I Have Installed CHX-I Now I Need Rules

Discussion in 'other firewalls' started by simmikie, Apr 28, 2007.

Thread Status:
Not open for further replies.
  1. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    after conferring with Stem, i decided to take the plunge and attempt to manage a rules based FW. i have been wanting to do so for awhile and chose CHX-I based on Stem's recommendation and other research i had done.

    i installed it last night, found and installed the wan_start ruleset, checked it against Shields-Up!....inbound is stealthed. i have also already set SPI for TCP, UDP and pseudo ICMP. i have completely read three threads in this forum relating to CHX-I set-up, the main difference i saw between my set-up and those i was reading about is i am not on a LAN. i have cable modem, single computer.

    my security set-up at this moment is Prevx1 with Network Protection (outbound only) enabled. when i used another firewall i had this outbound protection disabled. Prosecurity 1.30 is my HIPS of choice and it provides application filtering and network access. however Prosecurity does assign Trusted status to any Microsoft signed diddy, which includes network access. i raised a thread inquiring if that is in fact a secure approach, the consensus i got was it is, but i am unconvinced and am in the process of going through those files(?) and removing them from trusted. i run Opera 9.2 90+% of the time and always sandboxed, and on occasion IE7, also sandboxed.

    i use the internet primarily for surfing and finding files to download, infrequent walks on the darkside, i have recently discovered torrents which Opera handles internally. i have Emule & Livewire P2P apps.

    what i would like to accomplish with CHX-I ver 3 is to create rules that tightly control what is allowed to connect outbound while maintaining functionality, and further expand the wan_start ruleset for better security. i read where Stem feels that while adequate these rules are somewhat loose. i admittedly don't know enough to know what is loose about them, while not looking to become a guru, i am more than willing to learn what i need to know to get the job done.

    Thanks


    Mike
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Based on your request for a packet filter, using PS as application network access control.

    The base Wan_start ruleset will protect from any inbound attempt. Did you set, within the SPI, the "Block unsolicited ARP"?

    This I believe depends on installation, as there is an option to auto-create rules

    Due to the programs you use (P2P clients) tightening rules could lead to problems for those applications, as they do like to use many remote ports.
     
  3. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    yes i did, as well as set it to logging.

    yes there is, which i used and created many trusted entries. and i am sure most of those are safe. for the purposes of this thread, i wanted to make you aware that a lot of processes have network accesses, by virtue of the trusted status provided them by Prosecurity.

    that is an interesting point, considering one of the threads i read last night was almost entirely devoted to helping a member get his utorrent to work in CHX. though outbound security is more of a priority for me than P2P needs.


    Mike
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was actually unaware of rules made by PS,.. basically due to as I always prefer to make all rules myself. I will need to take time to look at this, and will certainly make reply onto the PS forum thread I have just seen (due to your post, and your thread there).

    Please direct to thread so I can review.
    With most P2P software, for this to give the user better download speeds (etc) a need to allow inbound connections, or inbound UDP is required. This can be easily done within CHX by creating a "force allow" rule. The inbound is still filtered by the SPI, so illegal packets are dropped. (I would like to see your thoughts on what is filtered out of P2P comms by CHX, most are attempts at port spoofing or illegal packets at reset attempts. It will open your eyes)
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Ok then, down to basics.

    If you look at this ruleset, this gives basic outbound, but, you will need to have the "force allow inbound DHCP" rule (included with the Wan_start rules) and need to allow outbound DHCP broadcasts.

    We can go through the rules, what they are/do, and the entries needed. before you set them.
    When we do start to change the rules, if you do find problem with connection, then simply save the current ruleset, delete them, and reload the default Wan_start. You can then always upload the problem ruleset to be checked.
     
  6. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    very nice Stem, thanks bunches!


    Mike
     
    Last edited by a moderator: Apr 29, 2007
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    We start where? From an already defined "strict" ruleset?,

    As I stated, this can be a start, not all rulesets/ needs can be placed within a Packet filter ruleset.

    Look at that ruleset, what do you think,.. opinion/thoughts
     
    Last edited: Apr 29, 2007
  8. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    sorry Stem, just got back from airshow. i am looking at the rules now. i will edit this post in a few minutes with my understanding or lack of understanding of how i can apply these rules to my ruleset.

     
    Last edited: Apr 30, 2007
  9. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    okay,

    here is the one outbound filter i have managed to set so far:

    http://img176.imagevenue.com/loc401/th_92490_DHCP_OUT_Rule_ed_122_401lo.JPG

    i hope this is correct. the force allow in for DHCP is present already.

    btw it looks as if i can create these filters, keep them disabled so they do not impact my connection, and give you an opportunity to check what i have done. as long as i remember to check the 'disable' box i should be okay right?


    Mike
     
  10. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
  11. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
  12. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Block TCP SYN Filter:

    http://img45.imagevenue.com/loc1158/th_56178_TCP_SYN_Inbound_Deny_122_1158lo.jpg


    Do I need this filter? it's disabled at the moment.

    Outbound Connection For Security Apps Updates:

    http://img153.imagevenue.com/loc539/th_56761_Outbound_Connections_For_Updates_122_539lo.jpg

    i made this filter so SAS, A-Squared free, AVG 7.5 free could connect out for updates. i put the IP addresses and used ports in the corresponding list within CHX. the addresses/ports i still do not have is for NOD and Prevx1. emailed Prevx for IP numbers and Ports and received some bizarre answer regarding a Norton uninstall tool when i mentioned absolutely nothing of having a Norton product on my system. hopefully i will have better luck with my second request.

    Outbound Web Access Filter:

    http://img111.imagevenue.com/loc497/th_57723_Outbound_Web_Access_Filter_122_497lo.jpg

    this is what i have so far, i still need i guess filters for sending receiving email (Outlook 2003 do not use Outlook Express at all) and also filter/s for controlling services. services are perhaps my biggest nemesis as i usually have no idea of what they are doing and when to allow or disallow connections for them.

    TIA for any and all input.


    Mike
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Mike,

    You appear to be doing OK.

    Block inbound SYN rule. You still have in place the inbound UDP&TCP_NO_SYN rule. So it is un-needed.

    Nod updates on HTTP(remote port 80)

    Edit:

    I see you are placing IP`s for your updates. There is no point in doing this for a packet filter, unless you are going to also restrict your browser, as you will need to add a rule to allow outbound to remote port 80 (so you can browse)
     
    Last edited: Apr 30, 2007
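Stem's two points above (the extra "block inbound SYN" rule adds nothing next to the inbound UDP&TCP_NO_SYN rule, and per-IP update rules add nothing once outbound port 80 is allowed for the browser) are both cases of a redundant rule in a packet filter. The script below is an added example, not CHX-I's code and not a model of its real rule engine: it assumes a simple first-match, default-deny packet filter and reports which rules can be removed without changing any decision over a set of constructed sample packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", seen from the single PC
    proto: str              # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection attempt

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    direction: str
    proto: str
    remote_net: str = "0.0.0.0/0"
    remote_port: Optional[int] = None    # None = any remote port
    syn_only: Optional[bool] = None      # None = SYN and non-SYN alike

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and ip_address(p.remote_ip) in ip_network(self.remote_net)
                and self.remote_port in (None, p.remote_port)
                and self.syn_only in (None, p.syn_only))

def decide(rules, p: Packet, default="deny") -> str:
    # First matching rule wins; unmatched traffic falls to the default deny.
    return next((r.action for r in rules if r.matches(p)), default)

def redundant(rules, samples) -> list:
    """Names of rules whose removal changes no decision over the sample traffic."""
    base = [decide(rules, p) for p in samples]
    return [r.name for r in rules
            if [decide([x for x in rules if x is not r], p) for p in samples] == base]

# Constructed ruleset shaped like the thread: Wan_start inbound rules, the added
# "block inbound SYN" rule, a per-IP update rule and the general web-access rule.
RULES = [
    Rule("in TCP_NO_SYN", "allow", "in", "tcp", syn_only=False),
    Rule("in UDP", "allow", "in", "udp"),
    Rule("block in TCP SYN", "deny", "in", "tcp", syn_only=True),
    Rule("out updates to AV server", "allow", "out", "tcp", "198.51.100.10/32", 80),
    Rule("out web", "allow", "out", "tcp", remote_port=80),
]
# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLES = [
    Packet("out", "tcp", "198.51.100.10", 80, syn_only=True),  # update check
    Packet("out", "tcp", "203.0.113.7", 80, syn_only=True),    # browsing
    Packet("in", "tcp", "203.0.113.7", 80),                    # reply segment
    Packet("in", "tcp", "203.0.113.9", 3389, syn_only=True),   # unsolicited SYN
    Packet("in", "udp", "203.0.113.53", 53),                   # DNS reply
]
```

Calling `redundant(RULES, SAMPLES)` names exactly the two rules Stem flagged; widen `SAMPLES` with your own logged traffic before trusting the result for a real ruleset.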
  14. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    okay deleted that.


    okay i removed the IP addresses. restricting the browser is a mountain i won't climb.

    other than creating filters for email, what other outbound filters will i need? my big concern is how do i tame svchost persistent request for connections.

    i know i have netbios restricted, but the various svchosts from time to time ask for connections and i never have enough information as to what they are connecting to, and why, to know for sure whether to allow or disallow.

    are there any filters i can build that will give them the access they need when they need it and nothing more?

    also i downloaded the rar file that contains the ver 3 help files. but they seem to be nothing more than html that redirects me to the now defunct website. am i not doing something right? i have and have read the 2.85(?) help, but it seems the 3.0 files have more info (just from looking at the index, the only part of the website still up)

    let me know when you think i have the filters necessary to give this app a test run.

    thanks for all of your help!


    Mike
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For such as CHX, this will not give any popups for connections, it will either allow or block (depending on rules set)

    Have a look at these 2 posts, there is info that will help, certainly with anything shown as blocked within the logs.

    The online manual for CHX3 can still be found here


    When you think your ruleset is close to complete, post this and we can go through anything that can be added/edited or removed.
     
  16. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    hey Stem,

    good news...mostly! i actually finished setting up CHX-I last night, and took the training wheels off. result-success. i was able to access the web, send receive email, all programs that needed to be able to access servers for updates, were able to. Shields-Up showed ports as stealthed, and even better, my computer was running around 60 pounds lighter over previous configurations, even with the addition of bitmeter2 which is pretty heavy at around 23 pounds (mb) all in all my objectives were met. then i uninstalled it.

    i found two annoyances that were deal-breakers. the first in reading one of the threads you referenced one member posted an image of a IP connection tool he was using to illustrate something. i had never seen this tool before so i googled it, found it, read about it, liked it, downloaded it, and put it on my system. for some reason whenever i would start CPorts, CHX would lose its connection and i would have to reboot. it also would just arbitrarily lose the connection, for no apparent (to me) reason.

    but it is the lack of ongoing development and documentation, that really killed it for me. as i mentioned i have the help files for version 2.8, which i have read a couple of times, it's useful to a degree, but apparently ver3 added functionality that is not covered. i did not want to burden you or anyone or myself with a litany of "what is this?" "what does it do?" "how do i use it?"

    as i was setting up CHX over the last couple of days i kept seeing references to 8signs FW/PF here on Wilders and a direct comparison at http://www.mntolympus.org/phpbb2/viewtopic.php?t=2032&sid=871947988a728a8ce5a91bd9835cd7de so after i determined i did not want to live with not having formal support, i began reading everything i could find on 8 signs, and around 3:30am i decided to take the plunge and download it.

    functionally it is very much like CHX, in fact even though it's referred to as a firewall i see no distinction between it and CHX. it, as a result of continued development, is a much more polished app. the edges are rounded off nicely. something totally indispensable to a greenhorn like myself is the totally detailed, thoughtful, well laid out helpfiles. a complete godsend for noobs. and each function comes with a context help file that lays out wonderfully what the function is, how it works, and what it is used for....nice! it isn't cheap at about $50.00, more than i am usually predisposed to pay for a firewall. but for such a well developed program, and once set-up properly, to have a secure, stable, reliable, and light packet filter, that will not bug me with ANY pop-ups (yet with such a comprehensive log-file one can know everything passing in and out of their system and manage that activity) i am definitely willing to hand over the dough.

    Stem it's your introduction to the concept of packet filters, that has led me to a product that i believe will fill this niche in internet security on my computer for possibly many years to come. through your patient guidance i have learned plenty. with the building blocks you've provided, i am much more sure footed and confident in my ability to build effective rules/filters for securing my pc in the future. though not with the app we started with, the result is the same: Mission Accomplished!

    Thank-You


    Mike
     