CHX. But I would suggest trying this:
Make global rules to allow comms between certain MAC addresses (marketing dept MAC address list -> accounting MAC address list) (you can always make "lists" and use these in the rules).

tongnepu

Joined:
Oct 14, 2006
Posts:
2
Hi Stem,

Thanks for your response, I appreciate that. I'm going to try it very soon. BTW, what will be the difference if I create a new filter right from the LAN card interface instead of the Global interface?

For example, if I create a rule on LAN card interface 2 (that connects directly to the marketing dept. switch) to deny IPs from certain computers, would that work better than creating a rule in the Global interface?

Thanks

Tong

Stem

Joined:
Oct 5, 2005
Posts:
4,948
Location:
UK
Yes, you could try it that way... I was just thinking of keeping all the rules together.

If all the PCs are on fixed IP, then yes, you can create rules using the IPs.

I do not know how many PCs you have on each switch... so I just thought that using named lists of MAC addresses, and placing these all together within a global rules system, may have been an easier approach.
But it sounds like you now know how to set this up, so do what you think will work best for you.
Good luck... and let me know how you get on with this.

pcaca

Joined:
Sep 11, 2005
Posts:
62
It's time to renew the discussion in this thread, because I have problems configuring CHX-I 3.0. I used Jetico 2.0 Beta but it isn't working on my new notebook at all, so I decided to try CHX-I in the meantime, while a new beta of Jetico is cooked. I didn't have problems with Jetico and I don't have any problems understanding firewalls because I am a Computer Science student.

I am connected to a wireless router, my notebook has a fixed IP (I've disabled the DHCP rule in the ruleset). I've imported the rules posted by Alphalutra1, enabled stateful inspection and configured everything as described here, but I lost my internet connection and I couldn't ping the router. In order to be able to ping the router I must create an Allow Outgoing ARP rule in addition to the existing Allow Incoming ARP, and Allow Outgoing ICMP in addition to the existing Allow Incoming ICMP. But again I was not able to access the Internet although I could ping the router.

Also I added two rules to block NetBIOS and UPnP SSDP, but these rules don't change anything if I disable or enable them.

oopsminded

Joined:
Apr 18, 2006
Posts:
21
@ pcaca - I used CHX-I for a while, I have something you can try:

Alphalutra1 says:

If I did this, I wouldn't be able to access the internet either. Instead, I was right-clicking "my ip" - which was branching from the NIC icon - and importing there the .sfd file. Hope it helps.

pcaca

Joined:
Sep 11, 2005
Posts:
62
Thanks for your suggestion, it works: when I imported the rules into IP Address instead of Wireless Network Connection I got Internet access.

Now I am a little confused: what is the difference when the rules are in Wireless Network Connection and in IP Address? Does this mean that packets are filtered on different layers?

For example, I want to explicitly block NetBIOS and UPnP without logging, so I create a new block rule with "Disable log" checked. If I put the rules in the IP Address table the packets are not blocked by the rules and they get logged, because I can't change the destination IP when I am in the IP Address table; it's always 192.168.0.231 (my static IP). But NetBIOS and UPnP SSDP are sent to the broadcast IP addresses 192.168.0.255 and 239.255.255.250, and they are not blocked by the rules in the IP Address table where the destination IP is 192.168.0.231. So I must put the rules to block the broadcast packets in the Wireless Network Connection table.

Also, why are all the rules that Alphalutra1 posted set to allow incoming packets? In all stateful firewalls I've used before CHX-I I have to allow only outbound connections and inbound is handled by stateful inspection. Does CHX-I work differently from other stateful firewalls?

pcaca

Joined:
Sep 11, 2005
Posts:
62
Hi, can somebody please answer my questions in my previous post? I don't have problems with internet access but my log is getting full of blocked packets. I explicitly blocked NetBIOS and UPnP and it reduced the number of logged packets, but the log is still full of blocked packets on different ports.

Stem

Joined:
Oct 5, 2005
Posts:
4,948
Location:
UK
Any rule placed onto an IP can only be an IP rule, to/from that IP. Rules placed onto the NIC card can be any rule, including "network layer" rules (you would need to place all rules here if you do not use a fixed IP).

Simply place all rules onto the NIC.

This can be easier for most users, especially if they want to allow inbound connections. (It can be a problem if you attempt to filter in both directions, and it can easily cause new users unexpected results.)
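A small model of the rule-placement behaviour pcaca observed and Stem explained, as an added example that is not from the thread or from CHX-I itself. It assumes, as a simplification of Stem's description, that a rule attached to the IP Address node only matches packets to or from that IP, that the first matching rule wins, and that unmatched packets hit a logged default deny; the rule and packet classes and the sample packets are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# pcaca's static IP from the thread; the broadcast/multicast destinations below
# are the NetBIOS and UPnP SSDP targets the post mentions.
HOST_IP = "192.168.0.231"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class Rule:
    action: str           # "allow" or "deny"
    proto: str
    dport: Optional[int]  # None matches any destination port
    log: bool             # False means "Disable log" was checked
    scope: str            # "nic" (Wireless Network Connection node) or "ip" (IP Address node)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Assumed model of what Stem describes: a rule under the IP Address node is
    # implicitly "to/from that IP", so it never sees a packet addressed to
    # 192.168.0.255 or 239.255.255.250. A rule under the NIC node has no such limit.
    if rule.scope == "ip" and HOST_IP not in (pkt.src, pkt.dst):
        return False
    if rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, bool]:
    """Return (action, logged). First matching rule wins; anything unmatched
    falls to the default deny, which is logged (that is what fills pcaca's log)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.log
    return "deny", True

def silent_block_rules(scope: str) -> List[Rule]:
    """The 'block without logging' rules pcaca added, attached at the given node."""
    return [Rule("deny", "udp", 137, False, scope),    # NetBIOS name service
            Rule("deny", "udp", 1900, False, scope)]   # UPnP SSDP

# Constructed sample packets: a NetBIOS name broadcast and an SSDP multicast.
NETBIOS_BCAST = Packet("192.168.0.50", "192.168.0.255", "udp", 137)
SSDP_MCAST = Packet("192.168.0.1", "239.255.255.250", "udp", 1900)

if __name__ == "__main__":
    for scope in ("ip", "nic"):
        for pkt in (NETBIOS_BCAST, SSDP_MCAST):
            action, logged = filter_packet(silent_block_rules(scope), pkt)
            print(f"rules on {scope:3}: {pkt.dst:<16} -> {action}, logged={logged}")
```

With the rules on the IP node both broadcasts fall through to the logged default deny; moving the same rules to the NIC node blocks them silently, which is the effect pcaca reported.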