What CHX-I rules to make

Discussion in 'other firewalls' started by mrpringle, Mar 10, 2006.

Thread Status:
Not open for further replies.
  1. mrpringle

    mrpringle Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    14
    Hi,
    I have installed CHX-I and I am uncertain what rules are necessary for my system. I have a dialup connection with a dynamic ip, my internal network uses 192.168.0.0/24.

    The only way to secure yourself on the internet is to only allow the LAN traffic and block everything else, but obviously this defeats the purpose of an internet connection.

    This is just an assumption, but when using CHX-I do you have to configure it for every program which uses the internet, this would really be time consuimg and frustrating.

    So can anyone tell me where I can find a basic set of rules for CHX-I which I can modify for my system?

    Thanks
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Have you tried any of the sample filter sets available on their site? You might want to start with the "Internet Workstation" which is explained in the help file.

    Regards,

    CrazyM
     
  3. Arup

    Arup Guest

    Dial up,import sample ruleset named Workstation for your WAN PPP,under WAN PPP properties,enable SPI for TCP/UDP/ICMP, go to www.grc.com and do a scan and see if you pass the test,if everything is green and you can access the net,you are safe and sound.
     
  4. mrpringle

    mrpringle Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    14
    thanks for that, sounds good.

    Will I need to set up access for edonkey and bittorrent, or isn't it blocked by the sample rules.
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    You have to set up the rules for them...

    If you need some help... ;)
     
  6. mrpringle

    mrpringle Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    14
    Ok,
    I think I've done something wrong.
    I loaded the workstation.sfd file into the Packet Filters (Global)
    Then I turned on stateful inspection for TCP, UDP and ICMP under the Dialup or VPN / Public tree.

    When I opened edonkey it connected fine and bittorrent was still working, I haven't tested it yet, but I didn't think edonkey and bittorrent would work without configuration to allow them to use the connection.

    Also can someone tell me if the packet filter list is like the cisco router access lists, where the order of ip addresses is important.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    You will probably need a Force Allow inbound for the p2p ports involved in order to get your speeds up to par. I don't do p2p (or use CHX) anymore so I can't help too much, but one of the other guys probably can.
     
  8. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Your bittorrent and emule applications might seem like they are working, but they are probably not able to accept incomming connections. Use "force allow" with a local port specified for UDP. For TCP "force allow" works, but "allow" is better.
     
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    mrpringle,

    See the examples rules that I use for the P2P... ;)

    P2P.sfd

    Hope that they are useful to you...
     
  10. mrpringle

    mrpringle Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    14
    before I worry about configuring p2p software, I ran a scan at grc.com and it said, "Without your knowledge or explicit permission, the Windows networking technology which connects your computer to the Internet may be offering some or all of your computer's data to the entire world at this very moment!"

    I don't understand what is wrong, I loaded the workstation configuration into CHX-I and I turned on stateful inspection.

    How can I fix this?

    Thanks for everyone's help so far.
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Is that not just part of the greeting or opening comments on the scan page?

    What was the actual scan result?

    Regards,

    CrazyM
     
  12. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
  13. mrpringle

    mrpringle Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    14
    Yes, lol, I feel like a bit of an idiot.

    All the tests came back fine. Does this mean I don't really need an additional firewall program installed on there like kerio, or outpost, ..........
     
  14. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    At this moment you only have inbound protection...

    I only use CHX and I'm delighted with it! :D

    The examples rules helped?
     
  15. mrpringle

    mrpringle Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    14
    I am happy with it to. I ran tests with sygate and outpost pro installed and with both of those firewalls the tests at grc showed I had ports left open.
    Then I used the sample rules for CHX-I and ran the same tests at grc and all my ports were stealthed completely.
     
  16. Arup

    Arup Guest

    All you need to do is to monitor for any unsolicited outbound connections and TCP View from www.sysinternals.com is a fine freeware to monitor connections,additionaly you can also use Hosts file to keep pests out. CHX will do best for inbound.
     
  17. mrpringle

    mrpringle Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    14
    thanks for everyone's contribution.
     
  18. khazars

    khazars Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    124
    Location:
    Glasgow, Scotland
Loading...
Thread Status:
Not open for further replies.