converting LnS rules to CHX-I

Discussion in 'other firewalls' started by WSFuser, Oct 19, 2006.

Thread Status:
Not open for further replies.
  1. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I'm considering using a packet filter (CHX-I just came to my mind first), but I would like to convert my current LnS ruleset.

    Here's an example rule:

    http://img151.imageshack.us/img151/5324/sshot1pk7.jpg

    Could someone post an example rule from CHX-I and tell me what info goes where?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Here is a blank global rule showing some options.
     

    Attached file: rule.gif (78.3 KB)
  3. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    WSfuser,

    On your LnS rule, where you have the source port, you should define the destination port instead...
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    @Stem,

    OK, it looks simple enough. I think I could change all my rules.

    Also, since CHX is a packet filter, any ports I open will always be open unless I disable the rule, correct?

    @VaMPiRiC_CRoW,

    If you notice, I posted a server rule. I already have a client rule where I have put the destination port.
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Your rule, for the server side, isn't this:

    Protocol: TCP
    Direction: Any
    Source IP: Any
    Source Port: 6340
    Destination IP: Any
    Destination Port: Any

    ?
     
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I just got the ruleset from this thread. I posted the rule just to show what a rule in LnS looks like.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No... the port will show open only if an application is listening on that port you open; otherwise the port will show as closed.
     
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I don't agree with that.

    The rule for a server should be specified to allow the packet destination port.
    You should do it this way on firewalls that also have an Application Monitor, like Comodo PF, but with CHX you will need to set it up in a different way to have the port stealth when the server program is not running.

    You should do something like this:
    http://img176.imageshack.us/img176/3783/p2prulenormallyau5.png

    But this way you will have the port closed instead of stealth when you are not using the server program...

    If you want to have the port Stealth, take a look at this: Stealth port when not used...

    You have to make a similar rule, like the IDENT rule, that uses a conditional, from the sample for CHX.
     
  9. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    It was time consuming, but I managed to recreate all the rules from my LnS ruleset.

    I have a few questions:

    * In LnS, some of the rules have the source IP as my own. How do I do this for CHX?

    * Is it OK if all the rules are just normal priority?

    * Does rule order matter? Can I keep my rules in a certain order?

    * Do I need a "block all" rule like I would for LnS?
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    You might actually have gone through WAY too much work. With Look'n'Stop, the SPI isn't enabled and truly isn't its strong point, so it is usually used as a straight-up packet filter with rules for everything. With CHX-I, you only need to turn on all of the SPI and have 2 rules, then you are good to go. Then you need to create rules only for things like games and P2P. Everything else will work by default. The simplicity is similar to that of a hardware firewall. If you need help setting it up, this thread takes you through it pretty well.

    Answering your questions: just enter your source IP for the IP address in the destination field. As for priority, if you aren't doing anything complicated, then normal priority is fine until you find some rules overriding other rules. Then move the rule that is being overridden up to a higher level. Rule order does not matter; the priority is what matters. Block all isn't needed since it will be covered by the SPI if you enable it as configured in the post I gave earlier (I recommend importing the basic rule set in that post, reading over the rules, then deleting the rules that you have converted from Look'n'Stop that aren't necessary. If you need help, just post back).

    Cheers,

    Alphalutra1
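    The two points raised above (rdsu's: a server rule must key on the destination port, not the source port; Alphalutra1's: CHX-I decides by rule priority, not list order, with the SPI covering "block all") can be illustrated with a small rule-evaluation model. This is an added example, not code from CHX-I or Look'n'Stop; the wildcard, priority and default-block semantics, the server port 6340 and the IP addresses are assumptions constructed for the illustration.

```python
"""Toy model of packet-filter rule evaluation (added example, not code from
CHX-I or Look'n'Stop).  Assumed semantics: "any" is a wildcard, the highest-
priority matching rule wins regardless of list order, unmatched = blocked."""
from dataclasses import dataclass
from typing import Union
ANY = "any"   # wildcard value for any rule field

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    direction: str            # "in", "out" or "any"
    src_ip: str
    src_port: Union[int, str]
    dst_ip: str
    dst_port: Union[int, str]
    action: str               # "allow" or "block"
    priority: int = 0         # 0 = normal; higher is evaluated first

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    pairs = ((rule.proto, pkt.proto), (rule.direction, pkt.direction),
             (rule.src_ip, pkt.src_ip), (rule.src_port, pkt.src_port),
             (rule.dst_ip, pkt.dst_ip), (rule.dst_port, pkt.dst_port))
    return all(r == ANY or r == p for r, p in pairs)

def decide(rules: list, pkt: Packet) -> str:
    """Highest-priority matching rule decides; list order is ignored."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if matches(rule, pkt):
            return rule.action
    return "block"   # nothing matched: SPI / "block all" default
# The rule shape from post 5 (keyed on SOURCE port) beside the corrected one
# (keyed on DESTINATION port) for a hypothetical server listening on TCP/6340.
SRC_PORT_RULE = Rule("server-src", "tcp", "any", ANY, 6340, ANY, ANY, "allow")
DST_PORT_RULE = Rule("server-dst", "tcp", "in", ANY, ANY, ANY, 6340, "allow", 1)
BLOCK_ALL = Rule("block-all", ANY, ANY, ANY, ANY, ANY, ANY, "block", 0)
# Constructed packets: a real client reaching the server, and an unrelated
# inbound packet to port 445 whose sender happened to use source port 6340.
TO_SERVER = Packet("tcp", "in", "203.0.113.7", 51000, "192.168.1.10", 6340)
TO_445 = Packet("tcp", "in", "203.0.113.7", 6340, "192.168.1.10", 445)
```

    Under this model the source-port rule never admits a genuine client (whose source port is ephemeral) yet admits the stray packet to port 445, while the destination-port rule does the opposite; and the result is the same whichever order the rules are listed in.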
     
  11. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    wow... I really did do way too much :ouch: :ouch: :ouch:

    Thanks for the help Alphalutra1 :cool: CHX-I is working great :thumb:
     
  12. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    LOL, I am glad you like it though. You probably learned a lot from that experience, so it wasn't a complete waste of time. Enjoy the speed and protection of CHX-I.

    Cheers,

    Alphalutra1
     