Will modifying certain Windows TCP/IP settings affect CHX-I?

Discussion in 'other firewalls' started by delerious, Feb 27, 2007.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member
    Joined: Jul 16, 2006 | Posts: 130
    I'm running CHX-I on my Windows 2000 system. Some of the things that it lets you configure are fairly low-level, like limiting the number of half-open connections from a single host, and activating SYN flood protection if the number of half-open connections reaches a certain value.

    Right now I'm looking at the Windows 2000 Hardening Guide (downloadable from Microsoft), and it recommends that you apply the security templates that come with it. I notice that these templates change certain registry settings, including many under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. Some of these registry settings have to do with SYN attack protection and half-open connections, which are some of the things that CHX-I lets you configure.

    So I'm wondering if I were to apply the security templates (which would change those TCP/IP registry settings), would that affect the operation of CHX-I at all? Does anyone know if CHX-I is dependent on those registry settings, or if CHX-I does not use them at all?
     
  2. Stem

    Stem Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    Hi delerious,
    CHX does not make changes to the Windows TCP/IP parameters for the settings you mention. When you make a change within CHX for the limit of connections etc., these settings are stored in the registry (for CHX3) at hkey_local_machine\software\third brigade\chxmpf\version 1.0\interfaces\* and are used internally by CHX.

    So I do not see CHX being dependent on the tcpip entries.
     
  3. delerious

    delerious Registered Member
    Joined: Jul 16, 2006 | Posts: 130
    Thank you for the reply, Stem. I have one more question hopefully you or someone else can answer.

    If both the Windows TCP/IP and CHX are configured to protect against SYN attacks, what will happen? Who will intercept incoming packets first? Will CHX handle everything, and Windows TCP/IP will be totally out of the picture? Or will they both be involved somehow?
     
  4. Stem

    Stem Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    Hi delerious,

    Interesting question, I have never checked.

    If you get no answer, I will set up on W2K later to check.
     
  5. Phant0m

    Phant0m Registered Member
    Joined: Jun 7, 2003 | Posts: 3,684 | Location: Canada
    delerious: It would depend on the configuration of both things; if set properly you can have CHX-I intercept first, and adjusting them to be equal or almost equal may result in the best of both worlds.

    Hardening the TCP/IP stack against SYN attacks is also available under Windows XP, even though there have been some changes already.
     
  6. Stem

    Stem Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    Hi delerious,
    Although your question has not been answered, Phant0m's suggestion is probably the easiest/best to do. That would be to set, as an example, the half-open connections limit in the OS to, say, 105, and set the limit for this in CHX to 100 (or a similar difference, depending on the limit you want). It then would not matter which was intercepting first, but as mentioned, you would have the backup if one were to fail.

    I did set up to try and check this, but was not given an alert from CHX on the half-open connection limit being reached, or my setup was incorrect. I will try another setup when I have more time.
     
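As an added example (not code from this thread, from CHX or from Microsoft), and assuming a hardening template in the standard secedit .inf syntax that sets the Tcpip\Parameters values SynAttackProtect, TcpMaxHalfOpen and TcpMaxHalfOpenRetried: a small parser that lists which Tcpip\Parameters values a template would change (the question in post #1) and checks the layering rule from post #6, that the CHX half-open limit sits below the OS limit so CHX trips first and the stack's own protection stays as the backup. The template text is constructed for the example.

```python
TCPIP_PARAMS = r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed sample of a security template's [Registry Values] section.
# Each line is <path>\<value name>=<type>,<data>; type 4 means REG_DWORD.
SAMPLE_TEMPLATE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,105
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried=4,80
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""


def parse_registry_values(text):
    """Map value path -> (type, data) for the template's [Registry Values] section."""
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        path, spec = line.split("=", 1)
        typ, _, data = spec.partition(",")
        values[path.strip()] = (int(typ), data.strip())
    return values


def tcpip_changes(values):
    """Name -> DWORD data for every Tcpip\\Parameters value the template sets."""
    prefix = TCPIP_PARAMS + "\\"
    return {p[len(prefix):]: int(d) for p, (t, d) in values.items()
            if p.startswith(prefix) and t == 4}


def check_layering(values, chx_half_open_limit):
    """Post #6's rule: keep the CHX half-open limit below the OS TcpMaxHalfOpen so
    CHX trips first and the stack's own SYN protection remains as a backup."""
    os_limit = tcpip_changes(values).get("TcpMaxHalfOpen")
    if os_limit is None:
        return "unset: template leaves TcpMaxHalfOpen alone; CHX limit stands on its own"
    if chx_half_open_limit < os_limit:
        return "ok: CHX limit %d is below OS TcpMaxHalfOpen %d" % (chx_half_open_limit, os_limit)
    return "warn: CHX limit %d is not below OS TcpMaxHalfOpen %d" % (chx_half_open_limit, os_limit)
```

Point parse_registry_values at the text of a real template file to see which of the Tcpip values it would rewrite before applying it.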
  7. delerious

    delerious Registered Member
    Joined: Jul 16, 2006 | Posts: 130
    Thanks for the replies, Phant0m and Stem. I'm starting to get a little confused by this low-level networking stuff.

    Will the TCP/IP stack always be involved? Does it always get the incoming packets and then hand them to CHX? Or could CHX be "in front of" the stack, which means that CHX would get all the incoming packets and the stack would never get anything and never do anything?

    Stem: are you trying CHX 3.0 or 2.8? I heard there's a difference in driver implementation between the two versions (2.8 uses a filter hook driver and 3.0 uses an NDIS intermediate driver) so that might affect the behavior. I am running 3.0.
     
  8. Stem

    Stem Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    delerious,
    I am using CHX3.

    Thinking about it, CHX3 will be in front of the TCP/IP stack, or the limits/filters imposed within the settings would be of no use, as setting low limits on, say, half-open connections within CHX could make the TCP/IP overflow waiting to pass packets.
     
  9. delerious

    delerious Registered Member
    Joined: Jul 16, 2006 | Posts: 130
    Stem: you are right. I have discovered that NDIS intermediate drivers work at a lower level than the TCP/IP stack, so CHX will intercept incoming packets first.
     