What does CHX-I do and where can i download it?

hey,

Ive been looking for a packet filter to go along my firewall, and while looking through threrads at Wilders i came across 'CHX-I. Some of what i have read is very interesting and i would really like to download this program and test it.

I do have a couple of question though;

>Does it work with most firewalls?

>Is it easy to configure?

Thank you for all the replys i receive

Tom

 

Here's their site - http://www.idrci.net/ ... I can't answer any of your questions because I haven't ever used it. It's free for presonal use, but it looks like you need to register it.

 

Cheers Dog!!-man

 

if u use CHX-I + a firewall for applicaiton control, there is a good chance you will need to disable some componenets of the firewall for everything to run smoothly.

 

for LnS its pretty easy, just disable internet filtering.

 

Tom - CHX-I works fine with every other firewall I have used it with, and there have been many, trust me. Never had one conflict of any kind whatsoever. If you have internet filtering enabled on both firewalls, then the other firewall will usually get the incoming traffic first, with CHX-I catching anything the first firewall allows thru. Most of the time this will just be misc packets that the first firewall allows, but CHX blocks due to slightly stricter SPI in CHX. So this means you will see most of the blocked activity in the other firewall's logs, with a few misc packets in the CHX logs.

Best thing is to install CHX and then run another firewall just for the app control, with internet filtering disabled if possible. You can disable it in ZA and LnS, so those 2 would work well with CHX. You can also use Jammer (from Agnitum/Outpost people), which would just give you basic app control, however Jammer is no longer supported and you'd have to find a cracked copy of it to use it past the 30 day trial period (and of course I would not recommend that ). I think they have it on their site mostly in hopes that people will try it and then buy Outpost.

You can (if you want) also run any other firewall with CHX and have both of them filtering internet traffic, however, this is slightly wasteful and would basically be double filtering all your port 80 browsing traffic and so on. Not as efficient, but still possible without problems nevertheless.

Is CHX easy to set up? It's fairly simple if you spend a little time and read thru the Online Docs to get a quick overview of how it works. First time I tried it, I just downloaded the sample rule set and then modified it for a few dhcp oddities I had here. Make sure to turn on SPI for all protocols in the Properties menu of the Interface Filters. Just read the docs and that will help a lot.

 

Your current firewall does not do packet filtering?

Any particular reason you feel you need more than one software firewall?

The way rules work/are applied in CHX-I takes a little different approach than some other rule based firewalls so reading the help file and understanding this is important.

Regards,

CrazyM

 

I am behind a router, but some times packets seem to slip through and get caught by my software firewall, so i was looking for a packet filter to stop this from happening. Not sure why this happens, as a result i dont totally trust the router - seems to be a result of a firmware upgrade.

I have looked at the instruction and help files, at first it does look at to get my head around, but i think i could probably figure it out.

http://www.idrci.net

I also noticed they do a CHX-I NAT filter, has anyone used this or should i just stick to the regular one?

Thank you all,

Tom

 

Tom, if you already have another software firewall running and it catches what your router let's thru, then I don't think you really need anything else there.. CHX-I is great, but it would just be duplicating what your other software firewall is already doing. No need for 2 programs.

 

[QUOT]I am behind a router, but some times packets seem to slip through and get caught by my software firewall, so i was looking for a packet filter to stop this from happening. Not sure why this happens, as a result i dont totally trust the router - seems to be a result of a firmware upgrade.[/QUOTE]

No software firewall will catch inbound traffic from behind a ROUTER. Unless, you are set up from behind a DMZ... If you don't trust your router (or need a better one!) Set your private ip up to a DMZ. Then have a good SPI packet filter or an adequate software firewall that does simulated spi like Outpost....

 

Do you have any samples from your logs as to what is showing up at the software firewall? Unsolicited inbound packets should not be making it past the router.

By all means check it out if you want to replace your current software firewall. I just don't recommend running more than one.

With a router in place which is doing NAT there would be no need to run this on a system behind it.

Regards,

CrazyM

 

It does happen when i update programs but i think that kinda normal. It also happens when i browse some sites and the pages take along time to load, which results in my software firewall catching or stopping the dropped packets.

These are some unsolicated packets stopped by my firewall>(removed my Ip and last part of the incoming Ip)

2005/08/06 20:08:51 67.15.82.*:80 ****:3071 Port 3071 (TCP)
2005/08/06 20:07:46 67.15.82.*:80 ****:3071 Port 3071 (TCP)
2005/08/06 20:07:02 66.201.*.145:80 ****:3146 Port 3146 (TCP)
2005/08/06 20:05:42 67.15.82.*:80 ****:3071 Port 3071 (TCP)
2005/08/06 19:51:59 204.11.*:80 ****:2518 Willy

 

Those would appear to be valid return traffic permitted by your router that your software firewall is denying (possibly because it considers them late/out of state). What suggests this in the logs is the source port 80 (HTTP - web browsing) and the destination port being within the normal ephemeral port range (1024-5000 - the local ports used by your OS when initiating outbound connections).

Without the full source IP's I could not say for certain, but you should be able to confirm by looking up the source IP's (Who Is or RDNS) and they will likely come back to a site you visited online. Or if you router and/or firewall logs outbound connections, you should see the outbound connections prior to those entries.

Short answer: Those are not unsolicited inbounds and nothing appears to be getting past your router

Regards,

CrazyM

 

Thank for your help CrazyM, i did a Whois at samspade.org and the web address that relate to the IPs i have never been to, good thing is though is my firewall is block these packets

Cheers for your help,

 

Keep in mind that when you visit web sites that the content on the page(s) could be coming from multiple servers, not just the one you used to get there. So when doing a WhoIs or RDNS they may not always come back to the actual site (URL) you are familiar with.

Example: connecting to something like yahoo.com and checking my router logs showed a total of 8 outbound HTTP connections. Two of the IP's came back to Yahoo, but the remainder were to other carriers and associated to Akamai servers providing content.

I still doubt if unsolicited inbound packets are getting past your router, but you would need complete logging ability to trouble shoot this and would depend on whether your router and/or software firewall provide this.

Regards,

CrazyM