From: Neil <new...@ma...> - 2004-05-31 11:53:50
I have installed CoLinux 0.6.1 and got everything working, but I can't get it to go through my Kerio firewall. I am using a TAP driver and ICS. When CoLinux first starts up Kerio asks if this is a trusted network and I say yes. I can then ping from CoLinux to the internet. If I try browsing it sometimes works for a while but then stops. If I disable the firewall it works again.

What is the rule I need to set to enable CoLinux to go through the firewall?

Thanks
Neil
From: Shang-Feng Y. <st...@ch...> - 2004-05-31 18:00:38
Neil wrote:

>I have installed CoLinux 0.6.1 and got everything working, but I can't get
>it to go through my Kerio firewall. I am using a TAP driver and ICS. When
>CoLinux first starts up Kerio asks if this is a trusted network and I say
>yes. I can then ping from CoLinux to the internet. If I try browsing it
>sometimes works for a while but then stops. If I disable the firewall it
>works again.
>What is the rule I need to set to enable CoLinux to go through the firewall.
>Thanks
>Neil

What version of Kerio PFW do you use? I am using Kerio v2.1.5, and my coLinux v0.6.1 with Fedora Core 1 root image is capable to access internet smoothly with TAP driver via Windows XP ICS. The rules specialized for coLinux internet accessing are:

1. permit ICMP [3] & [8] incoming traffic from the intranet address coLinux used.
2. permit all TCP/UDP incoming traffic from coLinux.
3. enable the special forwarding mode -- Internet Gateway -- of Kerio.
4. permit all outgoing TCP traffic of the application "c:\windows\system32\alg.exe" (Application Layer Gateway Service).

The ICMP rule must be prior to the rule "Other ICMP" that Kerio pre-configured to take effect. The rules I used may be slack in security, but it works for me. :>

May these info be helpful! :>

S.F. Yang

PS. I'm very sorry for the previous reply whose "To:" field was carelessly filled to col...@li.... I hope that would not cause trouble to list administrator.
From: Neil <new...@ma...> - 2004-06-02 05:44:42
"Shang-Feng Yang" <st...@ch...> wrote in message news:40B...@ch......
> Neil wrote:
>
> >I have installed CoLinux 0.6.1 and got everything working, but I can't get
> >it to go through my Kerio firewall. I am using a TAP driver and ICS. When
> >CoLinux first starts up Kerio asks if this is a trusted network and I say
> >yes. I can then ping from CoLinux to the internet. If I try browsing it
> >sometimes works for a while but then stops. If I disable the firewall it
> >works again.
> >What is the rule I need to set to enable CoLinux to go through the firewall.
> >Thanks
> >Neil
>
> What version of Kerio PFW do you use? I am using Kerio v2.1.5, and my
> coLinux v0.6.1 with Fedora Core 1 root image
> is capable to access internet smoothly with TAP driver via Windows XP
> ICS. The rules specialized for coLinux internet accessing are:
> 1. permit ICMP [3] & [8] incoming traffic from the
> intranet address coLinux used.
> 2. permit all TCP/UDP incoming traffic from coLinux.
> 3. enable the special forwarding mode -- Internet Gateway --
> of Kerio.
> 4. permit all outgoing TCP traffic of the application
> "c:\windows\system32\alg.exe" (Application Layer
> Gateway Service).
> The ICMP rule must be prior to the rule "Other ICMP" that Kerio
> pre-configured to take effect. The rules I used may be slack in
> security, but it work for me. :>
>
> May these info be helpful! :>
>
> S.F. Yang

I'm using 4.0.16 which is quite a long way from the version you're using. I'm afraid I'm no closer to getting it to work.
From: Shang-Feng Y. <st...@ch...> - 2004-06-02 06:53:09
Neil wrote:

>"Shang-Feng Yang" <st...@ch...>
>wrote in message news:40B...@ch......
>
>>What version of Kerio PFW do you use? I am using Kerio v2.1.5, and my
>>coLinux v0.6.1 with Fedora Core 1 root image
>>is capable to access internet smoothly with TAP driver via Windows XP
>>ICS. The rules specialized for coLinux internet accessing are:
>> 1. permit ICMP [3] & [8] incoming traffic from the
>> intranet address coLinux used.
>> 2. permit all TCP/UDP incoming traffic from coLinux.
>> 3. enable the special forwarding mode -- Internet Gateway --
>> of Kerio.
>> 4. permit all outgoing TCP traffic of the application
>> "c:\windows\system32\alg.exe" (Application Layer
>> Gateway Service).
>>The ICMP rule must be prior to the rule "Other ICMP" that Kerio
>>pre-configured to take effect. The rules I used may be slack in
>>security, but it work for me. :>
>>
>>May these info be helpful! :>
>>
>>S.F. Yang
>
>I'm using 4.0.16 which is quite a long way from the version you're using.
>I'm afraid I'm no closer to getting it to work.

Well, the concept of setting rules is similar. I'm sticking to version 2.1.5 of kerio PFW for the reason that kerio 2.1.5 is free for home or non-commercial user, while 4.x is not. Besides, v4.x adds new functions which could be unnecessary for a firewall and be substituted with other applications. :P

The point is that the TCP/UDP and ICMP traffics from coLinux must be permitted for incoming. The Windows Application Layer Gateway Service could also be required for packet forwarding. The only thing I'm not sure is that the "Internet Gateway" mode is whether configurable in kerio 4.x or not. Maybe you could find some clue in the kerio's help. :>

Regards,
S.F. Yang
From: Martin K. <ka...@po...> - 2004-06-02 18:10:46
>>I'm using 4.0.16 which is quite a long way from the version you're using.
>>I'm afraid I'm no closer to getting it to work.
>
> Well, the concept of setting rules is similar. I'm sticking to version 2.1.5
> of kerio PFW for the reason that kerio 2.1.5 is free for home or non-commercial
> user, while 4.x is not. Besides, v4.x adds new functions which could be
> unnecessary for a firewall and be substituted with other applications. :P

Kerio PFW in version 4.x is still for free for home or non-commercial user, but not in full version. I don't know exactly which functions are disabled. If you're lucky with 2.1.5 it's better choice. I had some buffer overflows which caused me to deinstall it. But 4.x ain't so stable as the 2.x was. So the zone alarm was back :-( I had troubles with zone alarm using colinux, so I'm just working with my hardware router and brain - it's all ok till now :-)

have a nice os,
Martin
From: Neil <new...@ma...> - 2004-06-03 05:40:40
"Shang-Feng Yang" <st...@ch...> wrote in message news:40B...@ch......
> Neil wrote:
>
> >"Shang-Feng Yang" <st...@ch...>
> >wrote in message news:40B...@ch......
> >
> >>What version of Kerio PFW do you use? I am using Kerio v2.1.5, and my
> >>coLinux v0.6.1 with Fedora Core 1 root image
> >>is capable to access internet smoothly with TAP driver via Windows XP
> >>ICS. The rules specialized for coLinux internet accessing are:
> >> 1. permit ICMP [3] & [8] incoming traffic from the
> >> intranet address coLinux used.
> >> 2. permit all TCP/UDP incoming traffic from coLinux.
> >> 3. enable the special forwarding mode -- Internet Gateway --
> >> of Kerio.
> >> 4. permit all outgoing TCP traffic of the application
> >> "c:\windows\system32\alg.exe" (Application Layer
> >> Gateway Service).
> >>The ICMP rule must be prior to the rule "Other ICMP" that Kerio
> >>pre-configured to take effect. The rules I used may be slack in
> >>security, but it work for me. :>
> >>
> >>May these info be helpful! :>
> >>
> >>S.F. Yang
> >
> >I'm using 4.0.16 which is quite a long way from the version you're using.
> >I'm afraid I'm no closer to getting it to work.
>
> Well, the concept of setting rules is similar. I'm sticking to version 2.1.5
> of kerio PFW for the reason that kerio 2.1.5 is free for home or non-commercial
> user, while 4.x is not. Besides, v4.x adds new functions which could be
> unnecessary for a firewall and be substituted with other applications. :P
>
> The point is that the TCP/UDP and ICMP traffics from coLinux must be permitted
> for incoming. The Windows Application Layer Gateway Service could also be required
> for packet forwarding. The only thing I'm not sure is that the "Internet Gateway"
> mode is whether configurable in kerio 4.x or not. Maybe you could find some clue
> in the kerio's help. :>
>
> Regards,
> S.F. Yang

I've got it working now. What I've done is just created a packet filter rule to allow TCP for everything. That's probably rather slack, but at least it works. It works without UDP/ICMP. What are they for? If it's for the nameserver, that's running on the host machine so that's probably why I don't need it.

Thanks
Neil
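
The rule-ordering point and the catch-all TCP rule discussed in this thread, as an added example that is not part of any poster's message and is not Kerio's own rule format: a small first-match packet filter model in Python. The 192.168.0.0/24 TAP subnet, the 203.0.113.9 outside host, every rule name other than "Other ICMP", and treating "Other ICMP" as a deny rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing, not from the thread: the Windows XP ICS default subnet.
TAP_NET = ipaddress.ip_network("192.168.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    protos: frozenset                # subset of {"tcp", "udp", "icmp"}
    direction: str                   # "in", "out" or "any"
    remote: ipaddress.IPv4Network    # peer address the rule applies to
    icmp_types: frozenset = frozenset()  # empty means every ICMP type

    def matches(self, pkt):
        return (pkt["proto"] in self.protos
                and self.direction in ("any", pkt["dir"])
                and ipaddress.ip_address(pkt["remote"]) in self.remote
                and (not self.icmp_types or pkt.get("icmp_type") in self.icmp_types))

def decide(rules, pkt):
    """Top-down evaluation: the first matching rule wins, otherwise deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "(no rule)"

# Hypothetical rule names modelled on the thread.
OTHER_ICMP = Rule("Other ICMP", "deny", frozenset({"icmp"}), "any", ANY)
GUEST_ICMP = Rule("coLinux ICMP 3/8", "permit", frozenset({"icmp"}), "in",
                  TAP_NET, frozenset({3, 8}))
GUEST_IP = Rule("coLinux TCP/UDP", "permit", frozenset({"tcp", "udp"}), "in", TAP_NET)
TCP_ANY = Rule("TCP for everything", "permit", frozenset({"tcp"}), "any", ANY)

SCOPED = [GUEST_ICMP, GUEST_IP, OTHER_ICMP]      # guest ICMP rule placed first
MISORDERED = [OTHER_ICMP, GUEST_ICMP, GUEST_IP]  # pre-configured rule shadows it
BROAD = [TCP_ANY, OTHER_ICMP]                    # the catch-all TCP rule

# Constructed sample packets as seen by the host firewall.
GUEST_PING = {"proto": "icmp", "dir": "in", "remote": "192.168.0.40", "icmp_type": 8}
GUEST_WEB = {"proto": "tcp", "dir": "in", "remote": "192.168.0.40"}
WAN_TCP = {"proto": "tcp", "dir": "in", "remote": "203.0.113.9"}

if __name__ == "__main__":
    cases = [("scoped", SCOPED, GUEST_PING), ("misordered", MISORDERED, GUEST_PING),
             ("scoped", SCOPED, WAN_TCP), ("broad", BROAD, WAN_TCP)]
    for label, rules, pkt in cases:
        print(label, pkt["proto"], pkt["remote"], "->", decide(rules, pkt))
```

In this model the scoped rule set still forwards the guest's traffic while refusing unsolicited TCP from the outside address, which the catch-all TCP rule accepts.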