slajoh01

join:2005-04-23

How to use CHX-1 Firewall?

I have an ADSL PPP type connection and from the CHX-1 firewall Management Console, I enabled both TCP-Stateful Packet Filtering and the UDP too...

Then I went to GRC's website and the ports show that they are all CLOSED rather than STEALTH.

How can I manage the CHX Firewall to have all of my ports be STEALTH?

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
you didn't say which version of chx-i that you are using.. i use chx-i build 2.8.2 and i don't know how to make it so that your computer will test as being stealthed..

incidentally, i have seen where firewall-tests would report that the computer was stealthed, but there was something wrong with the tests in those cases..

if you could block all TCP-inbound connections, then i think that you could pass as being "stealthed", but CHX-I build 2.8.2 will not allow for blocking all TCP-inbound connections because, at the same time, that blocks tcp-packets that come IN on your TCP-outbound connections..

i don't know how to create any rules in CHX-I that will allow me to block all TCP-inbound connections without, at the same time, killing my ability to connect OUT-TCP.. however, i did block some individual ports, trying to make things as tight as i could, but without causing too much of a hassle, where i would constantly have to be enabling and disabling rules..

maybe it is possible to block all tcp-inbound connections without killing the ability to connect out-TCP, but i don't know how to do it..

Alphalutra1

join:2005-10-06
127.0.0.1

Here are some pictures for the rules I use, and the settings for the LAN card.

[screenshots: ICMP Rules; Network Interface rules; ARP Rules; TCP and UDP Rules; DHCP Rules]

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to slajoh01
i tried blocking TCP-inbound "SYN" packets and now i am showing as being "stealthed" (with my regular software-firewall not running), and i am still able to surf the internet and download files with the TCP-inbound "SYN" packets blocked..

slajoh01

join:2005-04-23
Where can I download this? I forgot the website's address and I did a Google search too.

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to slajoh01
chx-i is meant to be used as a "packet filter".. it is not a "firewall", or a substitute for a firewall..

here is the link for the website:

www.idrci.net/

the program is free for personal use, though you might not notice that in "the fine print"..

i can't really tell you how to begin setting it up.. i just used "trial-n-error" in setting it up, which wasn't too hard to do..

i start with a rule for "LAN", for DNS, UDP-inbound, and a rule for WAN, TCP-outbound..

you can't access the "WAN" settings unless you are logged onto the internet..

like i said, i am using build 2.8.2 instead of the new 3.x build, which i haven't tried using..

so, i just used trial-n-error in setting up CHX-I.. after creating some rules, then i looked at the log to see what was blocked, and then created additional rules in order to accommodate the things that were being blocked, so that they wouldn't continue being blocked..

alpha's way of doing things might work just as well, while being simpler..

Alphalutra1

join:2005-10-06
127.0.0.1
TCP SPI is absolutely awesome for the firewall. Most people think that they should block TCP incoming in order to become stealth. However, even outbound TCP requires incoming TCP because it is kind of like a handshake. However, denying any TCP incoming with SYN flags makes it so that only you start the handshake, not anyone else.

The awesome SPI makes rulesets incredibly simple, while being even more secure. I only use the rules listed above, then add force allow rules for games and p2p, then I have IMO the best packet filter out there (not to mention probably the fastest for Windows).

Cheers,

Alphalutra1
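The SYN-flag point made in this post, and the CLOSED-versus-STEALTH result from GRC's test earlier in the thread, can be seen in a small model of a stateful TCP filter. This is an added example, not CHX-I code or anything posted by the thread's participants: the `Packet` fields, the `block_inbound_syn` and `stealth` toggles, and the IP addresses (taken from documentation ranges) are all assumptions made up for the illustration. It allows any outbound TCP, remembers the flows the host itself opened so their return traffic passes, and treats every other inbound packet as unsolicited; dropping those silently is what a port scanner reports as "stealth", answering them with a RST is what it reports as "closed".

```python
"""Toy stateful TCP packet filter (added example; not CHX-I code)."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"    # forward the packet
    DROP = "drop"      # discard silently: a scanner gets no answer ("stealth")
    REJECT = "reject"  # answer with a TCP RST: a scanner reports "closed"


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (from the internet) or "out" (from this host)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}


class StatefulFilter:
    """Allow outbound TCP, track flows this host opened, and decide what
    happens to inbound packets that belong to no tracked flow."""

    def __init__(self, block_inbound_syn: bool = True, stealth: bool = True):
        self.block_inbound_syn = block_inbound_syn
        self.stealth = stealth
        # flows keyed as (local ip, local port, remote ip, remote port);
        # connection teardown (FIN/RST) is omitted to keep the model short
        self.flows: set = set()

    def process(self, pkt: Packet) -> Action:
        if pkt.direction == "out":
            # A pure SYN leaving the host starts a new connection: remember it
            # so the server's SYN+ACK and later data count as solicited.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return Action.ALLOW

        # Inbound: look the packet up against flows we started ourselves.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return Action.ALLOW  # SPI: return traffic on a flow we opened

        unsolicited_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if unsolicited_syn and not self.block_inbound_syn:
            return Action.ALLOW  # inbound connection attempts permitted

        # Unsolicited packet of any kind: stay silent, or send a RST.
        return Action.DROP if self.stealth else Action.REJECT


def scanner_verdict(action: Action) -> str:
    """What an external port test would report for a probe handled this way."""
    return {Action.ALLOW: "OPEN", Action.REJECT: "CLOSED",
            Action.DROP: "STEALTH"}[action]


# Constructed addresses from the documentation ranges (assumption, not real hosts).
ME, WEB, SCANNER = "10.0.0.2", "203.0.113.10", "198.51.100.7"


def run_scenario(stealth: bool) -> dict:
    """Push a constructed packet sequence through the filter and return the
    decision taken for each step, keyed by a short description."""
    fw = StatefulFilter(block_inbound_syn=True, stealth=stealth)
    steps = {
        "browser opens connection": Packet("out", ME, 49152, WEB, 80, frozenset({"SYN"})),
        "web server SYN+ACK reply": Packet("in", WEB, 80, ME, 49152, frozenset({"SYN", "ACK"})),
        "web server sends page":    Packet("in", WEB, 80, ME, 49152, frozenset({"ACK", "PSH"})),
        "scanner probes port 135":  Packet("in", SCANNER, 40000, ME, 135, frozenset({"SYN"})),
        "stray ACK to port 445":    Packet("in", SCANNER, 40001, ME, 445, frozenset({"ACK"})),
    }
    return {name: fw.process(pkt).value for name, pkt in steps.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"stealth={mode}:")
        for name, decision in run_scenario(mode).items():
            print(f"  {name:28s} -> {decision}")
```

Run with both settings and the web connection is allowed either way, because the outbound SYN created flow state that the server's SYN+ACK matches; only the unsolicited probes differ, dropped in the stealth case and answered with a RST otherwise. That is the thread's observation in code form: blocking inbound SYN does not break browsing, because the browser's own connections never start with an inbound SYN.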

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to slajoh01
yes, alpha.. after looking at your rules, it dawned on me that, even though you allow tcp-inbound connections, you still have "stateful packet inspection" so that no unsolicited tcp-inbound connections are allowed.. and i also saw that you had "SYN" packets blocked, which gave me the idea to try that..

slajoh01

join:2005-04-23
The problem is I don't have what Alphalutra1's screenshots have. I am using build 2.8.1.

I don't see the PROPERTIES, CONDITIONS and SCHEDULE. I see or have only the second screenshot from his screenshots but I cannot seem to pull up the rest of the screenshots.

For example, I cannot even set the SYN settings like he has. Am I using the wrong build perhaps?

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to slajoh01
slajoh, alpha is using chx-i build 3.. if you want to use that instead of using build 2.8.x, then you can install the newer build..

i stuck with the "old" build 2.8.2, so what i have is like what you have.. you will see the settings for "SYN" packets, as well as for other TCP-packets, when you are creating or adjusting the settings for a "TCP"-rule.. for example, if you have a rule allowing "TCP-outbound", if you look at the "properties" (settings) for the TCP-rule, at the bottom of the window you will see the option for what types of TCP-packets the rule applies to, like "ack", "fin", "syn", etc.. by default, the rules are set for "any" tcp-packets..

i didn't try using chx-i build 3 because it looked too complicated, too complex, for someone like myself who is not an "expert".. i guess that you don't have to use "complicated, complex" settings with it, but i figured i would just stick with build 2.8.2, seeing that it didn't have any options for those types of settings.. not to mention that i wasn't sure that there were not any "bugs" with the new program..

Alphalutra1

join:2005-10-06
127.0.0.1
slajoh, you have to create new rules to see screens like those I have. Right click in the white space under your network card where it will say "There are no items to show in this view" in the management console and select the option to create a new filter, then model your filters after mine (ignore the ARP rule since chx-i 2.8 doesn't have the capability to filter it). Just remember that you may need to research more about firewalls and learn about TCP/IP before trying to work with this firewall, but it is actually easier IMO than other rule based firewalls since the SPI makes rule sets so un-complicated.

I have been using build 3 since it was in beta, and it has been rock solid since those stages. I only use the basic packet filtering portion of it, but you can also have incredibly cool rules that can filter internet traffic, only go during certain times of the day, and only work when certain traffic is occurring. Incredibly powerful packet filter with these new options, but I really don't understand them very well, but who cares. Another nice addition to the v3 is that ARP and other IP protocols can be filtered besides TCP/IP, and the fact that I think the driver is lower in the network stack in the newer version, thus offers better protection.

Cheers,

Alphalutra1

slajoh01

join:2005-04-23
OK, I had installed the version 3.0 but where can I get the license key for it?

And I still have problems getting those screenshots up. What do I have to click?

Alphalutra1

join:2005-10-06
127.0.0.1
I really hate to be blunt with you, but if you are incapable of creating a rule for a firewall, then you really shouldn't look into chx-i. All of my screenshots except for the first one are rules that I CREATED, by right clicking, then selecting new filter. I then typed in all of the data provided in my pictures (one picture = one rule).

In response to the license key, there is a link to register on their website somewhere, then fill out the details and they will e-mail one to you.

Alphalutra1

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to slajoh01
at the website, it says that the programs are free for "personal use".. i assume that that is true and that you don't need a license if you are a typical home-user..

slajoh, don't get hung up on the screenshots.. just go ahead and create some rules (if you want to) and THEN you will see the "windows", the "screenshots", for where you set the "properties" for the rules..

slajoh01

join:2005-04-23
I followed all the rule filters from the screenshots and I couldn't log on to my ADSL PPP type connection... All it said was DIALING 123... and the connection timed out. But when I cleared out those rules, everything worked. What did I do wrong?

Alphalutra1

join:2005-10-06
127.0.0.1
What's in your log? (look under logs, packet filter logs, then tell us what you see. Make sure you have the DHCP rule enabled)

Alphalutra1