CHX-I questions... again :)

Discussion in 'other firewalls' started by glentrino2duo, Feb 15, 2007.

  1. glentrino2duo

    glentrino2duo Registered Member

    I decided to reinstall CHX v3 and have a few questions about it. I'm using the wan_start filters (here is a copy: http://www.filefactory.com/file/9d7960/) I downloaded from the forums quite some time ago. I also enabled all SPI. With that I don't have any problems at all with browsing, and even using Free Download Manager, even JAP and Tor. The problem is that even with uTorrent, without using UPnP, there is no problem connecting and downloading even if I haven't opened up its port in CHX-I. Are the rules from wan_start too permissive? Any problem with my filter rules? Any assistance is much appreciated... thanks in advance! :)
     


  2. Stem

    Stem Firewall Expert

    Hi glentium,
    The rules are not what I would use myself. But they will block inbound connections.

    With uTorrent, you will be downloading with the outbound (TCP) connections you make; plus, the rules will allow ALL inbound UDP (on any port), and uTorrent will download/upload via UDP.
     
    Last edited: Feb 15, 2007
  3. glentrino2duo

    glentrino2duo Registered Member

    Thanks for that info Stem. Is that a bad thing? Does that mean that with that ruleset, it's basically just a little tighter than Windows Firewall?

    If you don't mind, would you please help me in making my ruleset more restrictive?
     
    Last edited: Feb 15, 2007
  4. rdsu

    rdsu Registered Member

    glentium,

    Those rules are from the CHX author, and are there to start using CHX; after that every user has to change them for their own needs...

    If you want uTorrent to work correctly with those rules, you must create an incoming filter to allow traffic to the specified port on uTorrent.

    You can check the Network Status on uTorrent, which indicates if everything is right with the connection.
    http://www.utorrent.com/faq.php#What_do_the_Network_Status_lights_mean.3F

    Regards
     
  5. glentrino2duo

    glentrino2duo Registered Member

  6. Stem

    Stem Firewall Expert

    Hello glentium,

    I don't place rules as shown in the ruleset.
    I would normally place rules to allow outbound. For inbound TCP, I place a rule to block inbound TCP SYN. To allow a port, I edit the rule, so it is: Block inbound SYN ~local port (to allow the inbound) NOT.
     
  7. glentrino2duo

    glentrino2duo Registered Member

    So is the TCP&UDP_NO_SYN the one allowing all connections?
     
  8. Stem

    Stem Firewall Expert

    No, that rule will block inbound TCP connections (SYN packets), but will allow all inbound UDP.

    If you are connected directly to the internet, run a ShieldsUP scan.
     
  9. Alphalutra1

    Alphalutra1 Registered Member

    Glentium, uTorrent will work since you are using it through a proxy. Don't use it through a proxy and it won't work. Also, don't use torrents in Tor since it really screws over the network and makes it much slower, so it is a really inconsiderate thing to do. CHX-I rules are perfectly fine, you just don't understand why it is working. The TCP connection is occurring at the Tor server, not at your computer, so CHX-I can't block it since there is nothing to block.

    Cheers,

    Alphalutra1
     
  10. rdsu

    rdsu Registered Member

    That rule is to allow only the TCP/UDP traffic that is not SYN, and is to be used with TCP and UDP Stateful Inspection enabled.
     
  11. Stem

    Stem Firewall Expert

    Only TCP can be "SYN".

    But yes, I stand corrected: the SPI will block unsolicited inbound UDP.
     
    Last edited: Feb 15, 2007
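As an added example (not CHX-I's own code or the wan_start ruleset), the small Python model below reproduces the rule logic this thread turns on: the TCP&UDP_NO_SYN rule that passes anything that is not a new inbound TCP connection, the "Block inbound SYN ~local port NOT" exception Stem describes in post 6, and the SPI behaviour from posts 2 and 11 that decides whether unsolicited inbound UDP gets through. The Packet and Filter names, addresses and port numbers are constructed for the demonstration.

```python
# Added example, not CHX-I code: a toy model of the inbound rule logic discussed
# in this thread. Packet values below are constructed for the demonstration.
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "in" or "out"
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}


class Filter:
    """allowed_in_tcp_ports: local ports exempted from the inbound SYN block
    (the 'Block inbound SYN ~local port NOT' edit). spi: whether stateful
    inspection is enabled, which is what decides the fate of unsolicited UDP."""

    def __init__(self, allowed_in_tcp_ports=(), spi=False):
        self.allowed = set(allowed_in_tcp_ports)
        self.spi = spi
        self.udp_state = set()     # (local port, remote ip, remote port) seen outbound

    def check(self, p):
        if p.direction == "out":   # outbound is allowed; remember UDP flows for SPI
            if p.proto == "udp":
                self.udp_state.add((p.sport, p.dst, p.dport))
            return "allow"
        # Inbound TCP SYN without ACK is a new connection attempt: blocked unless
        # the local port was exempted. A SYN/ACK reply to our own SYN has ACK set
        # and falls through to the NO_SYN rule below.
        if p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
            return "allow" if p.dport in self.allowed else "block"
        # With SPI on, inbound UDP must match a flow we opened ourselves.
        if p.proto == "udp" and self.spi:
            return "allow" if (p.dport, p.src, p.sport) in self.udp_state else "block"
        return "allow"             # TCP&UDP_NO_SYN: everything else passes


def demo(spi):
    f = Filter(allowed_in_tcp_ports={6881}, spi=spi)   # 6881: a torrent listen port
    r = {}
    r["syn_to_6881"] = f.check(Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 6881, "in", {"SYN"}))
    r["syn_to_445"] = f.check(Packet("tcp", "203.0.113.5", 40001, "192.0.2.10", 445, "in", {"SYN"}))
    f.check(Packet("udp", "192.0.2.10", 53001, "198.51.100.1", 53, "out"))   # our own DNS query
    r["dns_reply"] = f.check(Packet("udp", "198.51.100.1", 53, "192.0.2.10", 53001, "in"))
    r["unsolicited_udp"] = f.check(Packet("udp", "203.0.113.9", 1337, "192.0.2.10", 1900, "in"))
    return r
```

With spi=False the unsolicited UDP packet is allowed, which is the behaviour Stem describes in post 2; with spi=True it is blocked, as corrected in post 11, while the DNS reply to our own query still passes.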
  12. glentrino2duo

    glentrino2duo Registered Member

    @Alphalutra: Thanks. I am not using Tor for actual peer-to-peer connections. I set up Tor in uTorrent as specified in the Tor wiki itself (here: http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO#head-0d047b05e9b93c23cec9198550816a114012bde0), so I don't think it would be a problem as to Tor network slowdowns. Also, I tried uTorrent on a fresh install of WXP, without Tor, and it still worked right away as mentioned in the first post. But you said it right, I didn't understand at first why it's working right away. But it seems to me now that the ruleset is not that bad since it is blocking TCP SYN and other unsolicited connections. Although, I really want to learn how to make it more restrictive since I think it's quite permissive at the moment...

    ------
    @Stem: "For inbound TCP, I place a rule to block inbound TCP SYN. To allow a port, I edit the rule, so it is: Block inbound SYN ~local port(to allow the inbound) NOT."
    ------
    I'll experiment more on this to see.. thanks!

    -------
    @Stem: "If you are connected directly to the internet, Run a shieldsup scan."
    -------
    I'm actually connecting through a proxy in our network which serves as the firewall (Linux), so most online scans I ran detect that firewall's ports.. Is there an offline port scanner so I can check my stealth settings more accurately? I use a similar CHX-I setup in my other desktop connected to our network, no internet, but I had to add rules to allow DNS and Broadcast to make it work..

    *****
    Another question: why do I see blocked connections in the CHX-I log where neither the incoming nor the outgoing IP is my computer?

    I want to thank you all guys for assisting me here. I'm learning so much from all of you.
     
  13. Stem

    Stem Firewall Expert

    Hello glentium,
    Scans can be made over the LAN using nmap. I ran a scan with CHX installed using the above ruleset, and the result was closed and open ports. The open ports were the Windows services I had re-enabled for the scan.

    As for the blocked connections, this is probably broadcasts or packets directed at other nodes. Have you an example?

    I am going to re-install CHX and have a long look today (as it has been a while, so I need to refresh my memory on this packet filter).
     
  14. rdsu

    rdsu Registered Member

    When I used CHX-I, with those samples, my system was completely stealth...
     
  15. Stem

    Stem Firewall Expert

    VaMPiRiC_CRoW,
    I will re-install and make an online scan and post the result.

    update,
    Have set up, using above ruleset, with SPI enabled (on DMZ pc).

    Shieldsup: Common ports scan
     


    Last edited: Feb 16, 2007
  16. rdsu

    rdsu Registered Member

    Stem,

    You must be doing something wrong...
     
  17. Stem

    Stem Firewall Expert

    VaMPiRiC_CRoW,

    Such as?

    I have enabled all SPI, and simply loaded the rule file. Results of the scan were the same on XP and W2K.

    Edit
    On checking, I am seeing that my ISP is filtering ports 139 and 445.
    Port 1720 is coming through, so that is the only port showing as "Stealth" by CHX on this online scan.
     
    Last edited: Feb 16, 2007
  18. Alphalutra1

    Alphalutra1 Registered Member

    I think something is wrong with CHX-I :gack: I am going to install it and report back with my findings...

    UPDATE
    This one version isn't installing and refuses to, saying it is being interrupted (too bad my only other security app SSM is disabled; I will try installing an older version of v3), never mind, that doesn't work. What the heck is going on with my computer that won't let me install it o_O


    Cheers,

    Alphalutra1
     
  19. Stem

    Stem Firewall Expert

    Hello Alphalutra1,

    This to me (or anyone) is not a problem using CHX. Simply adding a rule to block inbound TCP SYN to that ruleset gives full "Stealth" and alleviates this. I have included such a rule (but wanted to see, after running for a good time, if this may cause problems), but all OK.
     
  20. Alphalutra1

    Alphalutra1 Registered Member

    Okay Stem, it was a misunderstanding. I thought you already had just the default ruleset, my bad.

    As to glentium, here is what the documentation you pointed me to says about using BitTorrent on Tor:
    So please don't do it since it really makes Tor slow for other people. Also, if you have something illegal to do, do it in a safer means than BitTorrenting (newsgroups), or don't do it at all.

    Cheers,

    Alphalutra1
     
  21. Stem

    Stem Firewall Expert

    The default ruleset (as posted) does give the above scan results (on this setup)... I know too little of CHX to comment more as yet.
     
  22. Alphalutra1

    Alphalutra1 Registered Member

    With the not syn flag option checked?
     
  23. Stem

    Stem Firewall Expert

  24. Phant0m

    Phant0m Registered Member

    Hi Stem

    If you are using a router, there's a good chance that it's the reason for the stealthed ports (139, 445).

    I quickly glanced at the wan_start ruleset and see that there is oddly a rule named '***Incoming ARP' in there. I find it difficult to believe this is the original and untouched ruleset file that had been received from the official website... Anyways, whoever made this rule clearly doesn't understand the workings of the CHX-I packet filter... Delete this rule and re-run the scans (if you made changes, start fresh).
     
  25. Alphalutra1

    Alphalutra1 Registered Member

    No, you need the rule or else your ethernet connection won't work (ARP filtering was added to CHX-I v3). Allowing all ARP gives you the same protection as in v2, except that some malicious types are automatically detected (in the interface rules portion, along with enabling/disabling SPI, etc.).

    Cheers,

    Alphalutra1
     