
CHX-I and ICS




NOTE: The filters offered for download from this site are to be used as examples only and must be customized if implemented. For recent updates and the latest filters available from this site, also see CHX-I Upgrades and Notices. NOTICE: BIND-PE has undergone a significant name change, and is currently called TreeWalk DNS.

The CHX-I Packet Filter filters inbound packets according to rules that you control. CHX-I is used here to completely stealth this computer system with the filter set that can be found on the "CHX-I Packet Filter Management Console" page of this site. They are the BIND-PE and ICS filters (BIND_PE_Filters.zip - 1,136 bytes compressed). Details of this setup, which uses BIND-PE (now TreeWalk DNS), CHX-I, Kerio Personal Firewall, Windows 2000 and ICS, begin on the "An Introduction to BIND-PE (now TreeWalk) and Internet Connection Sharing" page. To unpack these filter sets, you will need a compression utility (see the links on the Freeware page of this site).

No matter how your system resolves its DNS, CHX-I will work on any Windows NT-family platform from Windows 2000 upward, but if you want the most out of surfing, whether you use ICS or not, you should also use BIND-PE (now TreeWalk). KPF 2.1.5 (download.kerio.com) and CHX-I (www.idrci.net) are also freely available for home use. Register with CHX-I for immediate notification of updates.

The following describes a configuration which employs a dedicated gateway computer that provides ICS to the LAN. You can run Internet Connection Sharing with a maximum of 10 computers using Windows 2000 Professional on the firewall/gateway (or HOST) machine.

As mentioned, the particular HOST machine in this example runs Windows 2000 Professional SP4, ICS, CHX-I Packet Filter with this downloadable filter set, Kerio Personal Firewall (v.2.1.5) for additional outbound controls, and some preferred monitoring and diagnostic tools, all with default installations. BIND-PE (now TreeWalk), for this configuration, is set up on each computer in the LAN except the HOST computer. The HOST retrieves name resolutions directly from the ISP's DNS servers, while the others get the full benefits of BIND-PE (now TreeWalk). It is simple to direct the HOST's DNS lookups to one of the LAN machines, and although this is preferable in most circumstances, it is not done in this particular scenario because the dedicated ICS computer is an older, slower machine that was not used for surfing or other tasks. A Pentium 133 MHz processor and 64 MB of RAM are the absolute minimal system requirements for this machine, with enough hard disk space to load some basic diagnostic and security tools. At least a 6 GB HDD should be considered, to allow room for logging.

A Typical ICS Network:

[Image: how a typical TreeWalk (BIND-PE) and ICS network might look.]

The router in use here is more commonly a simple hub or switch, and many ICS systems consist of only two computers which share a high speed DSL or cable modem connection. In that case, the hub or switch is unnecessary and the machines can be networked with a single Category 5 cable between the adapters used for the LAN-side communications. With ICS, it is easy to share files and printers between the units, although this setup requires a bit more diligence towards system security.

Disadvantage: The ICS machine must be on for any of the computers to share a connection through it. This computer also requires a second Ethernet adapter to provide the necessary two interfaces: one for the ICS (Internet) side and one for the LAN. The HOST/gateway/ICS machine then becomes a much larger NAT router than a typical broadband system, which is shown next.

Really, the only things subject to change in the ICS setup described on this site are the filter set for the CHX-I software and the distribution of Treewalk throughout the network. Like the Treewalk and ICS Filter Set used in the Introduction to Treewalk and ICS "How To" pages, this filter set (Filters.sfd in 2.6Filters.zip - 976 bytes compressed) allows complete LAN functionality and shared Internet access while rendering all computers "stealth" - invisible to other machines on the 'Net.

A Typical Broadband Router Network:

Disadvantage: The broadband router must be on for any of the computers to share a connection through it.
Similarities: Both concepts use NAT routing and both require the routing device to be powered on.

[Image: how a typical broadband router home network might look.]

Newer versions of the CHX-I Packet Filter may require minor re-investigation and tweaking, but the concepts will be the same. In an era laden with Internet Worms, you can still run a secure ICS network if you are willing to learn a few extra security basics, and as you are running Windows 2000 Professional, you are probably already headed in that direction. If not, you should be.

NOTE: If you are already a CHX-I user, make sure you export your existing filter set to a safe location (if you haven't already backed them up) by opening the CHX-I GUI (Graphical User Interface) to display your filters.

One way to export them is to select all by holding your left mouse button down below the last filter on the list and dragging your cursor up towards the left and over the field to highlight them. Choose "Export in a new File" from the right-click context menu. Importing a new Static Descriptor File (.sdf) is done by selecting the "Import" option instead. If you have any questions, the Help file will tell you what you need to know.

Previous scanner results are detailed on the Port Scanner Results page.

The rules used in this example, Filters.sfd (in 2.6Filters.zip), are listed like this:

[Image: the CHX-I Packet Filter v.2.3 Filter Set in use for this example.]


More complete details regarding these individual rules can be accessed on this site in a mini-web that was contributed by 'Stef', of the DevTeam from IDRCI (the home of CHX-I), in the "BIND-PE/CHX-I Packet Filter Configuration" pages. Only the ICS Global Interface (the HOST ICS NIC) uses this set, with the following settings applied to it, as shown here on "Settings for the ICS Global Interface".

[Image: Settings for the ICS Global Interface.]

Also note that you may need to use further filtering rules for other NICs. This system is stealthed and there are no outbound servers present or required at the time of testing. If you are running servers and need help for your particular setup, drop a line to the fantastic CHX-I DevTeam for expedient, professional help.
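To make the policy described above concrete (a filter bound only to the ICS global interface, LAN traffic left alone, unsolicited inbound packets dropped silently so the system appears "stealth"), here is an added Python model. It is not CHX-I's rule syntax or code; the interface names "wan"/"lan", the reply tracking by remembered 5-tuples, and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str      # NIC the packet arrives on or leaves by: "wan" or "lan"
    direction: str  # "in" (arriving from the wire) or "out" (sent to the wire)
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

class GatewayFilter:
    """Inbound filter bound only to the ICS global (WAN) interface.

    Modelling assumption: replies are recognised by remembering the
    5-tuple of packets that left via the WAN side (not CHX-I's own logic).
    """

    def __init__(self, filtered_iface="wan"):
        self.filtered_iface = filtered_iface
        self.state = set()  # (proto, src, sport, dst, dport) seen outbound

    def process(self, pkt):
        # LAN-side NICs carry no filter here, so file/print sharing keeps working.
        if pkt.iface != self.filtered_iface:
            return "pass"
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # Inbound on the WAN side: pass only answers to what the LAN sent out.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass"
        # Unsolicited: drop silently. No TCP RST and no ICMP unreachable is
        # generated, which is what makes the gateway "stealth" to a scanner.
        return "drop"

def run_sample():
    """Constructed sample traffic (documentation addresses); returns verdicts."""
    fw = GatewayFilter()
    sample = [
        Packet("lan", "in", "tcp", "192.168.0.2", 1025, "192.168.0.1", 445),  # LAN file share
        Packet("wan", "out", "tcp", "203.0.113.5", 3001, "198.51.100.9", 80), # NAT'd web request
        Packet("wan", "in", "tcp", "198.51.100.9", 80, "203.0.113.5", 3001),  # its reply
        Packet("wan", "in", "tcp", "192.0.2.77", 44444, "203.0.113.5", 135),  # unsolicited probe
        Packet("wan", "in", "icmp", "192.0.2.77", 0, "203.0.113.5", 0),       # unsolicited ping
    ]
    return [fw.process(p) for p in sample]
```

Running `run_sample()` gives pass, pass, pass, drop, drop: LAN sharing and the LAN-originated web session work, while the probe and the ping on the global interface get no response at all.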

October, 2003 UPDATE: "CHX-I v.2.6 Interface Properties Sheet".

The CHX-I Management Console

The CHX-I Management Console also includes the Active Network Processes component:
[Image: CHX-I's Active Network Processes sheet.]

As you will see, you can do a lot with this excellent program in conjunction with other tools and basic system utilities.
