Sygate Question

Discussion in 'other firewalls' started by snowboard, Jun 26, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'm not running Outpost now, but that should be fine...
     
  2. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    ok :)

    Regards,

    snowboard
     
  3. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Snowboard:
"I need for someone to help me make an advanced rule for blocking icmp attacks."
    Are we now talking about Outpost or Sygate?
     
  4. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
Didn't you see my post that said..

    I only need help if someone has a better way to setup the ICMP settings on Outpost, than the default settings it already has.

    Regards,

    snowboard
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
  6. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
Thanks, I'll look into this :)

    Regards,

    snowboard
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  8. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
  9. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    snowboard hi :)

This may/may not be of any use to you, but this is how I set up rules using Kerio PFW4 regarding ICMP with no ill effects.

    Cheers, TAS
     

Attached file: 061.GIF (8.8 KB)
  10. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    Why do I need their sample rule set if I am just using CHX for a stricter SPI?
    I am using it along side Sygate with no packet filter rules and with Interface Properties: Deny Incoming Fragments, Deny TCP Packets Containing CWR ECE Flags, and TCP, UDP, and ICMP SPI.
     
  11. Arup

    Arup Guest

    Hope Stefan clarifies this but for CHX, unless there are filters in place, the interface is not in effect, at least this is what I understand from the CHX help file.
     
  12. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Arup:
    Thanks for the info. Maybe Stephan will set us straight. (IMO, a CHX forum is badly needed.)
    In the meantime I have downloaded the sample rule set and have imported the file. I've also changed the Interface Properties, just allowing SPI for TCP, UDP, and ICMP.
     
  13. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    I just made 0,3,11 coming inbound and 3,8 going outbound like yours. Thanks ;)

    Regards,

    snowboard
     
  14. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    I did likewise with Sygate in the Advanced Rules, and no "ill effects".
     
  15. Arup

    Arup Guest


    dholiday,

    What kind of activity do you see in your CHX logs? Also check out http://members.shaw.ca/bind-pe_and_ics/chxi.htm

Start with the basic 2.6 filters and then you can check out the newer TW ICS filters. There are certain things you can take out of them, like the ICS and TW filters, but otherwise they are quite well written and also incorporate an effective Deny Trojan filter.
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Dholiday - With no rules, CHX does nothing. It allows all traffic in/out by default when there are no rules in place. I would recommend a good reading of the online documentation. It's worth the time spent to understand how CHX works...
     
  17. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
Yes I agree, but people are so hung up on outbound app control and firewall leaktests that I don't think that will happen. But if you post your questions here there are people like Kerodo, Jazzie, Arup and Diver who are knowledgeable and can help you out.

As a matter of fact, IIRC, Phantom said he may write some rules when he's got time in a previous thread. In the meantime go with Arup's suggestion and use some of the filters already out there and experiment. That's what I did and I'm by no means an expert in figuring out filters and rules for firewalls.

    Regards,

    Jaws
     
  18. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    I had the logs turned off but have enabled them.
    I have seen the link you provided, but don't know of how much help it would be to me as I no longer use Treewalk, and I am not on a LAN/ICS.
     
  19. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
Thanks for clarifying the need for rules.
    I've read the documentation twice. Maybe I should read it more slowly. I'm not sure on some options, for instance "Deny All Incoming Packets" and "Deny TCP Packets Containing CWR ECE Flags".
     
  20. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47

    Perhaps the documentation is somewhat confusing and it needs some polishing.

TCP state options are applied on all traffic traversing the interface, regardless of the presence of static rules. So are the UDP & ICMP pseudo-state feature and IP frag analysis & CWR/ECE flags.

In the case of TCP state analysis, sessions are always allowed to be created bi-directionally (by a SYN segment) and any subsequent segment that does not "belong" to a particular session is discarded.

    In the case of UDP/ICMP pseudo-state the behavior is different since we must impose a "direction" with respect to each interface. Thus - only outgoing (on each interface) UDP/ICMP packets create "pseudo-sessions" and incoming packets are discarded if they do not have a match in their respective pseudo state tables.

    Hope this clarifies things a little and apologies for the confusion the manual might have generated.

    Best regards,

    Stefan.
     
  21. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
Docs confusing? Somewhat, yes. Using Kerio 2.15, where I learned how to write rules, "teaches". CHX-I demands much of a novice or even someone, like me, who has worked with Kerio for years.
But this reply is one of the clearest explanations you've provided, at least for me. I thank you for the time you've spent replying to this question, and I'm sure other CHX-I users will second that.
     
  22. Arup

    Arup Guest

    Hi Stefan,

    At the cost of being redundant, any dates for the new CHX 3?
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I am apparently wrong then.. Thanks to Stefan for clarifying about the SPI and rules, and my apologies dholiday for my incorrect statements. I was under the impression that rules needed to be present for SPI to be functional.
     
  24. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Arup:
    After several hours with CHX-I and Sygate running in tandem CHX-I is logging these:
    Incoming - UDP - Out of Connection
    Outgoing - TCP - Ack Fin - Out of Connection
    Incoming - TCP - Ack Syn - Invalid Flags
     
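A toy model of the two state-tracking behaviours Stefan_R describes in post 20 (TCP sessions created by a SYN in either direction, UDP/ICMP pseudo-sessions created only by outgoing packets), producing verdicts in the spirit of the "Out of Connection" log entries dholiday lists above. This is added example code, not CHX-I's implementation; the endpoint addresses are constructed, and keying sessions by endpoint pair and treating only a bare SYN as session-creating are simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" or "out" relative to the interface
    proto: str                     # "tcp", "udp" or "icmp"
    local: str                     # local endpoint "ip:port" (constructed values)
    remote: str                    # remote endpoint "ip:port"
    flags: frozenset = frozenset() # TCP flag names, e.g. {"syn"} or {"ack", "fin"}

class InterfaceState:
    """Simplified per-interface state tables (assumption: keyed by proto + endpoint pair)."""
    def __init__(self):
        self.tcp_sessions = set()     # full TCP state
        self.pseudo_sessions = set()  # UDP/ICMP pseudo-state

    def inspect(self, pkt):
        key = (pkt.proto, pkt.local, pkt.remote)
        if pkt.proto == "tcp":
            # A SYN in EITHER direction is allowed to create a session.
            if pkt.flags == frozenset({"syn"}):
                self.tcp_sessions.add(key)
                return "allow"
            # Every other segment must belong to an existing session.
            if key not in self.tcp_sessions:
                return "deny: Out of Connection"
            if "fin" in pkt.flags or "rst" in pkt.flags:
                self.tcp_sessions.discard(key)   # session torn down
            return "allow"
        # UDP/ICMP: direction matters. Only OUTGOING packets create pseudo-sessions;
        # incoming packets are dropped unless they match one.
        if pkt.direction == "out":
            self.pseudo_sessions.add(key)
            return "allow"
        return "allow" if key in self.pseudo_sessions else "deny: Out of Connection"

def run_sample():
    """Constructed traffic illustrating each rule; returns (direction, proto, verdict) tuples."""
    st = InterfaceState()
    sample = [
        Packet("out", "udp", "192.0.2.10:5353", "198.51.100.1:53"),   # DNS query creates pseudo-session
        Packet("in",  "udp", "192.0.2.10:5353", "198.51.100.1:53"),   # reply matches it
        Packet("in",  "udp", "192.0.2.10:1900", "203.0.113.7:1900"),  # unsolicited inbound: dropped
        Packet("in",  "tcp", "192.0.2.10:80", "203.0.113.9:4000", frozenset({"syn"})),        # inbound SYN creates session
        Packet("out", "tcp", "192.0.2.10:80", "203.0.113.9:4000", frozenset({"syn", "ack"})), # belongs to it
        Packet("out", "tcp", "192.0.2.10:443", "203.0.113.5:9", frozenset({"ack", "fin"})),   # no session: dropped
    ]
    return [(p.direction, p.proto, st.inspect(p)) for p in sample]
```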
  25. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    No problem Kerodo. We are both learning, so mistakes can be expected.
     