Does CHX-I provide better inbound protection than OA or Cf3?

Discussion in 'other firewalls' started by testsoso, Nov 28, 2007.

Thread Status:
Not open for further replies.
  1. testsoso

    testsoso Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    137
    CHX-I looks like a very basic development of a firewall; it doesn't even have any rules in it. (Maybe I just don't understand it.)

    But after reading some posts here, I came to the conclusion that CHX-I can protect better from ARP attacks, and has full SPI.

    Why don't all the other big firewalls (OA, Comodo 3, Webroot firewall, Jetico 2, ZA, OP, ...) have those features?

    The development is always surprising: first was the leak test, an older firewall like Jetico 1 was the best; now we have this CHX-I, and both are really difficult to use.
     
  2. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    They are "difficult" because they both rely on massive user set-up, making rules for all connections. After all, a "firewall" is just another word for a "rules manager" for what goes in and out of one's computer.

    Sam
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    testsoso, CHX-I doesn't come with rules by default, you have to make them or import.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    There used to be a 'sample' rule set for CHX which would basically get you up and running and protected inbound with just a couple of rules, pretty simple actually. Then you could take it from there and modify/expand as needed for your setup. I don't know where one can find any of the rule sets that used to be floating around nowadays, since CHX development has ceased etc. It's not an install it out of the box and forget it type firewall, but it's also not too difficult to set up either.
     
  5. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    The wan_start ruleset provided by Stefan, the developer, gives complete and secure inbound protection. It makes all ports filtered, or stealthed. Then it is basically like Windows Firewall to allow exceptions. But whereas Windows Firewall allows adding exceptions by program/application and port, CHX-I will allow you to make rules based on ports only. You can use the logs to see what ports your applications listen to. Also, you may need to add a rule or two if you are on a domain. Additionally, you can also close down outgoing ports.
    I actually find CHX-I pretty simple but effective. I've been using it since I can't remember when. As long as I'm using Windows XP, maybe another 5 years or more, I'm going to continue using CHX-I.
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    So in case malware opens a listening port that is allowed by CHX-I, there is no way to resist it?
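
An added example, not part of the thread: because a port-only filter (as described in posts 5 and 6) cannot tell which program owns an allowed port, a defender can audit listeners against the program each exception was meant for. The `netstat -ano` lines, the PID table and the `ALLOWED` mapping are constructed sample data in a hypothetical format, not CHX-I's rule format.

```python
import re

# Constructed `netstat -ano` output from a hypothetical Windows host.
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING       2140
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     3012
  UDP    0.0.0.0:6881           *:*                                    3388
"""
# Constructed PID -> image name table (what `tasklist` would report).
PROCESSES = {4: "System", 892: "svchost.exe", 1500: "alg.exe",
             2140: "utorrent.exe", 3388: "update32.exe"}
# Port-only exceptions, each paired with the program the admin had in mind.
# The filter itself only ever sees the (protocol, port) key.
ALLOWED = {("TCP", 6881): "utorrent.exe", ("UDP", 6881): "utorrent.exe"}

LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def listeners(text):
    """Yield (proto, addr, port, pid) for sockets that accept inbound traffic."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, _remote, state, pid = m.groups()
        # UDP rows have no state column; for TCP only LISTENING rows matter.
        if proto == "TCP" and state != "LISTENING":
            continue
        yield proto, addr, int(port), int(pid)

def audit(text, allowed, processes):
    """Classify each externally bound listener against the port-only rules."""
    findings = []
    for proto, addr, port, pid in listeners(text):
        if addr.startswith("127."):
            continue  # loopback-only sockets are not reachable from the network
        owner = processes.get(pid, "unknown")
        expected = allowed.get((proto, port))
        if expected is None:
            status = "filtered"              # default rule drops it
        elif owner.lower() == expected.lower():
            status = "reachable-expected"
        else:
            status = "reachable-UNEXPECTED"  # port is open, owner is not the intended one
        findings.append((proto, port, owner, status))
    return findings
```
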
     
  7. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Uh, how did the malware get on the pc in the first place?

    Also, it depends on the rule you set up and what you allowed, to tell you the truth.

    To put it simply, just use a firewall you are comfortable with and understand. The fine grain of control and logging you will get from firewalls with more advanced inbound protection won't be worth it since you probably won't be able to get it done correctly, thus opening up a hole so your pc is wide open to attack. Also, if you do get it correct, then you will have no idea what to do if something goes wrong, you need to allow in an application, or if the information someone is telling you is correct. Just use a firewall you are more comfortable with that understands the user won't know as much and will let you be online safely.

    If you want to start learning about firewalls, first try googling about information on TCP/IP, then try a "harder" firewall on a pc that is not directly connected to the internet (like behind a router). Play around, test it out, try scanning from inside your network, etc.

    Cheers,

    Alphalutra1
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Scenarios are numerous. Starting from an email message and ending with children, CD disks, a new nice utility. Yes, with a paranoid security policy the ways are quite limited, but in real life even top-security schemes used to be defeated. So the question "how did malware .." is not valid here, just because we review the _common_ case, not the special case of a computer guru with a strict security policy in mind.
     
  9. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Again, this then approaches the issue on whether or not a firewall should control infections already on the pc, but this is for another thread and has already been covered pretty extensively in other various threads which have occurred in the past month such as this one. Each person has a different opinion and there are different camps on the matter, but if an application is designed to do one thing (such as just control network traffic), then it should do only its job. That is what the CHX-I developers believed and how they designed their product.

    --edit--
    If you really want to discuss the matter, then let's continue it in the thread I linked, or a more recent one if there is one. This thread is about inbound protection and I would hate to start confusing people.

    Cheers,

    Alphalutra1
     
    Last edited: Nov 29, 2007
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This is a matter of taste _only_! There is no Law of Nature that would state it. But there are some considerations that move us to the quite opposite side. There is some set of security tasks that cannot be covered by any narrow specialized application. Then there appears a need to have some set of different applications. Then there appears a risk of incompatibility, some data doubling and some functions overlapping. So the ideal case would be a highly configurable suite with a common setup and database where you could turn functions on and off. But the problem here is real life. No one suite is ideal! And the more complex it is, the more chances it will jump out of the ideal implementation. Still, as for me personally, I prefer a suite to a set of different programs. For one it is cheaper :) for two it is less risky for incompatibility issues, for three it is much easier in support!

    PS. But actually ideal would be a case where all these tasks were solved by the OS.
     