General ICS/Firewall question

Discussion in 'other firewalls' started by adam777, Apr 16, 2006.

Thread Status:
Not open for further replies.
  1. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Hello all.
    When home, i'm connected to the net via anohter computer.
    The server computer i have 2 NIC's, one is connected to the cable modem and have an "external" IP address, and the other is conencted to my computer and have a private IP address (192.168...).
    In the client computer, i have a private IP address as well, and in order to make the whole thing work, i need to configure each private IP address as trusted in the relevant PC firewall (setting server private IP as trusted in the client firewall and the other way around).
    Now, the thing that bothers me is, because all the internet traffic to the client PC is done via the server PC, and because the server PC is configured as trusted, does that mean that the client computer must rely on the server firewall for inbound protection?
    If this is the case, is there any software-based solution to resolve this unfortunate situation?
    Thanks in advance, Adam.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The only trusted zone should be the local network; in the case of ICS this is 192.168.0.0/255.255.255.0.
    The host acts as a gateway (whether packets are filtered by the host will depend on the firewall in use), so the client will need a firewall.
    So no, the client does not rely on the host for protection from internet connections.
     
  3. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Thanks Stem.
    Let me be a little more specific.
    The server runs Kerio 4.2.3 and the client runs Jetico 1.0.1.61.
    The share is done using "Sygate Home Network" (I believe it's some kind of NAT software).
    What exactly should I put as trusted in both the server/client firewalls in order to make sure that the client firewall really does its work?
    Thanks again, Adam.
     
    Last edited: Apr 17, 2006
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Adam,
    Yes, I have just set up using the "Sygate Network", and it is a NAT/DHCP server. So the answer is really the same as I gave you. But to confirm, with my setup as example: my LAN IP was already in place (fixed) when I set up the "Sygate server"; this had an IP of 192.168.1.200, so Sygate has taken this as my LAN network 192.168.1.0/255.255.255.0. The client PC is set for DHCP, and was issued with an IP by Sygate on this network. So the "Trusted zone" you ask for will depend on the IP of the LAN IP (have you set this as a fixed IP?)
    Also, if you have the client PC (the one with Jetico) on "Obtain an IP automatically" you will need to change (or add) 2 rules within Jetico. The two rules are for the (UDP) DHCP request/reply, which you will find under Root / system IP table; you will need to change over (swap) the source and destination ports.

    Regards
    Stem

    EDIT.
    Be careful with your firewall settings (internet) for the "Sygate Network" program; it makes a number of internet connection attempts. Up to now, the connection attempts have been to 216.167.96.118=sygate.com and 65.61.165.24=Rackspace.com (web hosting). I don't see any reason for these.
     
    Last edited: Apr 17, 2006
  5. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    OK.
    As for my setup - I do not use the built-in DHCP server in SHN, I simply assign IPs manually - 192.168.0.1/255.255.255.0 for the server computer (the one with Kerio) and 192.168.0.2/255.255.255.0 for the client (the one with Jetico), and set the server's IP as gateway and DNS server for the client.
    Now, in order to make the thing work, in the server firewall I set the client IP as trusted (but not the entire network), as well as enabling gateway mode in Kerio preferences (I know it's a bit of security compromise, but that's the only way to make it work) and in the client's firewall...
    Well, that's basically the story - what should I set in the Jetico firewall in order for me to still be protected by it?
    Moreover, how do I do it? As far as I can tell, the only way to set trusted and blocked IPs in Jetico is using the configuration wizard.
    The problem is, whenever I try to do it, I see that Jetico adds the entire network as trusted ("by default").
    Hope you managed to keep up with me... Adam.

    BTW, the whole sharing thing does work, all I'm interested in is the security-related side...
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Adam,
    Jetico will pick up the entire network (192.168.0.0/255.255.255.0) as trusted; this is not a security problem, as the network is internal only.
    Just set the rules within Jetico (for the client) as if you were connected directly to the internet.
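
Added example, not part of the thread or written by its participants: a small Python model of why the client firewall still filters internet traffic when 192.168.0.0/255.255.255.0 is trusted. It assumes the sharing software does plain NAT (forwarded packets keep their internet source address) and a stateful client firewall; the function names are hypothetical, and 203.0.113.10 and 198.51.100.7 are constructed addresses.

```python
import ipaddress
from dataclasses import dataclass, replace

# LAN addresses are the ones given in the thread.
TRUSTED_ZONE = ipaddress.ip_network("192.168.0.0/255.255.255.0")
GATEWAY_LAN_IP = "192.168.0.1"   # server PC (Kerio)
CLIENT_IP = "192.168.0.2"        # client PC (Jetico)
# Constructed sample addresses (documentation ranges), not from the thread.
GATEWAY_WAN_IP = "198.51.100.7"
INTERNET_HOST = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    reply_to_outbound: bool = False  # matches a connection the client opened


def nat_inbound(pkt: Packet) -> Packet:
    """Assumed plain NAT on the gateway: only the destination is rewritten.

    The source address stays the internet host, so the forwarded packet
    does not look like it came from the trusted gateway.
    """
    return replace(pkt, dst=CLIENT_IP)


def client_verdict(pkt: Packet) -> str:
    """Simplified client policy: trusted zone, then replies, else block."""
    if ipaddress.ip_address(pkt.src) in TRUSTED_ZONE:
        return "allow-trusted"
    if pkt.reply_to_outbound:
        return "allow-reply"
    return "block"


def demo() -> dict:
    from_gateway = Packet(GATEWAY_LAN_IP, CLIENT_IP, 445)
    web_reply = nat_inbound(
        Packet(INTERNET_HOST, GATEWAY_WAN_IP, 50000, reply_to_outbound=True))
    unsolicited = nat_inbound(Packet(INTERNET_HOST, GATEWAY_WAN_IP, 445))
    return {
        "from_gateway": client_verdict(from_gateway),
        "web_reply": client_verdict(web_reply),
        "unsolicited": client_verdict(unsolicited),
    }


if __name__ == "__main__":
    print(demo())
```

If the sharing software were an application-level proxy instead of NAT, forwarded traffic would arrive with the gateway's LAN address as source and the trusted-zone rule would match it, so the NAT assumption is the one to verify.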
     
  7. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Well, I guess I did OK after all... :)
    Thanks for all the help, Stem.
     