Very good combonation . . .

Discussion in 'other firewalls' started by TECHWG, Nov 17, 2005.

Thread Status:
Not open for further replies.
  1. TECHWG

    TECHWG Guest

    Outpost firewall Pro, with all adapters set tp netbios and trusted, Disable all plugins and leave it on rules mode. Then run CHX-i and add the standard rules to make it secure like the tcp in except syn, all udp in,icmp 0 0 in, and add rules for the external nic blocking in and out 135,137,138,139,1025,445 and then add a rule that will not conflict that when enabled will allow all TCP in and out - EXCEPT for the rules that are specifically blocking ports . . Now let me explain this.

    What this does is keep you secure just as a NAT router with firewall would. You have to "forward" the ports kind of "i know its not the same but for the sake of argument and beginers its forwarding them". You now have outpost for outbound control PLUS if you like me use MSN and have trouble with forwearding the ports and still file transfers go Ludacrisly slow you enable the rule that allows all inbound , Then outpost will stealth all closed ports as normal, and CHX-i will deal with icmp and the closed ports. This way you are still invisible closed ports are stealth and open ports will work as normal.

    What do you think to this? I have been working on this method for 2 days and its about done i think , I forgot to say i allow all icmp on outpost too since CHX deals with that.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi,
    I found a simpler way of making NAT.
    Just configure ICS on pair of computers. Even with firewall down, all ports closed...
    But it's a nice combo. However, what about port 5000, 443?
    Mrk
     
  3. TECHWG

    TECHWG Guest

    443 is not open on my system, and 5000 is used by yahoo at times . .

    I am not on about a nat, it i want nat i would run 602 pro lan suite. I am talking about the security that a nat router with firewall gives you , you get when you configure those programs as i described. that way if you need msn or anything else that wants to open ports and recieve, you "enable" the rule that lets all tcp ports through but, you have to make sure prioritys are right on all your rules to make sure that when you enable this rule to let all in that the other block rules are still in effect. So outpost will stealth all closed ports, and CHX will deal with the icmp and with other tweaks will stop SYN floods etc Plus block selected ports. and you have application control with outpost.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    SYN floods, at home?
    I use single software firewalls on every machine and never had problems with open / closed ports or anything.
    Nice concept though, what I don't understand why not Outpost is not enough to stealth everything.
    Mrk
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    I don't see any need for both to be honest. You're just double filtering with double SPI as well, which might not be good. Outpost by itself will already keep everything inbound in check, so why the need for CHX? Outpost handles ICMP properly. If you're worried about other things, then perhaps Harden-It is appropriate. But I see no need to run both Outpost and CHX. It's very redundant..
     
  6. TECHWG

    TECHWG Guest

    Redundant No . .

    with CHX-i i can tell it what i want and when, while outpost deals mostly with applications. I like the face that if something bad happens to my outpost chx-i will be there blocking all inbound ports except for ones i allow in. Outpost is a pain in the arse for that and i cant be doing with it. it is Not redundant. at all
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    It is very redundant..

    If you don't like Outpost and do like CHX, why not run CHX with something like ZA(P) which allows you to turn off the internet filtering and just use the app control? That might be a better solution.

    When you run CHX with Outpost, you are double filtering internet traffic and you've also got 2 SPIs going on. Very redundant. Also, Outpost allows you to create internet filtering rules as well as app rules, so you can indeed do what you want in Outpost alone..

    Just a few things to consider..
     
  8. TECHWG

    TECHWG Guest

    firstly, question. If i only use CHX for my internet protection (disregarding app control) and i load the rule to allow all incoming connections to any open port, how will that affect my security? because simply put i now "exist" online and my ports are not stealthed and i show ip as having open and closed ports ..? And yes i would like to do that and have my internet filtered only once but i want my closed ports to always show up stealthed at all times even when i load the rule . I need this rule so that i can function on msn with sending files and voice, since "forwarding" ports or allowing them inbound does not help. So basically put can CHX protect me even if i load this rule? and what abotu more complicated attacks and things like what sygate etc have updates for? will they get detected? please i would like youe input since if you can reassure me that chx will work how i want i will happily ditch outpost for this functionality. But i load that rule if and when i need to, otherwise all my ports are unavailable apart from ones i allow "forward so to speak"
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    First let me ask, in CHX, did you go to the Interface Properties tab and turn on SPI for all protocols (TCP/UDP/ICMP)? This is necessary. You should be getting stealth even with the sample rule set if you have done this. There are also other rule sets for CHX, which others have posted. But the first thing is to check and make sure you've enabled SPI on that Interface Properties tab. Right click on Interface and select Properties, then check the SPI options..
     
  10. TECHWG

    TECHWG Guest

    Yes, but i get problems with my isp dhcp if i use spi on udp. and Yes i can get stealth when i set it up, But when i enable my rule that lets all tcp connections in i get closed port status and the stealth ones i manually blocked . . All i need to do is get CHX to allow (at will) with a rule the ability to allow all inbound tcp ports but the closed ones need to remain stealth at all times. I am ghaving a hard time making this happen. i may look into ZAp for program control and add process guard to protect it But i need stealth on all closed ports this is my only concern
     

    Attached Files:

  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Well, I am not really sure what is going on there.. You may need a force allow inbound for dhcp to work properly. I did.. Otherwise, all I ever used is the sample rule set, with a force allow or two for dhcp related stuff. Never had any stealth problems. I am not sure what more I can say on that one. Perhaps best look at the CHX online docs more, or maybe someone else here can help out.. I'd try and keep the rule set as simple as possible and not make it more complex than necessary though...

    Also, you might try here: http://fluxgfx.com/ssc/ in the CHX forum for more help. Stefan posts there regularly..
     
  12. TECHWG

    TECHWG Guest

    Ok the concept, Outpost makes all closed ports STEALTH yes? and any ports that are open are accessible at any time total inbound port access, but the closed ports remain stealthed. all i need to do is make sure that all my ports that are closed remain stealthed and allow all inbound connections to any open port that is open.
     
    Last edited by a moderator: Nov 17, 2005
  13. TECHWG

    TECHWG Guest

    and also what are these triggers? i do not understand what to use triggers for, they look like normal filter rules
     
  14. Arup

    Arup Guest

    Trigger is auto port forwarding like UPnP except much safer and unlike UPnP which is an XP only feature, works with 2K and 2003 as well.
     
  15. TECHWG

    TECHWG Guest

    Arup good good .

    can you please give me a small example of how i would use triggers? maybe i could have a trigger with a huge port range in it to that if msn opens a port it will spontaniously open it ??
     
  16. TECHWG

    TECHWG Guest

    well i disabled my services rule so that all ports would be stealth, then i made a filter allowing port 21 tcp in Forced, and still grc said stealth? how do you use filters i need some examples or more information on exactly how to use them and what their main uses are. Thanks guys. They should add this information in the manual really.
     
  17. TECHWG

    TECHWG Guest

    To the guy in the other post i made,I downloaded those rules and did all the packet inspection stuff and addedd the rule for my ftp. Then i did a grc, and it said open as i would expect, THEN i stopped the ftp server running and retested and it said closed . . . THis is my problem the closed i need it to read stealth when a port is closed. Maybe these triggers could help perhaps? i just need someone to explain their usage and how i can get a trigger to work.

    I really do think triggers could be my magic bullet
     
  18. Arup

    Arup Guest

    For running FTP server, you don't need a rule in CHX, just specify allow inbound FTP passive or active in CHX properties for the interface connected to the net, thats all. Keep using the rule which you downloaded, don't add anything else. You will be fully stealth, I was the one who posted the link on the other thread about the download.

    About trigger, you do exactly as you set port forwarding rules in a router, that is setting IP of the app as well as ports range for which inbound is required, it lies dormant till the specific app IP requests goes outbound and requests inbound access, actually its like a dynamic inbound access rule on the fly.
     
  19. TECHWG

    TECHWG Guest

    well i tried what you said about the ftp and it comes up stealth if i dont have a rule letting 21 tcp in, But the trigger screen looks like a normal rule screen. How can i make it work? if i can keep my self completely stealth apart from 21 as we know and let MSN open what ever it wants that would be very very cool.

    Please explain to me the simples of making a program say msn.exe allowed to open any port it wants for incoming..
    Thanks very much
     
  20. Arup

    Arup Guest

    If your port was stealth using my recommendations, you don't have to do anything further and you won't need an inbound rule for FTP port 21, now for MSN inbound, you have two choices, you have to see the IP ranges MSN uses for connecting out and the inbound ports it need to connect, there is a list at MSN site as well as on Google, then just add those to the new filter you create specifying the port ranges or as individual ports, after that fire up MSN and then do a GRC scan.
     
  21. TECHWG

    TECHWG Guest

    inbound ports is the problem. you can not accomodate for this since they change every time this s why i wanted to make the msn program able to open any port and have it show open . . .

    I want to know how to use triggers. Nobody is telling me "how" to use them. . . they look like a normal rule screen. i need to either get all open ports accessible in real time withought allowing them while keeping all closed ports closed ?!?! and the easiest way would be using this trigger as you say to let say "msn.exe" have open ports from 1024-65535. that way msn can open any thing it wants and other programs will not work since they dont have a rule for them.

    Can you please "explain the way to use" triggers.
     
  22. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    Triggers are "dormant" filters activated by payload events.

    For instance, if you create a trigger Force Allow incoming dstport = 123, you can then define a payload filter that scans outgoing data for byte stream = xyz and pass the remote IP as an argument to the defined trigger, as well as an optional timeout value. This is an example of permissive trigger. Alternatively - you can define prohibitive triggers - deny from the variable IP if something is detected in the payload.

    For dhcp traffic you must add a force allow UDP srcport=67,68 dstport=67,68 dstIP = 255.255.255.255/255.255.255.255.

    Regards,

    Stefan
     
Thread Status:
Not open for further replies.