CHX-I questions... again :)

Discussion in 'other firewalls' started by glentrino2duo, Feb 15, 2007.

Thread Status:
Not open for further replies.
  1. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    While we are talking about CHX-I, I was wondering if anyone has the installer for version 2.8.*, since it was even more solid, and I don't really need any of the new features :p

    In regards to the scan, I think something has to be up since all ports should register as filtered by nmap with the default ruleset, and CHX-I should prevent any connections coming from a remote pc so it doesn't matter if anything is listening or not. But, port 21 is used for a ftp server, so maybe you installed one o_O

    Cheers,

    Alphalutra1
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I did note that "glentium" activated the FTP passive/active rules within the NIC properties. But when I checked on these settings there was no open port. That's why I asked if there was anything listening on that port, as that rule setting may open the port?
    glentium, you could try disabling the FTP rules, just to check.
     
  3. oopsminded

    oopsminded Registered Member

    Joined:
    Apr 18, 2006
    Posts:
    21
    Please send me a PM with your email address or a suggestion for how to send you the installers. I have CHX.Packet.Filter.v2.8.1.msi and CHX.Security.Toolkit.v2.8.1.msi, both free for non-commercial personal use.
     
  4. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I get similar results in both LAN and wireless (similar setup, only difference is that I allowed the access point in wireless), with "Allow FTP" checked and unchecked. I do not have an FTP server installed and, I think, even if I had I should still have to allow it in CHX-I before it could be accessed.
    I was thinking it could be an nmap bug or something because it only appears with the -sT (TCP connect) switch. But with the -sV (Service Detection) switch, which is supposed to tell me what type of FTP server it is (it should be able to tell me if it is open), it is shown as filtered. But then I'm still not sure, so I'm still checking what settings or apps I have that are opening port 21...

    @Alphalutra1: I sent you a PM with link to CHX-I 2.8.2 msi installer...
     
  5. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    UPDATE:
    I installed on another networked machine, no Internet, and I get the same result.

    With a standard scan and most options, nmap says all ports are filtered, open|filtered and closed|filtered. But with the -sT switch (nmap -sT ip.ip.ip.ip) port 21 still shows as open.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Even with that option, my port 21 showed as closed.

    Add a rule to block inbound SYN (you could just block that port, or leave as any), you can edit the rule later if you need to allow inbound for torrent.
     
  7. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Stem, what nmap version are you using? I've got 4.20. I made a rule to block inbound SYN, even with the highest priority level, any port or port 21 only. But "nmap -sT ip.ip.ip.ip" still shows port 21/tcp as open...

    anyone still have a copy of original wan_start.zip from irdci? can I get a copy please? thanks!
     
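    One way to cross-check a single port without nmap, as an added example that is not from this thread: it classifies the outcome of a plain connect() the same way nmap -sT does (handshake = open, RST = closed, no answer = filtered). The loopback demo is constructed; point tcp_connect_state at your own host to check what your filter is actually doing.

    ```python
    import errno
    import socket


    def tcp_connect_state(host, port, timeout=2.0):
        """Classify a TCP port the way a connect() scan (nmap -sT) reports it."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return "open"            # full handshake completed: something accepted it
            except socket.timeout:
                return "filtered"        # SYN silently dropped by a packet filter
            except ConnectionRefusedError:
                return "closed"          # host answered with RST: nothing listening
            except OSError as e:
                if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                    return "filtered"    # ICMP unreachable is also reported as filtered
                raise


    def demo_on_loopback():
        """Constructed demo: a bound listener is 'open', an unbound port is 'closed'."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.bind(("127.0.0.1", 0))          # let the OS pick a free port
            srv.listen(1)
            port = srv.getsockname()[1]
            open_state = tcp_connect_state("127.0.0.1", port)
        # listener is closed now, so the same port is no longer bound
        closed_state = tcp_connect_state("127.0.0.1", port)
        return open_state, closed_state


    if __name__ == "__main__":
        print(demo_on_loopback())
    ```

    A host behind a filter that drops inbound SYNs should give "filtered" for every port, never "open", regardless of whether anything is bound locally.
    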
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am using nmap 4.10

    A copy of wan_start on this post
     
  9. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Still the same, the -sT switch shows port 21/tcp as open... I'll try it with nmap 4.10...
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello glentium,

    I have found some filter sets that I downloaded (attached) that you may want to check out. There is one for "Linksys LAN" that you could alter (if needed) for your own LAN, or you can simply check them out. (These are not my own rulesets, as I have always made restrictive rules for outbound which have always worked well for me.)

    I cannot remember where I got these rule/filtersets from (maybe "Alphalutra1" or "VaMPiRiC_CRoW" will recognize?)
     

    Attached Files:

  11. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    UPDATE:
    Everything is okay now. All ports are filtered (stealthed). Why did it work? I don't know. I didn't touch the original rules from wan_start, but modified my rules for Broadcast and DNS, ended up with the same setup as before, and when I ran nmap again all ports were filtered. Why wan_start didn't work for me out of the box, I really don't know. But it's working now, so bring out the beers! :)

    edit: Stem, I will be interested in checking out the filter sets you mention... where can I get it?
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello glentium,

    It may be related to the problems I had with the lack of "stealth" on my setup (difficult to know for sure), maybe a problem with the import of rules/filters? But I certainly don't think it is a problem with CHX's ability.

    The filtersets are attached (as ZIP) to my last post. Have a look, any question, I will try to answer.
    I have gone through the help file a number of times, but this is limited. We can work through any needed rules, and learn more together.
     
  13. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Thank so much, Stem. Will try those filters...
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The filters I posted as an example for "Linksys LAN" are based on the LAN being 192.168.1.0/24 (192.168.1.0 - 192.168.1.255). So if you have your LAN as 10.0.0.0, then you would need to alter them as needed. You can just look and see what you think. It does give some insight into the rules for "LAN" (and for tighter rules).
     
  15. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Stem,

    I never saw those filters...
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi VaMPiRiC_CRoW,

    No problem, I just thought you may have seen them, or downloaded them at some point. The only ref I have is that I downloaded them on 04/11/2005.
    Looking at the filters they look (and work) OK.
    If you think they need adjustment, please say.

    I am just trying to get together possible filters/rulesets.

    Maybe late, maybe not... but let's get some filters/rulesets together.
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Stem,

    I installed CHX again to see these rules. Unfortunately it doesn't have filters for Belkin routers... :)
    It has some interesting filters to restrict even more traffic on the LAN, and maybe in conjunction, or not, with the WAN_start filters it will offer better protection on some routers...

    In all the filters, I can find the filter "** Deny TCP", and if I understand correctly, it allows all the TCP traffic between 1024 and 49999. This is not a good thing because our system will be opened without our permission...
    And some others allowing some servers...
     
    Last edited: Feb 20, 2007
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    VaMPiRiC_CRoW,

    I have to go back to work now, but I will post info on the rules (in the rulesets).
    I think you may have mixed up local and remote ports, but I will need to check
    (the IP (server) rules you mention (I need to check) are for restrictions on reserved IPs (out-of-bound LAN IPs))
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    VaMPiRiC_CRoW,

    I have been checking. Due to the mixture of Allow/Deny rules... basically, traffic is allowed to local ports 1024-4999 under SPI when there is an outbound to remote ports 80/443.
    From the manual
    I have made online scans to confirm, and all O.K.
     
  20. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Stem,

    you are right ;)
    I will uninstall it again...

    Regards
     
  21. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    @Stem, our IP is within 10.0.0.0. On those rules, I was thinking of changing all IP ranges into masked IP. But I am not sure if I understand IP mask clearly. For example, if I want every IP within 10.44.0.0, can I enter 10.44.0.0 / 255.255.0.0?
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi glentium,

    10.44.0.0 / 255.255.0.0 will include all IPs between 10.44.0.0 and 10.44.255.255
     
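    The mask arithmetic behind that answer, as an added example (not code from the thread or from CHX-I): it computes the first and last address covered by an address/netmask pair, rejects non-contiguous masks, and tests whether a given IP falls inside the range. The addresses used are the ones from this thread (10.44.0.0/255.255.0.0, 192.168.1.0/255.255.255.0, 127.0.0.0/255.0.0.0).

    ```python
    def dotted_to_int(addr):
        """Turn a dotted quad such as 255.255.0.0 into a 32-bit integer."""
        parts = [int(p) for p in addr.split(".")]
        if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
            raise ValueError(f"bad IPv4 address: {addr}")
        return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


    def int_to_dotted(n):
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


    def prefix_length(mask):
        """Validate that the mask is a run of 1s followed by 0s; return the /N length."""
        m = dotted_to_int(mask)
        n = bin(m).count("1")
        # 255.255.0.0 -> 0xFFFF0000 -> 16 leading ones; 255.0.255.0 is rejected
        if m != (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous netmask: {mask}")
        return n


    def mask_range(address, mask):
        """Return (first, last, prefix_len) for address/mask, e.g. 10.44.0.0/255.255.0.0."""
        n = prefix_length(mask)
        m = dotted_to_int(mask)
        first = dotted_to_int(address) & m           # host bits cleared
        last = first | (~m & 0xFFFFFFFF)             # host bits all set
        return int_to_dotted(first), int_to_dotted(last), n


    def in_range(ip, address, mask):
        """True when ip and address agree on every bit the mask keeps."""
        m = dotted_to_int(mask)
        return dotted_to_int(ip) & m == dotted_to_int(address) & m


    if __name__ == "__main__":
        print(mask_range("10.44.0.0", "255.255.0.0"))   # ('10.44.0.0', '10.44.255.255', 16)
        print(in_range("10.44.200.7", "10.44.0.0", "255.255.0.0"))   # True
        print(in_range("10.45.0.1", "10.44.0.0", "255.255.0.0"))     # False
    ```
    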
  23. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Thanks, I understand it now. That is what I entered then post here to make sure.

    Anyway, I tried the LinkSys filters but they didn't work out for me outright. First, I disabled all my filters then imported the LinkSys filters. I got no connection in my network and I had to allow incoming ARP, which I believe is necessary for networks. (o_O) Then it worked. But nmap shows ports 135, 139, 445 and 1433 (SQL) as open and the rest as closed. I understand that 139 and 445 are necessary for File Sharing, which is okay for internal networks. I have SQL Server 2000 installed, which is why 1433 shows as open, but I don't understand why 135 is supposed to be open with that filter set?
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The LAN rules posted (Linksys) are to allow all LAN comms. Port 135 would need a rule if you want to block it from LAN access.
     
  25. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Thanks for clearing that up, Stem.
    Regarding the Spoofed*/Deny and "Deny Trojans" filters (LinkSys) in there, does the "UDP&TCP_NO_SYN (Stateful ON)" (wan_start) cover them all?

    a few more questions:
    what port or port ranges does the host computer use to communicate to router broadcast and DNS servers?

    Broadcast

    Host ------> outgoing port to -------> Broadcast
    (ip:137,138) <-------------------------------- ip:137,138

    DNS

    Host ------> outgoing port to -------> DNS
    (ip:88) <-------------------------------- ip:88

    The reason I ask is because I am thinking of adding a Condition to my incoming broadcast and DNS filters. Does it make sense to add it, or is it necessary? Does SPI take care of it?
     
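    A toy model of what a stateful filter does with the reply traffic asked about above (and with the "local ports 1024-4999 under SPI" behaviour discussed earlier in the thread), added here as an example; it is not CHX-I's engine, just the general idea: outbound packets create a flow entry, inbound packets are allowed only when they match one, so an unsolicited inbound packet to the same local port is dropped. The addresses and ports are constructed.

    ```python
    from collections import namedtuple

    Packet = namedtuple("Packet", "proto direction src dst sport dport")


    class StatefulFilter:
        """Minimal SPI model: remember flows the host opened, admit only their replies."""

        def __init__(self):
            self.flows = set()

        def handle(self, pkt):
            if pkt.direction == "out":
                # Record the flow as the remote side will address it on the way back.
                self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return "allow"
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            # Inbound is allowed only as the reply to a flow the host started.
            return "allow" if key in self.flows else "drop"


    def demo():
        """Constructed traffic: host 10.44.0.5, router/DNS 10.44.0.1, web server 203.0.113.10."""
        f = StatefulFilter()
        return [
            # DNS query from ephemeral port 1025 to the router's port 53, and its reply
            f.handle(Packet("udp", "out", "10.44.0.5", "10.44.0.1", 1025, 53)),
            f.handle(Packet("udp", "in", "10.44.0.1", "10.44.0.5", 53, 1025)),
            # same local port, but from a host that was never queried: no state, dropped
            f.handle(Packet("udp", "in", "10.44.0.9", "10.44.0.5", 53, 1025)),
            # HTTPS connection out from local 1030 to remote 443; SYN/ACK back is allowed
            f.handle(Packet("tcp", "out", "10.44.0.5", "203.0.113.10", 1030, 443)),
            f.handle(Packet("tcp", "in", "203.0.113.10", "10.44.0.5", 443, 1030)),
            # unsolicited inbound SYN to local 1433 (SQL Server): no flow, dropped
            f.handle(Packet("tcp", "in", "203.0.113.10", "10.44.0.5", 4000, 1433)),
        ]


    if __name__ == "__main__":
        print(demo())   # ['allow', 'allow', 'drop', 'allow', 'allow', 'drop']
    ```

    So a reply-matching condition on the inbound DNS and broadcast rules duplicates what the stateful engine already checks; the extra static rule only matters for traffic the host did not initiate.
    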