From: Neil <new...@ma...> - 2004-06-03 05:40:40
"Shang-Feng Yang" <st...@ch...> wrote in message news:40B...@ch......
> Neil wrote:
>
> >"Shang-Feng Yang" <st...@ch...>
> >wrote in message news:40B...@ch......
> >
> >>What version of Kerio PFW do you use? I am using Kerio v2.1.5, and my
> >>coLinux v0.6.1 with Fedora Core 1 root image
> >>is capable to access internet smoothly with TAP driver via Windows XP
> >>ICS. The rules specialized for coLinux internet accessing are:
> >>    1. permit ICMP [3] & [8] incoming traffic from the
> >>       intranet address coLinux used.
> >>    2. permit all TCP/UDP incoming traffic from coLinux.
> >>    3. enable the special forwarding mode -- Internet Gateway --
> >>       of Kerio.
> >>    4. permit all outgoing TCP traffic of the application
> >>       "c:\windows\system32\alg.exe" (Application Layer
> >>       Gateway Service).
> >>The ICMP rule must be prior to the rule "Other ICMP" that Kerio
> >>pre-configured to take effect. The rules I used may be slack in
> >>security, but it work for me. :>
> >>
> >>May these info be helpful! :>
> >>
> >>S.F. Yang
> >>
> >
> >I'm using 4.0.16 which is quite a long way from the version you're using.
> >I'm afraid I'm no closer to getting it to work.
> >
>
> Well, the concept of setting rules is similar. I'm sticking to version 2.1.5
> of kerio PFW for the reason that kerio 2.1.5 is free for home or non-commercial
> user, while 4.x is not. Besides, v4.x adds new functions which could be
> unnecessary for a firewall and be substituted with other applications. :P
>
> The point is that the TCP/UDP and ICMP traffics from coLinux must be permitted
> for incoming. The Windows Application Layer Gateway Service could also be required
> for packet forwarding. The only thing I'm not sure is that the "Internet Gateway"
> mode is whether configurable in kerio 4.x or not. Maybe you could find some clue
> in the kerio's help. :>
>
> Regards,
> S.F. Yang
>

I've got it working now. What I've done is just created a packet filter rule to allow TCP for everything.
That's probably rather slack, but at least it works. It works without UDP/ICMP. What are they for? If it's for the nameserver, that's running on the host machine so that's probably why I don't need it.

Thanks

Neil
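The following is an added example, not part of either poster's message and not Kerio's rule syntax. It models an ordered, first-match packet filter to compare the source-scoped rules listed in the thread, the same rules with the ICMP permit placed after "Other ICMP", and a single "TCP for everything" rule. The first-match model, the default deny, "Other ICMP" being a catch-all deny, and all addresses are assumptions; the alg.exe rule and Internet Gateway mode are not modelled.

```python
from ipaddress import ip_address, ip_network

GUEST = ip_network("192.168.0.2/32")  # constructed coLinux TAP address (assumption)
ANY = ip_network("0.0.0.0/0")

def rule(name, action, proto, src, icmp_types=None):
    return dict(name=name, action=action, proto=proto, src=src, icmp_types=icmp_types)

def evaluate(rules, pkt):
    """First matching rule decides; nothing matching means deny (assumed model)."""
    for r in rules:
        if r["proto"] != pkt["proto"] or ip_address(pkt["src"]) not in r["src"]:
            continue
        if r["icmp_types"] is not None and pkt.get("icmp_type") not in r["icmp_types"]:
            continue
        return r["action"], r["name"]
    return "deny", "default"

# ICMP type 3 = destination unreachable, type 8 = echo request (ping).
GUEST_ICMP = rule("coLinux ICMP 3/8", "permit", "icmp", GUEST, {3, 8})
OTHER_ICMP = rule("Other ICMP", "deny", "icmp", ANY)  # assumed to be a catch-all deny
GUEST_TCP = rule("coLinux TCP", "permit", "tcp", GUEST)
GUEST_UDP = rule("coLinux UDP", "permit", "udp", GUEST)

SCOPED = [GUEST_ICMP, OTHER_ICMP, GUEST_TCP, GUEST_UDP]      # order from the thread
MISORDERED = [OTHER_ICMP, GUEST_ICMP, GUEST_TCP, GUEST_UDP]  # ICMP permit placed too late
BROAD = [rule("TCP for everything", "permit", "tcp", ANY)]   # the single catch-all rule

# Constructed sample packets; 203.0.113.7 is a documentation address.
PACKETS = {
    "guest ping": {"proto": "icmp", "src": "192.168.0.2", "icmp_type": 8},
    "guest udp": {"proto": "udp", "src": "192.168.0.2"},
    "outside tcp": {"proto": "tcp", "src": "203.0.113.7"},
}

def compare():
    """Action each rule set takes for each sample packet."""
    sets = {"scoped": SCOPED, "misordered": MISORDERED, "broad": BROAD}
    return {s: {p: evaluate(rs, pkt)[0] for p, pkt in PACKETS.items()}
            for s, rs in sets.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:10} {verdicts}")
```

In this model the scoped set admits only traffic sourced from the guest address, while the catch-all TCP rule also admits TCP from any other source.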