NetVeda, CHX-1 or 8Signs?

Discussion in 'other firewalls' started by jon_fl, Jun 9, 2005.

Thread Status:
Not open for further replies.
  1. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Which is lightest on resources, easiest to use, tightest security?

    Would you replace LNS with any of these? :doubt:
     
  2. Arup

    Arup Guest

    CHX, followed by NetVeda, however no outbound protection with CHX and you have to write your own filters.
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    CHX is easily lightest on resources. It's better than 8Signs also, since it does stateful UDP and ICMP whereas 8Signs only does stateful TCP. So of those two, I'd pick CHX. CHX however is not easiest to use. NetVeda would probably be easier to use, and it also has outbound app control where CHX and 8Signs do not. So if outbound control is needed then NetVeda would be best. If you don't need outbound control then CHX would be my choice. I would pick either of those over LnS, since LnS has a memory leak that hasn't been resolved at the moment.
     
  4. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Kerodo,
    Are you still using CHX-I solely (no other firewall)? I'm using CHX-I (stealth rules with some outbound restrictions) plus ProcessGuard plus Kaspersky 5.035 (with intrusion detection turned on). This arrangement seems to work fine for me.

    Have a good day. :)
     
  5. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    If it is a firewall you want to install and use without having to write rules, then Netveda is probably the choice. It offers both inbound and outbound protection. It's pretty good as installed, although there are a few other boxes you can check to make it even tighter.

    8Signs/Visnetic is a very good firewall, though. If it offered outbound protection, I'd rate it number one.

    I don't know about CHX since it sounds like something for more advanced users. I've been tempted to download and try it, but writing rules is way beyond me at this point and maybe forever.
     
  6. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Is it possible to try Netveda without first uninstalling LNS?
     
  7. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I would uninstall LnS before you install Netveda. It is not recommended to have two software firewalls running together. I have heard some people have no problems running things this way but IMHO, it's better to have one installed at a time.

    You could try to disable LnS and then install Netveda, but I feel the safest choice is to uninstall LnS and then try Netveda.

    BTW, you might want to try Kerio 2.15. It is not as easy to set up as Netveda but having tried the two, I am sticking with Kerio. It's pretty light on resources as well, and lighter than Netveda.

    HTH,

    Jag
     
  8. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Can you give details on this memory leak in LnS?

    I also think NetVeda is quite ok from a beginner perspective. I installed it on a friend's machine and she's very happy with it. She's a first time firewall user.

    I'd pay for something that is fast/easy on resources, stateful tcp/udp (with no arbitrary connection limits), very easy gui and outbound application specific rules (i.e. give each application access rights based on protocol/address).

    NetVeda is on top of my list so far, but I'm still looking for other suggestions <hint, hint> :)
     
    Last edited: Jun 10, 2005
  9. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Since Kerio 2.15 was mentioned, let's throw that one in the mix. Comments please.
     
  10. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    I am trying out NetVeda today for the first time. Overall, I like it. In fact, I plan to install it on my mom's computer and anyone else I know who doesn't know much about computers. IMHO, it's not a good firewall for clueless newbies to set up themselves, though. BTW, I'm not implying you are a newbie, just making a comment about NetVeda.

    One thing I don't like about NetVeda is that it doesn't seem very flexible as far as creating your own rules, or customizing the permissions for each application. For example, I like to restrict applications to the few ports that they normally use, but I could not see any way to do that with NetVeda. Of course, I've only been using NetVeda for less than half a day, so I might have missed something.

    Phil
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I am currently using the old ZA Plus 4.0. I like CHX-I when I feel bold and don't care about app control, but lately I have wanted it, so I am using other firewalls unfortunately.. :)
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Regarding the LnS leak, all I know is what I have observed here on 2 separate occasions. I ran LnS for a week or so. Rebooted after install, and it was using maybe 3 mb ram. Then slowly, over a period of only a day and a half, that 3 mb increased to about 15 mb and climbing, with no end point in sight. I tested it twice with the same results. I'd say more ram usage was fine, but not to that extent for LnS. It should remain in the 3-7 mb range I would think. I had the feeling that if I ran it for a few more days it would keep on climbing.

    It is being discussed some on the LnS forum but I haven't read there for a few weeks, so I'm not up on the latest.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Kerio 2.1.5 is very popular and also quite good. The only issue I know of with Kerio is the fragmented packet issue, where it apparently allows fragmented packets in thru the firewall without logging them or blocking them. However, it is not likely to cause any great problems. I would recommend Kerio 2 probably over LnS, even with Kerio's flaws..
     
  14. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!

    The only reason one would use an app filtering firewall in tandem with CHX-I is to monitor and control bandwidth and applications calling out/home. ZA/ZAP (component control) work best with respect to the above (i-net filter turned OFF). If you don't care about app filtering, then CHX-I is a very good SPI packet level firewall that is easy enough to configure and use. Plenty of rule sets for any type system on the i-net.

    Regards,
    Jazzie
     
  15. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Jazzie,

    Sorry Jon, don't mean to hijack your post but maybe this will help you too. Mods if you think this should be in a separate post, be my guest and move it.

    A friend of mine begged me to take a look at his computer. I don't like messing with other people's computers because if something goes wrong, I'll get blamed. Anyway he had *a lot* of malware, spyware, tracking cookies, hijacked home page and trojan on his machine.

    After doing a bunch of scans with various AVs and ATs, his machine is OK now. I also installed various adware, spyware programs and Ewido and showed him how to update them and do scans. He originally (it's his first computer) had AVG and ZA free on the computer but they were never updated. I asked him why not and his answer was when a popup from ZA showed up he was afraid to give permission so he always answered no. This is one of those times when outbound app filtering is more detrimental than being a good thing.

    I would like to install CHX-1 on his computer, but I suck at writing rules. I installed CHX on my computer (read the manual) just to play around with it to see if I could figure it out but no dice. Too many options and boxes to check, I'm afraid I would check the wrong thing. For now, I've enabled IPSec and loaded the AnalogX configuration file on his machine and uninstalled ZA.

    My question is would you or anyone else care to post rules for a single stand alone machine on a DSL HSI connection? He doesn't want to spend the money on a good router (which is my preference, I don't think the cheap routers are worth the bother IMHO). He basically just browses the internet and does his E-mail. I think in one of Divers' posts about CHX-1, he said all he needed were five rules. I'm not a newbie to computers but rules writing makes my head spin. I am familiar with TCP, UDP and some of the ports they use. If anyone would care to PM me instead of post here, that's OK with me, but I think other people may be interested too. If you think this would be a fruitless endeavor I'll understand.

    Thanks,

    Jaws
     
  16. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi Jaws!

    Here is a link to Treewalk's site:
    http://members.shaw.ca/BIND-PE_and_ICS/chxi.htm

    It will show you how to set up and download different rule-sets, depending on what type system you have!

    The sample rulesets from IDRCI are a good start:
    http://www.idrci.com/downloads/samplesets.zip

    Those will protect you and make you stealth allowing everything outbound. You can tighten them up more by changing the TCP/UDP SPI rule to, let's say, Inbound from any to port 80 (HTTP) except SYN! -- Inbound from any to port 443 (HTTPS) except SYN! etc., etc.

    Allow Whois ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,43,(!) SYN

    Jazzie DNS,Filter,Force allow,4 - Highest,Incoming,Any,Jazzie DNS,192.168.1.101 / 255.255.255.255,UDP,53,1025-5000,- NA -

    Allow MSN outgoing on port 1863,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP+UDP,Any,Any,(!) SYN

    Block Netbios Outgoing,Filter,Deny,3 - High,Outgoing,Any,Any,Any,UDP,137-138,137-138,- NA -

    Allow Https Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,443,(!) SYN

    Allow SMTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,25,Any,(!) SYN

    Allow Pop3 Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,110,(!) SYN

    (Disabled) Allow XDCC through Mirc outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,35532,(!) SYN,,

    MIRc allow outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,6660-6669,7000,(!) SYN,

    Allow FTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,21,(!) SYN,,

    Ping others ICMP,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,ICMP,- NA -,- NA -,Type: 0, Code: 0,

    Allow UDP responses(UDP Stateful option on),Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,UDP,Any,Any,- NA -,,

    (Disabled) Jazzie DHCP,Filter,Force allow,4 - Highest,Incoming,Any,192.168.1.1 / 255.255.255.255,192.168.1.102 / 255.255.255.255,UDP,67,68,67,68,- NA -

    Block ICMP type 10,Filter,Deny,3 - High,Outgoing,Any,Any,Any,ICMP,- NA -,- NA -,Type: 10, Code: 0,

    Allow HTTP Outgoing ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,80,(!) SYN,,

    Blocked Spoof,Filter,Deny,4 - Highest,Incoming,Any,Ingress Filters - Reserved IP Addresses,192.168.1.101 / 255.255.255.255,Any,- NA -,- NA -,- NA -

    (Disabled) Allow Telnet ,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,Any,23,(!) SYN

    Blocked UDP Broadcast ,Filter,Deny,3 - High,Incoming,Any,192.168.1.101 / 255.255.255.255,0.0.0.255 / 255.255.255.255,UDP,137,137,- NA -

    Block Netbios Incoming,Filter,Deny,3 - High,Incoming,Any,Any,Any,UDP,137-138,137-138,- NA -


    --------------------------

    These above are an example of mine. I use them along with ZAP (APP filter only!!!), no i-net filter needed by ZAP. It defeats the purpose of having both UDP and ICMP pseudo SPI... Hope this helps....

    NOTE: I have some rules disabled, because I don't use either DHCP or Telnet, but use an occasional download through IRC! :p



    Regards
    Jazzie
     
    Last edited: Jun 10, 2005
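The "(!) SYN" convention in the exported rules above is the whole trick of a packet-level ruleset like this: an Incoming rule that excludes bare SYNs lets reply traffic for connections the machine opened itself come back, while a fresh inbound connection attempt to the same port matches nothing and is dropped. The following is an added example, not code from the poster, from IDRCI or from CHX-I: a small Python evaluator that parses a handful of the rule lines exactly as they appear in the post and runs constructed sample packets through them. Everything about how the rules are evaluated is an assumption made for the illustration: higher priority wins and ties keep listed order, first match decides, an unmatched packet is denied, the two port fields are read as source then destination (as the DNS rule suggests), and the named address object "Jazzie DNS" is given the made-up value 192.168.1.1.

```python
"""Toy evaluator for CHX-I style exported rule lines (added illustration).

ASSUMED, not CHX-I's documented behaviour: higher priority first, first match
wins, no match = deny; port fields are source then destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the rule lines posted above, copied verbatim.
RULE_LINES = """\
Jazzie DNS,Filter,Force allow,4 - Highest,Incoming,Any,Jazzie DNS,192.168.1.101 / 255.255.255.255,UDP,53,1025-5000,- NA -
Block Netbios Outgoing,Filter,Deny,3 - High,Outgoing,Any,Any,Any,UDP,137-138,137-138,- NA -
Allow SMTP Outgoing,Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,TCP,25,Any,(!) SYN
Allow UDP responses(UDP Stateful option on),Filter,Allow,0 - Lowest,Incoming,Any,Any,192.168.1.101 / 255.255.255.255,UDP,Any,Any,- NA -,,
Block Netbios Incoming,Filter,Deny,3 - High,Incoming,Any,Any,Any,UDP,137-138,137-138,- NA -
"""

# Assumed value for the poster's named address object (not given in the post).
NAMED_OBJECTS = {"Jazzie DNS": "192.168.1.1 / 255.255.255.255"}

PortRange = Optional[Tuple[int, int]]  # None means "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool
    priority: int
    direction: str
    src: Optional[ipaddress.IPv4Network]  # None means "Any"
    dst: Optional[ipaddress.IPv4Network]
    proto: str
    sport: PortRange
    dport: PortRange
    not_syn: bool  # "(!) SYN": a bare SYN (new connection) must NOT match


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn_only: bool = False  # SYN set, ACK clear: a connection attempt


def parse_addr(field: str) -> Optional[ipaddress.IPv4Network]:
    field = NAMED_OBJECTS.get(field.strip(), field.strip())
    if field == "Any":
        return None
    ip, mask = (p.strip() for p in field.split("/"))
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_ports(field: str) -> PortRange:
    field = field.strip()
    if field in ("Any", "- NA -"):
        return None
    lo, _, hi = field.partition("-")  # "43" or "1025-5000"
    return int(lo), int(hi or lo)


def parse_rule(line: str) -> Rule:
    f = line.split(",")
    flags = ",".join(f[11:]).strip(", ")  # flag field may itself hold commas
    return Rule(
        name=f[0].strip(),
        allow=f[2].strip() in ("Allow", "Force allow"),
        priority=int(f[3].split("-")[0]),  # "4 - Highest" -> 4
        direction=f[4].strip(),
        src=parse_addr(f[6]),
        dst=parse_addr(f[7]),
        proto=f[8].strip(),
        sport=parse_ports(f[9]),
        dport=parse_ports(f[10]),
        not_syn=(flags == "(!) SYN"),
    )


def load_rules(text: str) -> List[Rule]:
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: -r.priority)  # stable: ties keep order


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _proto_ok(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto in ("Any", pkt_proto) or (
        rule_proto == "TCP+UDP" and pkt_proto in ("TCP", "UDP"))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or not _proto_ok(rule.proto, pkt.proto):
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if not (_port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)):
        return False
    return not (rule.not_syn and pkt.syn_only)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[bool, Optional[str]]:
    """Return (allowed, matching rule name); no match means deny (assumed)."""
    for r in rules:
        if matches(r, pkt):
            return r.allow, r.name
    return False, None


RULES = load_rules(RULE_LINES)
```

Running an inbound bare SYN to port 25 through RULES matches nothing and is denied, while an ACK arriving from remote port 25 matches "Allow SMTP Outgoing"; an inbound UDP 137 packet is caught by the priority-3 "Block Netbios Incoming" rule even though the priority-0 "Allow UDP responses" rule would also have matched it. That last rule, read on its own, accepts any inbound UDP to the host, which is exactly why the poster notes that the UDP stateful option must be on: the rule line is not what ties those packets to an earlier outbound request.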
  17. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Jazzie,

    This is a great start, thank you very much. Your unselfish help is very much appreciated. Don't know what I would do without the help of the great members of Wilders.

    Best Regards,

    Jaws
     
    Last edited: Jun 10, 2005