LnS + CHX-i

Discussion in 'other firewalls' started by ita?, Jul 1, 2005.

Thread Status:
Not open for further replies.
  1. ita?

    ita? Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    6
    Is it possible to make the TCP Stateful Packet Inspection supplied by LnS coexist with that of CHX-i, so as to take advantage of the ability of the latter to filter UDP/ICMP packets with its pseudo-SPI?

    In other words, to use LnS TCP SPI + CHX-i UDP/ICMP pseudo-SPI....



    Sorry for my English.
    I hope you have understood what I wanted to say.

    Thanks in advance.
     
  2. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi ita,

    Your English is fine and welcome to Wilders.

    I'm sure someone smarter than me will be along shortly to definitely answer your question. I think Jazzie was or is using LnS with CHX-I. Seems to be a good combo to go together if you also want outbound app control.

    But I see no reason to not implement SPI for TCP/UDP/ICMP in CHX-I along with LnS.

    Seems like CHX-I is getting a good reputation around here and right now I've got it set up on my PC and it stealths all ports by itself.

    Regards,

    Jaws

    Maybe Dholiday was right about getting a CHX-I forum going. It looks like interest is growing for CHX-I.
     
    Last edited: Jul 1, 2005
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi ita°

    ... and welcome to Wilders :)

    It is not recommended to run more than one software firewall on your system.

    What exactly is it you hope to gain or think is not covered by LnS?

    Regards,

    CrazyM
     
  4. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    CHX-I implements itself as a driver as part of the kernel. You wouldn't know it's running. It's like you THINK you are not wearing underwear - but you are.

    I don't think there'll be conflicts.
     
  5. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    o_O LOL. What an interesting comparison.... :D
     
  6. Arup

    Arup Guest

    Truly nice comparison, IDRCI should use it in their website.

    CHX is truly unobtrusive, if you intend to use it, all you need is an outbound app filter, that's all.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,784
    It is possible, but it's probably best to use CHX-I for the SPI packet filtering, and turn off the internet filtering of LnS and just use it for outbound app control. There's really no need to have both filtering normal internet traffic. There also could theoretically be conflicts. I don't know that there would be, but I am just saying that it's always possible. At any rate, double filtering like that certainly is not needed. CHX-I does an excellent job by itself. Just use LnS for app control and you'll be all set. ;)
     
  8. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Perhaps I'm confused but I think Stefan posted the other day that SPI can be used without the presence of static rules in CHX-I. Nowhere did he mention the use of another firewall with CHX's SPI, but then why would you use SPI without some kind of other firewall or filters?

    Stefan said:
    I take this to mean you can apply SPI in CHX-I without any filters, so you would not actually be filtering twice, but now I'm not sure if using just CHX's SPI and all of LnS firewall would cause conflicts. Since Stefan posted in the context of using a different firewall with CHX's SPI, I assumed there would be no problems. Good question that needs a definitive answer.
     
    Last edited: Jul 2, 2005
  9. DRI

    DRI Guest

    LNS and CHX-I work fine together, just have to turn off the inet filter and remove all the rules in LNS (including all the packet options!) Like CrazyM stated, running two packet filters will result in conflicts under a heavy load. (IE: p2p/multiple connections). ZA works the same (Just have to turn off the inet filter). Then the question is, why use two packet filters if, one (CHX-I) implements true SPI and the other simulated o_O?

    cheers
    DRI
     
  10. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!

    I have tested just about every firewall, that didn't have dedicated packet filtering [that couldn't be disabled without app filtering], there is. The two I know that work well with CHX-I, are ZA/ZAP and LNS. Some here, like Kerodo and Arup used Jammer under Win2k without a hitch. I am currently using XP Pro, so I can't use/test it... There is another that worked well, but no longer available is Alertwall. The company sold the source code, so it is no longer available..... I would like to stress (which I have on more than one occasion), is that I don't use an app filtering firewall to deter 'leak tests' or malware, I use it to control bandwidth and what calls out or home.....

    CU
    Jazzie
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,784
    Jaws - You bring up a good point and that's what I got out of Stefan's post also. However, my response to it all would be, why bother with LnS's filtering at all when CHX-I is far superior? And I think LnS only does TCP SPI. Seems to me that it would be best to just use CHX-I for internet filtering, and then supplement with LnS or ZA or Jammer for app filtering only. With CHX-I filtering internet traffic, there is simply no need for another firewall doing the same.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,784
    Hi Jazzie.. I actually preferred Jammer for app control with CHX-I. It gives me a simple notification when an app tries to connect out, with an allow/deny choice, and that's all I wanted, nothing fancy.. Works well for me.. :)
     
  13. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi Kerodo, glad it is working for you. And as I hear light on resources as well.. I am using ZAP which uses about 9 megs, so that isn't too bad..

    Regards
    Jazzie
     
  14. Arup

    Arup Guest

    Jammer combined with Antihook and CHX makes a truly good combination.
     
  15. ita?

    ita? Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    6
    Thanks for the numerous answers!

    I have noticed that persons considered among the best minds in Wilders have already answered ;) ....

    I'm honored :D
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie1:

    Could you give me an example of what you mean by controlling bandwidth?

    Are you mainly concerned about privacy and blocking applications like media players from reporting back, or is there actually some non-malware app stealing enough bandwidth that it needs to be blocked for performance reasons?

    Generally, my approach to the privacy problem has been to use a host file.
     
  17. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    Although it makes no sense to run two or more drivers performing the same function, there are specific circumstances that would allow for peaceful co-existence of different filtering modules. Microsoft's architecture allows for filtering at various levels (e.g. NDIS, ip filter hook, firewall hook and so on) so two or more drivers filtering at different levels should not interfere with each other.

    From a functionality point of view - CHX SPI can be enabled within the context of a separate static filter - but this approach violates one of the principles of implementing a robust security model: whenever possible do not increase a security system's complexity. The more technology you throw at security problems the less secure the system becomes.

    Generally - people at home are less concerned with network acls (perhaps because there is nothing spectacular about it such as pop-ups informing asking you if you want to allow an overlapped TCP segment) and more concerned with malware. For this purpose and for the sake of keeping your system's complexity to a low - one should -by all means- make use of one of the many applications that provide strong coverage in this particular area such as LnS or ZA.

    Best Regards,

    Stefan
     
  18. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!

    Hey Diver, long time no hear. What I was referring to is, certain apps that I have that call out, which I want to control, when it happens, such as MIRC with Zirk script. It likes to update itself every 25 mins (can be turned off, but still likes to call back to the host for an update) which isn't so bad, as long as I am not downloading anything! So let's say I am downloading a huge file and an update comes for something else at the same time, I want to be able to control what gets the priority of bandwidth (Most likely the download) :) Otherwise, the bandwidth is sucked from my download through IRC to another app...

    Stefan-

    Good hearing from you again! I look forward to the final release of CHX-I 3.0..

    Take care
    Jazzie
     
  19. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Great statement! Can I quote you for use in my signature?

    I, like some others here, don't feel the need to use outbound app control. I've been testing out CHX and feel perfectly safe using it by itself. Normally I use just a router but I'll be installing CHX on a friend's PC that they don't know what to do with outbound app popups anyway.

    Regards,

    Jaws
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,784
    If more firewall vendors followed this principle then we'd truly have some more great products like CHX.. :)
     
  21. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie,

    Thanks for the answer. I am around frequently, but do not post that much anymore.

    Stefan says it all. KISS.
     
  22. DRI

    DRI Guest

    One can truly test their CHX-I set-up from behind a router, by placing themselves on a DMZ and letting CHX-I filter in both directions. Works very well. I also look forward to the final release of the 3.0 version...

    Cheers
    DRI
     