Discussion in 'other firewalls' started by rdsu, Oct 14, 2005.
What is the firewall you know of that introduces the least delay on connections?
Just one word, CHX, nothing comes close; you will need to add some sort of outbound protection, but CHX can also block outbound ports as well.
Does CHX lack outbound capabilities? Please expand on this.
I would have to agree with Arup and say CHX also. I have tried them all, and while some do seem to slow things down, CHX gives you the feeling that there's nothing there at all. This is on cable also. It is ultra lite, and IMO the best packet filter around.
I suggest you try it and see for yourself.
CHX is not app based, however, it lets you create Trojan blocking outbound filters and you can also block bad IPs with it by incorporating Snort and Block List.
CHX-I is a packet filter. Not an application filter... sigh, go read the information on the website.
You can direct yourself to http://www.fluxgfx.com/ssc/forumdisplay.php?f=5; there's a lot of information on it.
Let us make this simple. If you pay attention to Arup, GOD is the only thing that comes close to CHX. CHX is NOT a firewall! Period. It can help if you add much to it to make up a firewall but, AGAIN, CHX is NOT a firewall. So take the info here with a grain of salt. If you are looking for an actual FAST firewall, you may want to throw out a few names and see which is considered the fastest of ACTUAL firewalls by some of the "experts" here. Just wanted to clear things up a bit as there have been replies but NO honest answer.
May I suggest that one you may want to mention would be LnS. Besides that, it can also depend on your individual setup. Tiny is very fast for me but not for some others, as all systems are different. Outpost has NEVER slowed me down but many others have complained that it does. Just look at ACTUAL firewalls and go from there.
And good luck .
Look'n'Stop is very fast, also uses very little memory.
Wow! CHX not a firewall, that's news for me, IDRCI and Stefan.
And by the way, Arup is a Hindu pagan idol worshipper, so it is GODS that can come close to CHX.
The traditional "firewall" that we all know and use isn't the only way to go. In fact, it might not even be the best way. You can also run something like CHX for your inbound firewall and then use AntiHook to cover outbound. AH will alert you to *anything* odd executing or going on *before* it even gets to the point of dialing outbound, so in effect, the CHX/AH combo could be considered an even better solution than your traditional firewall.
And then there are also those who consider outbound control a waste of time anyway, as most traditional "firewalls" can be easily defeated, or so some say.
Just another point of view...
This also makes me wonder about the loose description of firewalls today; in that sense, Kerio 2x can't be considered a firewall as well. Maybe the term for ZAP, Outpost etc. should be security suites rather than firewall.
I would like to comment about CHX-I! I agree with some of you above that CHX-I is a packet filter, not an application filter. For the typical 'home' user, an application based filtering firewall is more suited (LNS, ZAP, etc.). But CHX-I is a powerful SPI packet filter that has a very good reputation as being such! It could be argued that just because CHX-I doesn't have an app filter, it isn't a true firewall! I for one use 'Smoothwall'; it uses iptables, which is also a true stateful firewall, based on Linux. It is my foremost protection from the 'red' side of things. On my WinXP boxes, I use ZAP with app control ONLY (no need for the inet filter). Does this mean that my system(s) are not implementing a proper firewall configuration? I would have to say no! It all depends on preference. If I had only a client/client configuration, I would use CHX and ZAP together! Only because I want to control bandwidth; that is the only reason for using an app filter in tandem with CHX-I. Not concerned with leak tests, or what not. I figure if something gets by Clam AV, Avast and F-Prot (server side) then my system is fair game! CHX-I is very good and I recommend it to power users or anyone implementing a home network...
An external firewall (be it Linux server or NAT router) should have the lowest impact of all. However for most situations, speed should take second place to security and the ability to control network access on a per-application basis should be a key requirement for the majority.
If speed of browsing and throughput for download isn't a priority, why bother getting cable, ADSL, satellite etc. and yearn for more mbps when there is always the good old slow and steady dial up. Security is important, but not at the cost of speed, system response and data flow. There are many other ways to secure and harden a system with negative speed impact.
I have been doing a lot of research as to which is the fastest firewall. Well, between CHX and Look'n Stop, Look'n Stop wins hands down. It is the fastest firewall available and can filter at amazing speeds. (BTW, I am not a Look'n Stop salesman!!!)
For browsing web pages, there is little point of having a high-speed (>512Kbps) link since:
most web pages are small (<200KB) so TCP would not have the chance to reach full line speed before the download was complete (TCP starts connections slowly and speeds up as long as responses are received);
most web servers have limits to how quickly they can serve pages up;
a good part of the loading time is due to having to establish multiple connections to download page elements (aggressive ad-filtering and HTTP-pipelining can reduce this).
Of course, an "always-on" link has many other advantages over dialup like cost (no need to pay for call charges in places where local calls are not free) and convenience (no waiting for a modem to connect, can still use the phone). However unless you are using high-bandwidth applications like video-streaming or file-sharing there is little benefit in upgrading to a faster link.
Finally, if you value speed over security, then the first thing to do is ditch your anti-virus software. It will, in most cases, have a far greater impact on general system performance than any firewall.
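The slow-start argument in the post above, carried through as a small model (an added example, not from the thread or any of its posters): it assumes a 1460-byte MSS, a 2-segment initial window, a 100 ms round trip and no loss, and shows a 200 KB page finishing in the same 0.8 s on an 8 Mbps link as on a 100 Mbps one.

```python
"""Added example (not from the thread): a simplified TCP slow-start model
showing why a faster link helps little for a small (<200 KB) web page.

Assumptions (mine, not the poster's): no packet loss, 1460-byte segments,
an initial window of 2 segments that doubles every round trip, one RTT
for the TCP handshake, and each round lasting either one RTT or the time
to serialise that round's data onto the link, whichever is longer.
"""

MSS = 1460       # payload bytes per TCP segment (assumed)
INIT_CWND = 2    # initial congestion window in segments (assumed)


def transfer_time(size_bytes, link_bps, rtt_s, mss=MSS, init_cwnd=INIT_CWND):
    """Seconds to fetch size_bytes over a fresh TCP connection.

    Returns (total_seconds, data_rounds); the handshake RTT is included
    in the time but not counted as a data round.
    """
    total = rtt_s                        # SYN / SYN-ACK costs one RTT
    cwnd, remaining, rounds = init_cwnd, size_bytes, 0
    while remaining > 0:
        burst = min(remaining, cwnd * mss)   # bytes the window allows this round
        serialise = burst * 8 / link_bps     # time to push the burst onto the wire
        total += max(rtt_s, serialise)       # latency-bound or link-bound round
        remaining -= burst
        cwnd *= 2                            # slow start: window doubles per RTT
        rounds += 1
    return total, rounds


def effective_mbps(size_bytes, link_bps, rtt_s):
    """Throughput actually achieved for the whole fetch, in Mbit/s."""
    seconds, _ = transfer_time(size_bytes, link_bps, rtt_s)
    return size_bytes * 8 / seconds / 1e6


if __name__ == "__main__":
    page, rtt = 200_000, 0.1             # 200 KB page, 100 ms RTT (assumed)
    for name, bps in (("56k dial-up", 56_000), ("512 kbps", 512_000),
                      ("8 Mbps", 8_000_000), ("100 Mbps", 100_000_000)):
        seconds, rounds = transfer_time(page, bps, rtt)
        used = effective_mbps(page, bps, rtt)
        print(f"{name:>11}: {seconds:6.2f} s, {rounds:2d} data RTTs, "
              f"{used:5.2f} Mbit/s effective ({100 * used * 1e6 / bps:5.1f}% of link)")
```

With these assumptions the 512 kbps link is still link-bound (about 3.3 s), while both faster links are bound by the seven round trips and use only a fraction of their capacity.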
In some cases, there are web pages with multiple images and the size goes well over 4 MB; with my Opera set to 128 connections, it flies through them on my system. About AV, it slows down, but then that's a price I am willing to pay as compared to the combined effects of firewall+AV slowdowns.
Can you tell me how to incorporate CHX with Snort, and where to find other IP lists?
Can you tell me where you researched this 'finding'? Is this by personal research or having more than one client and doing p2p and transfer tests?
Such pages are very much the exception in my experience - and when I have encountered them, the limitation has been the server bandwidth.
Combined Firewall+AV overheads should only be a problem if you have not taken the time to configure your AV to exclude scanning of firewall log files. This can make a big difference.
By combined firewall+AV, I meant the system response, nothing to do with browsing. My current AV doesn't slow down my browsing in any way.
Thanks for all your suggestions.
CHX-I can be great for inbound protection, but you cannot install and forget it... When I have some available time, I will try it all the same...
Look 'n' Stop is an excellent firewall that uses very low resources, but it isn't free...
You are correct. CHX-I is not a firewall.
It is a packet filter (hence its name), pretty much along the lines of Netfilter/iptables.
Much obliged for your efforts to clear things up.