Kerio 2 and CHX-I

Discussion in 'other firewalls' started by Kerodo, Mar 26, 2005.

Thread Status:
Not open for further replies.
  1. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver-
I agree that Tiny, out of the box, is not the best solution and that the normal mainstream users, should be fine using it. What I was getting at, with Stefan was, that a simple application filter only (No tcp/ip) would help a lot of people that want to control certain every day applications, that either call home or out. That way you wouldn't have to have two firewalls installed in order to get the desired effect. I have LNS (paid for) and CHX-I and they work fine together, but would like to see CHX-I developed even further to also cater to the home user, not just the corporate/enterprise server. Of course this is entirely up to Stefan and CO. :) I already knew the answer to my question at the beginning of this thread, I had to ask anyways, figured I might get lucky and catch Stefan in a 'home user' state of mind. No chance! :) You would be surprised how many security experts that don't use application filtering!

    That is only because they didn't discover IRC, or they just wanted free programs/music!!! :p

    CU
    Jazzie
     
    Last edited: Mar 28, 2005
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I have IRC up and running on my test box. I don't find it so obvious to use, even with the script. Will give it another try.

    As for having a lot of connections, that is why we have firewalls, and in particular that is why some of us want the most efficient and effective packet filters.
     
  3. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver-
    If one uses an 'IRC' search engine, ie: ircspy, then IRC can find anything (just about anything you are looking for!) Just have to learn how to use it, to either serve or leech (download)! :)

    Hope this helps you on your way to being more secure than with Emule or Bit torrent!

    CU
    Jazzie
     
  4. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    eMule is a real nightmare with all the ports and connections it needs. It is too slow for anything larger than about 10mb, and that is about what I use it for.

    Jazzie, I appreciate your tips with respect to IRC, however Bittorrent is screaming fast. I have seen downloads at over 300 kb per second on my cable connection. It has gone mainstream with Linux distros being distributed this way by their developers. Bittorrent accounts for something like 30% of all internet traffic, so just exactly what is wrong with it, because I have used it since it came out without incident?
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I have seen downloads of 300+ kb/sec on other P2P programs as well. I think emule is just slow. I tried it once and couldn't even get 1 download started after a half hour. Have not tried Bittorrent yet though. Does it take special knowledge to set up or get working?
     
  6. Arup

    Arup Guest

emule is plain slow, tried it disabling firewall and antivirus but no go at all, even tried out emule+ but still the same.
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    eMule is slow. Tell me about it. It $u(k$. All I know is it is the most popular p2p network now. You can find stuff on it that is very hard to find otherwise. Like I said, I stick to the small stuff, so the lack of speed does not hurt so much.

    The way it deals with UDP is really a horse's rear end. I don't know what they were thinking. I can't wait to find something else that is that bad, but I just noticed that Azureus and XBT have some kind of new UDP protocol in addition to TCP.

    Bittorrent is easy to set up. Allow it out TCP 1024-65535 and inbound on one TCP port. Default for the inbound port is 6881-6999, but weird ports very high up work better because ISP's are trying to slow it down. Some clients require more than one port. I like Bram Cohen's 4.01 the best. It is minimalist, but does the job. Also, he invented it, so there is less chance that some other programmer screwed it up while translating it from Python and adding features. Azureus is very popular, but it takes tons of memory and always seems a bit buggy. It has lots of charts to watch, but watching downloads is about as much fun as watching the washing machine turn.
     
    Last edited: Mar 29, 2005
  8. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver-
You can get the same or better download speeds with IRC, just depends on the 'BOT' you download from. Most XDCC bots are from EDU (UNI) hosted sites, so they scream with bandwidth. Like I said before, I prefer a one to one download than having multiple connections to and from systems that are unknown. Besides it is easier to keep track of the traffic as well... I have seen and heard of people being hacked by hidden streams through Bit Torrent. Ports 6881-6999, being opened on systems for hours on end makes it easier for someone to spoof packets of info to. Not saying that IRC is a (whitehat playground) just better with speed and security, of course, like anything connected to the net, you can get infected through IRC, if you run certain scripts or open certain items. But that goes for any P2P....

    If you would like some help on search engines and good channels in IRC, I can help you on that, but PM me for that! :)

    CHX-I-

Back to the topic, I will try Kerio and CHX-I out when time permits. The TreeWalk team seemed to get it and ZA to work with it. I will see if that also applies to WINXPSP2. (Their documentation was a little old, before sp2)

    CU
    Jazzie
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie1-

    I noticed at SSC your post about running CHX-1 with ZA to keep applications from phoning home. I have been dealing with the offenders in various ways. In some cases like Windows Media player, I don't use it because Media Player Classic blows it away. Strategy two is to turn off the bad behavior. For Quicktime all I do is set it up to not open Hot Picks and automatic updates are off. Eudora can be set to not load web graphics (web bugs). For a few pests I have some useful host file entries:

    127.0.0.1 localhost
    127.0.0.1 sa.windows.com #F3/search in XP
    127.0.0.1 shell.windows.com #Rundll, new network location
    127.0.0.1 crl.microsoft.com #some installers

    If anyone has any other addresses where windows components report to, that would be helpful. Unfortunately, the XP help system reports to too wide a range of addresses.
     
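The hosts-file trick above works because the resolver consults the file before DNS, so a name pinned to 127.0.0.1 never reaches the real server. The same mechanism is what a hosts hijack abuses in the other direction (pointing an update or CRL server at a remote address), so it is worth being able to audit the file. The following is an added example, not code from the thread: a small Python parser for the hosts format that reports which names are deliberately sinkholed, which are redirected to a non-local address (review those), duplicates, and malformed lines. The sample text is constructed; its first four entries mirror Diver's list, the rest are made-up names (ads.example, updates.example, bogus.example) chosen to exercise each check.

```python
"""Parse a hosts file and audit its overrides (added example, not from the thread)."""
import ipaddress

# Constructed sample hosts file; the first four entries mirror the post above,
# the remaining lines are made up to exercise each check.
SAMPLE_HOSTS = """\
# constructed sample, not copied from a real machine
127.0.0.1 localhost
127.0.0.1 sa.windows.com #F3/search in XP
127.0.0.1 shell.windows.com #Rundll, new network location
127.0.0.1 crl.microsoft.com #some installers

0.0.0.0     ads.example            # the unspecified address also blackholes
192.0.2.10  updates.example        # maps a name to a remote (documentation) address
127.0.0.1   sa.windows.com         # duplicate of an earlier entry
not-an-ip   bogus.example          # malformed line, should be reported
"""


def parse_hosts(text):
    """Return (entries, bad_lines).

    entries   - list of dicts: address, hostname (lower-cased), comment, line
    bad_lines - line numbers whose first token is not a valid IP address
    """
    entries, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")   # everything after '#' is a comment
        tokens = body.split()
        if not tokens:
            continue                              # blank or comment-only line
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            bad_lines.append(lineno)
            continue
        for name in tokens[1:]:                   # one address may carry several names
            entries.append({"address": addr, "hostname": name.lower(),
                            "comment": comment.strip(), "line": lineno})
    return entries, bad_lines


def _is_blackhole(addr):
    return addr.is_loopback or addr.is_unspecified


def sinkholed(entries):
    """Hostnames sent to loopback or 0.0.0.0, i.e. deliberately blackholed."""
    return sorted({e["hostname"] for e in entries
                   if _is_blackhole(e["address"]) and e["hostname"] != "localhost"})


def redirected(entries):
    """Hostnames mapped to a non-local address. A legitimate intranet alias
    looks exactly like a hijacked update server here, so each one deserves review."""
    return sorted({e["hostname"] for e in entries if not _is_blackhole(e["address"])})


def duplicates(entries):
    """Hostnames listed more than once; resolvers generally honour the first
    match, so later lines are at best dead and at worst misleading."""
    seen, dupes = set(), set()
    for e in entries:
        if e["hostname"] in seen:
            dupes.add(e["hostname"])
        seen.add(e["hostname"])
    return sorted(dupes)


def audit(text=SAMPLE_HOSTS):
    """Run every check on a hosts file's text and return a summary dict."""
    entries, bad_lines = parse_hosts(text)
    return {"sinkholed": sinkholed(entries), "redirected": redirected(entries),
            "duplicates": duplicates(entries), "malformed_lines": bad_lines}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

To audit a real machine, read the system file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) and pass its text to audit(); anything under "redirected" that you did not put there yourself is the entry to investigate first.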
  10. Arup

    Arup Guest

    Diver,

    Media Player Classic is very good but sadly lacks any video controls, for an alternative check out MV2 player which is a freeware and has all the video controls and plays all the formats as long as you have the codecs installed in your system. Check it out at http://mv2.czweb.org/
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Arup- I don't know exactly what video controls you are missing, but I play the movies in media player classic without any problem. Post processing can be done with Ffdshow. This is getting far afield.

I also noticed that the latest CHX-1 and the latest Peer Guardian 2 get along much better. Windows used to complain while unloading PG2 when CHX-1 was installed. PG2 is an IP blocking utility for anyone who does not know. The newer PG2 also seems to use more memory.
     
  12. Arup

    Arup Guest

    Diver,

    PG2 works out quite well alongside Kerio 2.15 too in case someone needs a formidable IP blocker.

    For Media player, I mean the color controls like brightness, saturation, hue, contrast etc.
     
  13. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Actually, CHX-1 was the only firewall that gave PG2 fits, and now that problem is gone.

    Most of that picture stuff you can do in ffdshow, but if you like another media player, have at it.
     
  14. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver-

Actually, that whole 'how to' doc: CHX-I & ZAP was an alternative to LNS to add an application filter with Component control to CHX-I. I know about tweaking my host file and other app/system tweaks. There are also some applications I have that I don't want calling out at all... To me, it is too much work to tweak every new app that I install (which I do a lot of) to accommodate not having two fw's on my system. But I appreciate your input on the matter. If anything it gives a better perspective to people who like ZA and the power of true SPI packet filtering with it!!! They work well together, almost too well! People like Arup that need ICS or a NAT gateway should appreciate the alternative that is available to them. Phant0m has written a good posting about how vendors and users are so infatuated with 'leak tests', (app filtering) they forgot about what is more important on the inet side, 'packet filtering'! I myself find the packet filtering more important, but also want some app filtering, but could go without it if need be!!!

    CU
    Jazzie
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Jazzie - I am back to CHX-I and Kerio 2 here tonight. Decided to give it another try. This time I'll run both for several days and see what develops.. I too like having some app control these days...
     
  16. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Good, please let us know your findings! A good reference point is the 'TreeWalk' page: h**p://members.shaw.ca/BIND-PE_and_ICS/dnsics.htm
(Little past the middle of the page) shows how to set up both ZA and Kerio. I took some info from there for the above doc. The way I understood it, that certain (if not all rules) have to be removed... For it to work correctly without conflict!

    CU
    Jazzie
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie-

    I know you know your way around these little problems. That post was to show my approach, and to make a point about alternatives to using application aware firewalls.

    It is hard for me to get excited about using multiple software firewalls on the same box. If it suits you, that is OK, but most users are not going to be able to do the testing necessary to verify if the combination is working the way it should be. I am going to take a look for PhantOm's post on leaks, but please save my lazy @$$ some work with a link, amigo.

    By the way, even though I am using CHX-1, I continue to think Kerio 2.15 is a really great firewall.
     
    Last edited: Mar 31, 2005
  18. Arup

    Arup Guest

Don't wish to change the topic and apologize in advance for doing so, I was wondering if using Kerio 2.15 + a program like Harden-It and Secure-It which are freeware be effective, Harden-It strengthens the TCP/IP stack while Secure-It plugs all the holes in Windows.
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    All the holes in windows? lol..
     
  20. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver--

    Just tested out Kerio and CHX-I and there seems to be a memory leak, most likely by the kernel driver. It works, but there are slow downs and lag between apps and connections. So I decided to uninstall and go back to ZA! ZAP works great with it! As far as others testing to confirm it works, is entirely up to them. I just wanted to help and show that LNS is not the only fw that can filter applications with the network driver turned off...Will wait a few days and try with 8signs! :)

    CU
    Jazzie
     
  21. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    At least to me, it would make more sense to run some kind of stand alone sand box app, like process guard or this new Antihook that is being given away for home use. The emphasis of the sand boxes is preventing the installation of malware, rather than the somewhat twisted approach of leak testing which is to detect malware when it attempts to phone home.

    Sometimes, it looks like all of this leak test stuff mostly gives the firewall publishers something to crow about. Otherwise, they are stuck with trying to add functions that usually should be somewhere else, like pop up blockers, cookie management or email screening. After all, the basic function of a firewall is no different today than it was several years ago.

    LnS may not be the only way to filter applications behind CHX-1 or 8Signs, but the attraction is low resource usage and the ability to turn off the packet filter completely. The negative is a relatively high price for a firewall that you will only use half of.

    I also wonder what sort of performance issues ZA will involve. The nice thing about CHX-1 is there is no slowdown when using Bittorrent and connected to 50 other computers.
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Jazzie - No problems here so far with Kerio/Chx-I. No memory leaks or any problems at all. No slow downs of any kind either. I've been running them for over 12 hours now. The only thing I would comment on again is that Kerio seems to get all the traffic. So CHX-I is running more or less only as a backup to Kerio, catching fragmented packets that get thru Kerio only. Nothing more.

I would prefer to see CHX-I getting all the traffic first, thus taking advantage of its SPI and so on, with Kerio working only for app control. But it doesn't seem to want to work that way. How does it work with ZA? Does CHX-I get the traffic first and ZA for app control only?

    I will continue to run the two for a few days though and try to make sure there's no other problems. Don't know where your memory leak came from. None here. I'm on Win2k by the way.

    Diver - What can one do to properly test whether the 2 are working right together?
     
    Last edited: Mar 31, 2005
  23. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    Memory leak? I can feel it right now leaking out of my head:)

Testing two firewalls at once? Frankly, I don't know how to really test one at a time in a professional way. You can run on line port scanners, but all those really tell you is if your firewall is working or possibly misconfigured, if you know what ports are likely to be a problem. The only one that I know of that does UDP is auditmypc, and only one port at a time. That is why I said it is difficult to evaluate and that it is most likely better to run a stand alone sand box, or possibly LnS, due to its modular design. Try Antihook, it is free right now, but it is not perfect either.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I've never paid much attention to running 2 firewalls at once before, but it's kinda interesting. I feel like I'm doing something illegal though.. :p

    Anyway, running these two is pretty much like running Kerio 2, with a net behind it. Seems ok though. I will look for problems in the coming few days..
     
  25. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I've been running CHX-I and Kerio 2.1.5 together for almost a week now, and I've experienced no slow-down or problems at all ^_^
     