Question about non app FW

Discussion in 'other firewalls' started by gagman, Feb 8, 2006.

Thread Status:
Not open for further replies.
  1. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Hello,

    Some of the FWs with good ratings on these boards are CHX or GhostWall, for example.
    Those are FWs without any application control, i.e. just packet filtering:
    "I authorize connections to port 80" is what we can do with them.

    Those FWs need to work with another piece of software, like AntiHook or ProcessGuard for example (which I don't know very well).

    Now here is a configuration example (stupid config maybe, just for test purposes):
    I want to use FF to surf http pages
    I want to use IE to surf https pages

    Using my CHX/GhostWall, I need to allow outgoing connections to 80 and 443, and that's all.
    But that's not enough, for sure.
    So what? Is my (stupid) configuration example possible to do using GW/AH for example (or whatever)?
     
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Unfortunately, that would get you nowhere :p . You need DNS, or else you need to have memorized every IP for every segment of the websites you want to go to (which is impossible). Here are the outgoing rules which I have with my beautiful little CHX-I :cool:

    1) Loopback:

    Direction: Outgoing
    Protocol: TCP and UDP
    Packets' source: Any
    Source Port: Any (you can restrict this to 1024-4999)
    Packets' destination: 127.0.0.0/255.0.0.0
    Destination port: Any

    2) E-mail

    Direction: Outgoing
    Protocol: TCP
    Packets' source: Any
    Source Port: 1024-4999 (local ports)
    Packets' destination: IPs of my e-mail servers
    Destination port: 25, 110

    3) ICMP 3

    Direction: Outgoing
    Protocol: ICMP
    Packets' source: Any
    Source Port: Any
    Packets' Destination: My two DNS servers
    Destination port: n/a
    Specific Flags: ICMP Type 3 Code 3

    4) ICMP 0

    Direction: Outgoing
    Protocol: ICMP
    Packets' source: Any
    Source Port: Any
    Packets' Destination: Any
    Destination port: n/a
    Specific Flags: ICMP Type 0 Code Any

    5) ICMP 8

    Direction: Outgoing
    Protocol: ICMP
    Packets' source: Any
    Source Port: Any
    Packets' Destination: Any
    Destination port: n/a
    Specific Flags: ICMP Type 8 Code 0

    6) Normal Web Surfing

    Direction: Outgoing
    Protocol: TCP
    Packets' Source: Any
    Source Port: 1024-4999
    Packets' destination: Any
    Destination port: 80, 443

    7) DNS Traffic

    Direction: Outgoing
    Protocol: UDP
    Packets' Source: Any
    Source Port: Any
    Packets' Destination: The IPs of my two DNS servers
    Destination Port: 53

    8) FTP Traffic (Usually turned off)

    Direction: Outgoing
    Protocol: TCP
    Packets' source: Any
    Source Port: 1024-4999
    Packets' Destination: Any
    Destination Port: 21

    These rules are permissive, and any packet that doesn't match one of these filters will not be allowed through. These will help you be able to successfully access the internet, do e-mail, and do FTP downloads. You of course will need to add to them for file and printer sharing in your network, P2P, games, etc. I would recommend GhostWall for starters, and then CHX-I once you feel like you've got the hang of things (warning: CHX-I comes with no filters to start out with, so it does NOTHING until configured).

    Happy safe computing

    Alphalutra1
     
  3. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Thanks for your reply, but I think you haven't understood what I meant.
    But you're right, my test config was so stupid I'm going to change it.

    Let's say you have a mail client. You want to have access to your POP3/IMAP4 servers.
    But you don't want your mail client to access port 80 (so it can't load web pages in mails).
    But for sure you need web access for your favorite browser!

    So with your favorite CHX, you will have some email rules.
    But the thing is you need to let your mailer access the network, and you need to have a rule in CHX for web surfing too.

    So... What is the solution now to restrict access for the mailer?
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    To restrict a client application that way with a firewall you would need one that is both application and rules based. So firewalls like 8Signs, CHX-I or GhostWall cannot do it.

    If using a rule-based firewall with no application control you can simply configure your e-mail client to not display/use HTML, or to read in plain text only.

    Regards,

    CrazyM
     
  5. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    OK CrazyM, that's what I thought, but some posts on these boards confused me.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yep, it's not possible with CHX or GhostWall. What you need and might want to consider is Kerio 2.1.5, for example. It's a great one for that kind of restriction of apps to certain ports, etc. Another one might be Jetico or Filseclab. All are free.
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    you can also combine CHX + AppDefend. The latter enables you, among many other things, to allow or deny applications wanting to connect out (but you cannot configure protocols and ports, though).
    AppDefend is not a firewall; more information at this forum:
    https://www.wilderssecurity.com/forumdisplay.php?f=78

    You can thus keep your favorite packet filter, and have a very basic network application monitoring.
     
  8. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    With CHX + AppDefend, I cannot configure what my example needs (my mailer for POP/SMTP only, and not for HTTP) because AppDefend is not port-restrictive, only access or no access to the network.
    Kerio, Jetico, .. are OK, but I really like the way CHX or GW are working.

    I just need something which doesn't seem to exist: a tool with port restriction on an application basis.
    Or CHX + Kerio 2 for applications, but having 2 FWs running together... hummmm I don't want that.

    There is no solution for me, maybe my brain has too many strange ideas (will try to change brain).
    Please give me the new "AppDefend + port-restriction" tool, and I will keep my brain.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    There is nothing I know of that you can run with CHX or Ghost to get what you want without some redundant filtering. If the app port restriction is that important to you, then I'd suggest perhaps either adding Kerio 2 to CHX, or just removing CHX altogether and running Kerio 2, for example, or Jetico. Many folks have used CHX and Kerio 2 together without harm. The total RAM use is only about 8 or 9 MB, CPU use is nil. It doesn't get much lighter than that. But if running 2 filtering apps bothers you then I'd just dump CHX and go with one of your typical rule-based firewalls. That's about all you can do, I think.
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Hey look, a long post made by you on the exact subject :p
    https://www.wilderssecurity.com/showthread.php?t=72595&highlight=chx-i

    Thought this might be useful info to those considering the option. Also browse
    http://www.dslreports.com/forum/kerio for some topics on kerio 2.1.5 with CHX-I

    Alphalutra1
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
  12. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I wouldn't know, just joined recently, but hey, I love looking at old threads to give me info :D

    Alphalutra1
     
  13. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I do not understand, you don't want a firewall with application filtering (see title "Question about non app FW"), so you are required to use a packet filter (CHX for instance), but on the other hand you want to restrict particular apps (your email client, browser, etc...) to only a few ports.

    So on one hand you refuse app control, and on the other hand you need it :)

    If you want above all to restrict your applications only to the ports you want, you need a firewall with application filtering, simply (Kerio alone enables you to do just that).

    If you absolutely want to keep CHX, then you can use the solution I have described. CHX restricts the OS to the allowed ports only (80, 443, 53, 110, etc...) and AppDefend tells which app has the right to connect out or not, which indirectly does what you want.

    Now, we cannot know better than yourself what you want, choose your solution, test it, and report here if you encounter any problem.

    Regards,
    gkweb.
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    The problem comes when he wants to allow a single app to access some ports but not others. For example, he wants to allow his email program access to 25 and 110, but not 80. Apparently AppDefend is just an on/off switch and can't control the apps by port. So the only way is to use a traditional rule-based firewall like Kerio, Jetico, Filseclab, etc.
     
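    To make the point of this thread concrete, here is an added example (not code from the thread, and not CHX-I, GhostWall, Kerio or AppDefend code): a small Python model with a default-deny evaluator. It encodes Alphalutra1's outbound CHX-I rules from post 2 as app-unaware rules, a Kerio-style ruleset where each rule is bound to one executable, and the CHX + AppDefend combination gkweb describes. The addresses (192.0.2.x, 198.51.100.x), the executable names (firefox.exe, mailer.exe, svchost.exe as the Windows resolver) and the AppDefend allow list are assumptions. Running it shows why CrazyM's and Kerodo's answers hold: with port-only rules, the mail client's connection to port 80 matches the "web" rule exactly like any other process's, and AppDefend's on/off switch does not change that.

```python
"""Model of the three outbound policies discussed in this thread.

Constructed example, not CHX-I, GhostWall, Kerio or AppDefend code.
Addresses, executable names and the AppDefend allow list are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addresses standing in for "my two DNS servers" / "my e-mail servers".
DNS_SERVERS = ("192.0.2.53", "192.0.2.54")
MAIL_SERVERS = ("198.51.100.25",)
EPHEMERAL = (1024, 4999)  # the local source-port range used in the thread
TCP, UDP, ICMP = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"icmp"})


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: int = 0    # unused for icmp
    src_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    app: str = ""        # originating process: an app firewall sees it, a packet filter does not


@dataclass(frozen=True)
class Rule:
    name: str
    protos: frozenset
    dst_nets: tuple = ("0.0.0.0/0",)
    src_ports: tuple = (0, 65535)
    dst_ports: frozenset = frozenset()   # empty = any port
    icmp_type: int = -1                  # -1 = any
    icmp_code: int = -1
    app: Optional[str] = None            # None = rule ignores the process (packet filter)

    def matches(self, p: Packet) -> bool:
        if p.proto not in self.protos:
            return False
        if self.app is not None and p.app != self.app:
            return False
        dst = ipaddress.ip_address(p.dst_ip)
        if not any(dst in ipaddress.ip_network(n) for n in self.dst_nets):
            return False
        if p.proto == "icmp":
            return (self.icmp_type in (-1, p.icmp_type)
                    and self.icmp_code in (-1, p.icmp_code))
        lo, hi = self.src_ports
        if not lo <= p.src_port <= hi:
            return False
        return not self.dst_ports or p.dst_port in self.dst_ports


# Alphalutra1's outbound CHX-I rules (post 2); anything unmatched is dropped.
CHX_RULES = [
    Rule("loopback", TCP | UDP, dst_nets=("127.0.0.0/8",)),
    Rule("e-mail", TCP, MAIL_SERVERS, EPHEMERAL, frozenset({25, 110})),
    Rule("icmp 3/3 to dns", ICMP, DNS_SERVERS, icmp_type=3, icmp_code=3),
    Rule("icmp echo reply", ICMP, icmp_type=0),
    Rule("icmp echo request", ICMP, icmp_type=8, icmp_code=0),
    Rule("web", TCP, src_ports=EPHEMERAL, dst_ports=frozenset({80, 443})),
    Rule("dns", UDP, DNS_SERVERS, dst_ports=frozenset({53})),
    Rule("ftp", TCP, src_ports=EPHEMERAL, dst_ports=frozenset({21})),
]

# Kerio-style rules: same ports, but each rule is bound to one executable (assumed names).
APP_RULES = [
    Rule("firefox web", TCP, src_ports=EPHEMERAL,
         dst_ports=frozenset({80, 443}), app="firefox.exe"),
    Rule("mailer pop3/smtp", TCP, MAIL_SERVERS, EPHEMERAL,
         frozenset({25, 110}), app="mailer.exe"),
    Rule("resolver dns", UDP, DNS_SERVERS, dst_ports=frozenset({53}), app="svchost.exe"),
]

# AppDefend-style list (assumed): which processes may use the network at all; no ports.
APPDEFEND_ALLOWED = {"firefox.exe", "mailer.exe", "svchost.exe"}


def first_match(rules, p: Packet) -> Optional[str]:
    """Name of the first allow rule matching p, or None (default deny)."""
    return next((r.name for r in rules if r.matches(p)), None)


def chx_allows(p: Packet) -> bool:
    return first_match(CHX_RULES, p) is not None


def app_firewall_allows(p: Packet) -> bool:
    return first_match(APP_RULES, p) is not None


def chx_plus_appdefend_allows(p: Packet) -> bool:
    # AppDefend is only an on/off switch per process; CHX still sees only ports.
    return p.app in APPDEFEND_ALLOWED and chx_allows(p)


if __name__ == "__main__":
    mailer_to_web = Packet("tcp", "203.0.113.10", 80, 2048, app="mailer.exe")
    for name, fn in [("CHX-I", chx_allows), ("app firewall", app_firewall_allows),
                     ("CHX + AppDefend", chx_plus_appdefend_allows)]:
        print(f"{name:16} mailer -> 80: {'allow' if fn(mailer_to_web) else 'deny'}")
```

    The first-match, default-deny evaluation mirrors how the thread describes CHX-I (no filters means nothing passes); the stateless rules also show why the ICMP 3/3 and source-port-range entries are needed at all. The difference between the three policies is entirely in whether the rule can see the `app` field.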
  15. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    You're right, even I don't know exactly what I want.
    In my professional life, I'm working with perimeter FWs (FW-1, PIX, ...), so every day I see rule-based FWs, exactly the way CHX works.
    That's why I would prefer using CHX instead of non app FW.

    On the other hand, I like to be as restrictive as possible, for my mailer software for example.
    So I need app restriction.

    I will test CHX with AntiHook/AppDefend/whatever. Many of you are using it, I'm sure it's a good solution too (even if my mailer is allowed to go to port 80!).
     
  16. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    CHX-I is a non app fw o_O
     
  17. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Yes, just a typo in my last post ! Sorry.
     
  18. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    No problem, we all make tpyos :D

    Alphalutra1
     