Kerio 2 and CHX-I

Discussion in 'other firewalls' started by Kerodo, Mar 26, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Just tried an interesting experiment here tonight. I installed Kerio 2.1.5 and CHX-I, so that both are running concurrently. They appear to coexist nicely, without any visible problems.

    Kerio seems to catch all the incoming and outgoing traffic, rather than CHX-I. I see all the usual stuff in the Kerio logs, and nothing in the CHX-I logs, with one interesting exception. Now, when an occasional fragmented packet gets thru Kerio, it's caught by CHX-I and logged. So there's no more of that outbound ICMP type 3 anymore to random addresses (the response to the incoming UDP fragments that get thru Kerio). CHX-I catches whatever gets by Kerio.

    For anyone who was bothered or worried about Kerio's fragmented packet thing, this would appear to be the solution..

    My original idea was to try to run CHX-I and add Kerio for outbound app control. However, rather than CHX-I catching inbound traffic, Kerio seems to get it first, so CHX-I is pretty much defeated there. But as a backup for Kerio, it works well.
     
    Last edited: Mar 26, 2005
  2. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
    Kerodo...any other visible probs concerning both are running at the same time....& any advise how to configure CHX-1 along with BZ ruleset for Kerio? :cool:
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    MushfiQ - No problems running the two together. I simply have CHX-I set up to allow all outbound traffic, and only allow inbound according to stateful inspection, with a few force allow rules inbound for dhcp resonses. CHX-I is a little different to set up, and I would suggest you read the online documentation for a good overview. Also perhaps some of the CHX-I threads here at Wilders.
     
  4. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Sounds good :D

    I've installed CHX-I and I'm trying to learn how to set it up.

    It would be great if you could provide some screenshots of your filters.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    My filters aren't going to help much. My CHX-I setup is very simple here. I just took the sample filters from the CHX-I web site and added a couple of force allow inbound rules for dhcp that I needed because I have 2 dhcp servers and the reply comes from a 2nd server. I allow everything outbound, so there's no outbound rules at all. Stateful inspection (which you MUST turn on from the Interface Properties menu) takes care of what is allowed in.

    Kerio 2 gets all incoming and outgoing packets first. So your Kerio rules will control everything. I'm pleased with the results so far. Seems to be working well, and I'm really happy to be using Kerio 2 again. It's always been my favorite.

    PS - The best way to learn CHX-I is by reading the online documentation (in my opinion anyway). Then you'll understand the basics about how CHX-I works. It's different from your typical rules based firewall. But not that hard to learn.
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    CHX-1 is different from other rule based firewalls in several ways. For starters, nothing is blocked until you put in some rules to do that. Next one up is the order of the rules means nothing. It uses a system of priority levels. All of the sample rules that I have ever seen do no comprehensive outbound filtering.

    It has its own logic, and unusually fine control over ports, addresses and packet attributes can be achieved. It is not application aware, but you can do things like limit sending mail to certain IP addresses.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    It also has some nice features like IP lists and Port lists.

    If it had app control I would rate it close to #1 if not #1. But adding app control is apparently not on the developer's agenda any time soon. :(
     
  8. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    No it's not! I asked Stefan about this on a few occasions and he shares the same knowledge as James Grant from 8signs! That App filtering is Illusionary. I myself, like to control certaint apps from calling home or communicating at all. So If I do use CHX-I, I use it with LNS application filtering only. No Network driver. There is another fw that is a ZA front end clone that Phant0m used in conjunction with Chx-I, I just forgot the name. (I believe it was called, 'Privatewall') It seemed to work well too... I wonder how well Kerio 2.15 and CHX-I would stand up against a LAN scanner? Kerodo, have you done any local tests on your system after installng them both?

    CU
    Jazzie
     
    Last edited: Mar 27, 2005
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Jazzie, no real tests here. Just observing things. They seem to work well together so far. I'd be interested in learning more about that Privatewall that Phantom used also...
     
  10. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Be warned that if you allow traffic in Kerio, but try to block it in CHX, there is a chance that it might show that CHX blocked it in its logs, but in reality the traffic was actually fully allowed. I've seen this happen when I used Kerio, and LnS at the same time, Kerio allowed it per my config, but a LnS rule supposed to block it, it didn't work, however apparently did falsely log that it blocked it.

    Its really much better if you use a hardware, and software firewall to avoid conflicts like this.

    I've also never been able to reproduce your icmp 3 issue...
     
  11. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Kerodo- OK no problem. I just checked the site for privatefirewall and it was not the firewall in question. For the life of me, I can't remember the name. But it was a ZA Clone none the less. I just installed CHX-I just a few minutes ago, have it in conjunction with LNS. Works very well, as expected. :)

    BlitzenZeus--
    I agree, but disabling the Network adapter within LNS and having only the app filter enabled will remove any resouce and kerrnel driver conflicts....

    CU
    Jazzie
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Thanks for the input BZ.. I'm observing here and am a little wary about the situation, but so far it looks ok. I prefer to just use one software firewall also, so this combo may not last too long for me. We'll see.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Jazzie - Using CHX-I and LnS together, is it just simply a matter of unchecking the network filtering in LnS's interface? Or are some other registry changes needed as well? If the LnS driver is loaded, wouldn't there be conflicts as BZ mentions?
     
  14. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    That's it, well you have to also remove the inet filtering option (checkmark) and the network adapter, under options. And it will be a good app filter/inet filter combo from both working together. I have not found a conflict yet! Recource or otherwise.... It is alos a good idea to remove all the rules (not just disable the inet filter!) Of course, feel free to test this yourself! :)
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Well, I just looked at my CHX-I logs and am seeing some weird things that shouldn't be, with Kerio running, so I think maybe BZ is right and it's not meant to be (the Kerio/CHX combo).

    Jazzie - I have removed Kerio and installed Look N Stop now with CHX-I and unchecked the appropriate boxes in LnS for internet adapter and filtering. Sounds like a good combination to me. I'll try that for a while and see how it goes. Thanks. ;)
     
  16. Arup

    Arup Guest

  17. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Arup-

    Thanks for replying! No, that isn't it, but close. It has been a while since I tried it, eight months ago, so I forgot! But will do some research myself and see.

    Kerodo--
    Also forgot to mention that you should uncheck everything in the options/advanced, that has anything to do with TCP/IP, such as SPI, name resulution,ect. just have app filtering and dll injection enabled.
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Ok, thanks Jazzie.. I had some of those checked.. I'll remove 'em...
     
  19. RKBA

    RKBA Guest

    I think what you're looking for is called Alert Wall
     
  20. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Thanks RKBA, that is exactly what it's called! Man, I couldn't remember the name. but knew it was a ZA Clone. I just remember that it worked good together with CHX-I! Here is a link to it:
    http://www.alertwall.com


    Regards,
    Jazzie
     
  21. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie-

    Not trying to hijack the thread, or anything, but what were you using before putting CHX-1 on for a look?
     
  22. peterc

    peterc Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    37
    Location:
    Australia
    Here's a site that can give all the info required to use Kerio 2.15 with CHX-I together and a lot more info

    h..p://members.shaw.ca/BIND-PE_and_ICS/index.htm

    peterc
     
  23. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    peterc-

    Are you sure they are using Kerio and CHX on the same box? I thought they were using CHX on a pc that was used as a gateway, instead of using a router, with Kerio on the client machines.
     
  24. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hey Diver, I was using 8signs and LNS! They are both good packet filters! Why do you ask?

    CU
    Jazzie
     
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie-

    Curiosity, you know, the same thing that killed the cat. I think that 8signs is easier to understand than CHX-1 as the rules are processed from the top down like Kerio and a lot of other firewalls, and the interface is more "normal".

    Where I run into a corner with 8signs is with eMule. eMule is not a well behaved app. In order to run properly, it must send out UDP on a random port (probably limited to the 1024-5000 range) and receive udp on that same port. This is in addition to receiving UDP on a designated port, which is optional. With 8signs there seems to be no alternative to opening 1024-5000 for udp inbound to get that function to work. Of course, in that range there are several windows components listening on other random ports, so I don't see a solution with 8signs. OTOH, CHX-1 has psudeo stateful UDP, so it will accept back the eMule UDP without allowing connections to initiate on the other listening ports. Am I missing something about 8signs, chx-1 or both?

    While asking you about that, I also wonder what you do regarding preventing termination of LnS. I trialed it a couple of months ago and it seemed like it could be terminated and the application control would no longer work. I had the packet filter turned off for that test. Again, did I miss something?

    -Diver
     
Thread Status:
Not open for further replies.