CHX-I v.3 rules...Stem.

Discussion in 'other firewalls' started by incursari, Apr 10, 2007.

Thread Status:
Not open for further replies.
  1. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    Hello Stem, or other packet-filter experts here. I have been playing around with and using CHX-I v.3 for three months. I created some rules and am using some from the CHX threads here. I only enable my LAN file-sharing rules when needed.
    As I know Stem and some of the packet-filter experts here are knowledgeable and help a lot of users here with firewall configuration, maybe you can help me check whether my rules overlap or need extra tightening.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello incursari,
    You would need to post a copy/printout of your ruleset.
     
  3. incursari
    Hello Stem, alright, nice to see you here. How could I send you the .zip rulesets?
     
  4. Stem
    You could upload to Rapidshare, then either post the link on thread if you would like feedback from the forum, or you could PM the link to me.
     
  5. incursari
    Done. Check your PM.
     
  6. Stem
    Hello incursari,

    The rules look OK, you have bound the DNS servers and made restrictions on the local ports in use.
    The only way to tighten would be to restrict the remote ports in use, such as for HTTP/S etc. But this would depend on the software you use.
     
  7. incursari
    Thanks for the help.
    Do I need conditional rules for this? If yes, how do I do it effectively?
    And one more thing: could you provide me with sample FTP rules (active/passive), as I am a little bit confused about this? Do FTP rules need conditionals?
     
  8. Stem
    It does depend on how tight you want to be with the rules, and on what software connects out to which ports, etc.

    You can add rules for collecting/sending mail, and bind these to your mail servers (the remote ports used would depend on how the mail is sent/collected, POP3/IMAP etc.).
    For basic HTTP/S (remote ports 80/443), these would need to be open on the IPs used, unless you are very restrictive in your surfing. Do remember, you can add blacklists (bad IP ranges) into CHX via the IP lists.
    For FTP, you should try and keep to passive (no inbound connections). There is an option in the NIC properties (where you set SPI) for passive/active FTP, so this means, for example, that if you enable "allow passive FTP", you only need to allow outbound to remote port 21 (all other ports needed would be allowed with that option enabled, but those ports are only allowed while the connection to remote port 21 is open).

    The above rules would replace the open "udp_tcp no syn" rule you currently have in place, and you may need more rules than the above examples.

    So it is really down to yourself how tight a ruleset you want.
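
Stem's passive-FTP point above (allow outbound to remote port 21 only; the data ports get opened on demand and only for as long as that control connection is up) is modelled below as an added example. This is not CHX-I's code, and the thread does not say how CHX-I itself learns which data port to open; the model assumes what stateful FTP helpers in other filters do, namely reading the server's 227 (PASV) or 229 (EPSV) reply on the control channel. The class and function names, the server address 192.0.2.10 and the session in `demo()` are all constructed for the example.

```python
import re
from collections import defaultdict

FTP_CONTROL_PORT = 21

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> data port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "229 Entering Extended Passive Mode (|||port|)" (EPSV: same host as control)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line, control_ip):
    """Return (ip, port) announced by a PASV/EPSV reply, or None if it is not one."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        return (control_ip, int(m.group(1)))
    return None


class PassiveFtpTracker:
    """Assumed model of a 'passive FTP' option: a static rule opens remote port 21,
    and data ports are opened one at a time, only after the server announced them
    and only while the control connection to that server is still open."""

    def __init__(self):
        self.control_open = set()            # remote IPs with an open control channel
        self.announced = defaultdict(set)    # remote IP -> announced, not yet used, data ports

    def outbound_allowed(self, remote_ip, remote_port):
        if remote_port == FTP_CONTROL_PORT:
            self.control_open.add(remote_ip)  # the static rule permits this; note it
            return True
        # Anything else is allowed only as a data connection the server asked for.
        if remote_ip in self.control_open and remote_port in self.announced[remote_ip]:
            self.announced[remote_ip].discard(remote_port)  # one connection per PASV reply
            return True
        return False

    def inbound_allowed(self, remote_ip, remote_port):
        # Passive mode never needs the server to connect back (active mode, port 20),
        # so this helper never opens an inbound connection.
        return False

    def server_reply(self, remote_ip, line):
        """Feed one line the server sent on the control channel."""
        if remote_ip not in self.control_open:
            return
        endpoint = parse_passive_reply(line, remote_ip)
        # Only accept a data endpoint on the same host as the control channel;
        # a reply pointing elsewhere would make the client connect to a third party.
        if endpoint and endpoint[0] == remote_ip:
            self.announced[remote_ip].add(endpoint[1])

    def control_closed(self, remote_ip):
        """Closing the control channel drops every data port tied to it."""
        self.control_open.discard(remote_ip)
        self.announced.pop(remote_ip, None)


def demo():
    """Constructed session against a made-up server 192.0.2.10; returns the decisions."""
    t = PassiveFtpTracker()
    decisions = []
    decisions.append(t.outbound_allowed("192.0.2.10", 21))       # control: allowed
    decisions.append(t.outbound_allowed("192.0.2.10", 50000))    # not announced yet: denied
    t.server_reply("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)")
    decisions.append(t.outbound_allowed("192.0.2.10", 50000))    # announced: allowed
    decisions.append(t.outbound_allowed("192.0.2.10", 50000))    # second use: denied
    decisions.append(t.inbound_allowed("192.0.2.10", 20))        # active-mode callback: denied
    t.control_closed("192.0.2.10")
    t.server_reply("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,81)")
    decisions.append(t.outbound_allowed("192.0.2.10", 50001))    # control closed: denied
    return decisions


if __name__ == "__main__":
    print(demo())
```

Two details carry the security value: the helper opens exactly the one port the server announced and forgets it once used, and it ignores an announced address that differs from the control peer, so a server cannot steer the client to connect somewhere else. Active mode would need the server to connect back to you from port 20, which is why the advice is to stay passive.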
     
  9. incursari
    OK, thanks for the info. I will play around with the outbound rules and do some testing. If I need help with anything I will come back to this thread again. :cool:
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Also, another way to share the ruleset is to take a screenshot with all your rules on display, and a screenshot of the settings for your LAN card, and a screenshot of your logs if you are experiencing problems, then everyone can help :D

    Cheers,

    Alphalutra1
     
  11. incursari
    Alright, I will post here after playing around with the outbound rules.
     
  12. Stem
    Hello incursari,
    Yes, it would be helpful, not only to yourself, as others can also comment and give advice (there are members who know CHX as well as, if not better than, myself), but also for other members/users to see a user's ruleset for CHX, and to see the comments and suggestions made.
    Of course, if you are concerned about certain info, such as MAC addresses, server/personal IPs etc., then remove these from the screen-capture image.
     
  13. incursari
    OK, here I come again. Stem, Alphalutra1 and others, please comment on my inbound/outbound rules if I have missed anything. I can't post screenshots of all the rules because there are quite a number of them, so I have posted a link to the rule sets.

    CHX rule sets

    CHX.JPG
     
    Last edited by a moderator: Apr 11, 2007
  14. Stem
    Hello incursari,

    I have taken a quick look at your new ruleset. I see you are now filtering in both directions.

    I will just make a quick comment for now (to allow me time to check over your rules fully, and to give time for other feedback).
    You have in place a number of outbound filter rules to restrict the local/remote ports used, but then you have an outbound rule to allow "udp_tcp out `not syn`" for any IP/port. This, although it will not allow outbound connections (SYN packets), will allow all outbound UDP.

    You do have a number of rules to block "spoofed" IPs. I would suggest that you create an IP list for these (I can post info on how to do this later, if required), so then you would only require one rule (just for a clean-up/easier to manage, more than anything).
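
The two points in the post above (a "not syn" rule that lets every UDP datagram out, and folding the separate spoofed-address deny rules into one IP list) can be checked with a small rule evaluator. The code below is an added example, not CHX-I's own logic: it assumes that a matching deny rule wins, and the "Allow (deny all except)" behaviour Stem describes later in the thread (once any allow rule exists for a direction, traffic in that direction that matches no allow rule is dropped). Rule names, the DNS server 203.0.113.53, the spoofed-range list and the packets are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed "spoofed" source list standing in for the many separate deny rules.
# Trim it to your own LAN (e.g. leave out the RFC1918 range your own network uses).
SPOOFED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    direction: str                        # "in" or "out"
    proto: str                            # "tcp", "udp" or "icmp"
    remote_ip: str                        # the non-local end (dst for out, src for in)
    remote_port: int = 0
    tcp_flags: frozenset = frozenset()    # e.g. {"SYN"}; always empty for UDP/ICMP


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    direction: str
    protos: tuple
    remote_nets: list = field(default_factory=list)   # empty = any IP
    remote_ports: frozenset = frozenset()             # empty = any port
    not_syn: bool = False                 # the "not syn" flag condition

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction or p.proto not in self.protos:
            return False
        ip = ipaddress.ip_address(p.remote_ip)
        if self.remote_nets and not any(ip in net for net in self.remote_nets):
            return False
        if self.remote_ports and p.remote_port not in self.remote_ports:
            return False
        # "not syn" is a TCP-flag test. UDP has no flags, so the test can never
        # fail for a UDP datagram: every outbound UDP packet matches such a rule.
        if self.not_syn and "SYN" in p.tcp_flags:
            return False
        return True


def evaluate(rules, p: Packet):
    """Assumed model of 'Allow (deny all except)': a matching deny rule wins;
    otherwise, if any allow rule exists for the packet's direction, the packet
    must match one of them or it is dropped; with no allow rules at all that
    direction is unfiltered. Returns (verdict, rule name)."""
    for r in rules:
        if r.action == "deny" and r.matches(p):
            return ("deny", r.name)
    allows = [r for r in rules if r.action == "allow" and r.direction == p.direction]
    for r in allows:
        if r.matches(p):
            return ("allow", r.name)
    return ("deny", "implicit") if allows else ("allow", "unfiltered")


def constructed_ruleset(keep_not_syn_rule=True):
    """A small ruleset in the spirit of the thread (all addresses are made up)."""
    rules = [
        Rule("spoofed_in", "deny", "in", ("tcp", "udp", "icmp"), remote_nets=SPOOFED_SOURCES),
        Rule("dns_out", "allow", "out", ("udp", "tcp"),
             remote_nets=[ipaddress.ip_network("203.0.113.53/32")],
             remote_ports=frozenset({53})),
        Rule("http_out", "allow", "out", ("tcp",), remote_ports=frozenset({80, 443})),
        Rule("ftp_control_out", "allow", "out", ("tcp",), remote_ports=frozenset({21})),
    ]
    if keep_not_syn_rule:
        rules.append(Rule("udp_tcp_out_not_syn", "allow", "out", ("tcp", "udp"), not_syn=True))
    return rules


if __name__ == "__main__":
    leak = Packet("out", "udp", "198.51.100.7", 31337)
    for keep in (True, False):
        label = "with" if keep else "without"
        print(label, "the not-syn rule:", evaluate(constructed_ruleset(keep), leak))
```

`constructed_ruleset(False)` is the same set without the broad rule: unlisted UDP is then dropped, but so is any TCP traffic you have not written a rule for, which is why the thread keeps saying that tightening depends on what your software connects to.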
     
  15. Alphalutra1
    Sorry, I can't do any commenting, but I don't have CHX-I installed (or Windows, for that matter) on this PC, so I am unable to view the rules in the .sfd format. If you could take a screenshot of your rules, then I could contribute to helping with your ruleset.

    Cheers,

    Alphalutra1
     
  16. Stem
    Hi Alphalutra1,

    I was just thinking about what you posted... I will post a pic of the ruleset (as these are now for open viewing), just give me a few minutes.

    I sorted the rules into allow/deny.

    chx_user_rules.GIF
     
    Last edited: Apr 11, 2007
  17. Alphalutra1
    I had a cursory glance (I am writing a paper :gack: ), but I noticed that you misnamed two of your ICMP OUT rules, switching the 0 with the 8 and vice versa.

    As Stem said, grouping the IPs together in a list would definitely simplify it a lot. For example, you can combine the DNS servers together in one list, the spoofed addresses in one list, etc.

    Also, for some of the ICMPs that you created rules to allow in, many of the rules are already covered by the pseudo-SPI for ICMP in your LAN card settings, so you can disable those rules and see what gets blocked in your logs to see if any aren't covered by the pseudo-SPI (I think all of them are covered, but if you ever want to allow type 8 (normal echo), then you might have to force-allow it, I am not sure).

    In addition, I don't think that extra allow-all rule is really necessary, because I think that all of your other outbound rules will cover everything.

    I had an outbound setup going for a little while with CHX-I; you can see it in this post, but I do not know if it covers all the bases, since I got rid of all the outbound rules after I found myself turning all of them off for gaming, as it was too difficult to create rules for every single thing that the game tried to use (tens to hundreds of random ports).

    Cheers,

    Alphalutra1
     
  18. incursari
    So is this rule "udp_tcp out `not syn`" not necessary? Or can I just remove it?

    Oh yeah, I noticed that, and have already edited it.

    OK, I will group them later on.


    I don't quite understand this. You mean I just need to use one outbound rule "Allow (deny all except)" for ICMP?

    This "udp_tcp out `not syn`"? So what is your suggestion?
     
  19. Alphalutra1
    Not really; more like you can get rid of all the incoming allow filters for your ICMPs, since they should all be covered by the pseudo-SPI for ICMP. The way it works is that once your PC sends a certain ICMP to a server, for a set period of time it will allow the ICMPs that respond back to come in, but after that they will be blocked.

    Get rid of it. Everything should still work how you have set it up.

    Cheers,

    Alphalutra1
     
  20. Stem
    Just to confirm:

    For example, with ICMP, a default rule can be put in place; this could be "allow all ICMP inbound (or outbound)". You do not need both directions filtered. For the rule to work correctly, you need to ensure that ICMP stateful inspection is enabled.

    You can make a simple check on this yourself.

    Remove all the allow inbound ICMP rules you have in place, ensure you have a rule that will allow outbound pings, then ping your router. The replies will be allowed in for the outbound pings.
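
What the "stateful ICMP" option does, written out as an added example rather than CHX-I's own implementation: an outbound echo request records (target, ICMP id) for a few seconds, and only an echo reply from that target, or an ICMP error message quoting that target, is let in before the entry times out. The class, the window length and the addresses in `demo()` are constructed for illustration.

```python
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


class IcmpStateTable:
    """Assumed model of the ICMP stateful option: an outbound echo request opens a
    short-lived entry; only ICMP that answers it (the echo reply from that host, or
    an error message quoting it) is let back in before the entry expires."""

    def __init__(self, window_seconds=5.0):
        self.window = window_seconds
        self.pending = {}     # (remote_ip, icmp_id) -> expiry time

    def _expire(self, now):
        for key in [k for k, t in self.pending.items() if t <= now]:
            del self.pending[key]

    def outbound(self, remote_ip, icmp_type, icmp_id, now):
        """Outbound ICMP is allowed by the static rule; remember the probe we sent."""
        if icmp_type == ECHO_REQUEST:
            self.pending[(remote_ip, icmp_id)] = now + self.window
        return True

    def inbound(self, src_ip, icmp_type, icmp_id, now, quoted_dst=None):
        """Decide on an inbound ICMP. quoted_dst is the original destination carried
        inside an ICMP error (errors come from any hop, not from the target)."""
        self._expire(now)
        if icmp_type == ECHO_REPLY:
            return (src_ip, icmp_id) in self.pending
        if icmp_type in (DEST_UNREACH, TIME_EXCEEDED):
            return (quoted_dst, icmp_id) in self.pending
        return False          # unsolicited echo requests etc. never open anything


def demo():
    """Constructed ping of a router at 192.168.1.1 (made-up address); returns decisions."""
    t = IcmpStateTable(window_seconds=5.0)
    out = []
    out.append(t.inbound("192.168.1.1", ECHO_REPLY, 7, now=0.0))     # unsolicited reply: denied
    t.outbound("192.168.1.1", ECHO_REQUEST, 7, now=1.0)              # our ping goes out
    out.append(t.inbound("192.168.1.1", ECHO_REPLY, 7, now=1.2))     # reply to our ping: allowed
    out.append(t.inbound("192.168.1.1", ECHO_REQUEST, 7, now=1.3))   # someone pinging us: denied
    out.append(t.inbound("10.0.0.1", TIME_EXCEEDED, 7, now=1.4,
                         quoted_dst="192.168.1.1"))                  # traceroute-style error: allowed
    out.append(t.inbound("192.168.1.1", ECHO_REPLY, 7, now=6.5))     # after the window: denied
    return out


if __name__ == "__main__":
    print(demo())
```

`demo()` is the test Stem describes: with no inbound allow rules at all, the reply to your own ping passes, while an unsolicited inbound echo request, or a reply arriving after the window, does not.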
     
  21. incursari
    OK, I removed all filters for inbound ICMP. I can't ping my router. After I created just one filter for ICMP, "In: **ICMP (Stateful ON)", then I could ping my router or the internet. Is this the right direction? I will post the logs later on if anything gets blocked.

    So this is my new rule set.

    Attached Files:

    • CHX.GIF
  22. Stem
    This will be due to the other "allow inbound" rules. Do realise that when you place a rule to allow, all else is blocked (as the rule states, "Allow (deny all except)"), and this can/does cause problems.

    It is now time for us to go through all the rules, remove those not needed, and set any other rules that may be required for your setup.

    First, we need to decide on the direction of filtering. It is easier, with fewer problems, to filter in one direction. Myself, I filter on outbound, with just some inbound blocking rules. (With the default rules (such as wan_start), these filter inbound, with allow-all out.)

    I will also need some more info on your current setup. From your rules I see you are behind a router.
    As you have a deny "Landattack" rule in place, are you on a fixed IP? (a need, or not, for a DHCP rule)

    Rules for NetBIOS, which you mentioned you disable/enable when needed, can be changed and bound to your LAN (and/or specific hardware).

    So basically, for now, I just need to know:
    1. Which direction you want to filter
    2. Are you on a fixed IP

    We can then work through the changes step by step.
     
  23. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    In Alphalutra's link I found the first rule, about loopback. I have not found any difference when I add or delete it. Is it necessary?
    This is my current rule:

  24. Stem
    @woobook,

    I have found that CHX does not intercept loopback (on my setups/hardware). Rules to intercept this (127.0.0.0/255.0.0.0) do not, in fact, work. This is for V2.8 or V3.0.
     
  25. incursari
    Stem, yes, I am behind the router.
    1. I want to filter both directions.
    2. Yes, all my computers are on a fixed IP.
     