ICS FAQ Confusion

Discussion in 'LnS English Forum' started by Q Section, Feb 8, 2008.

Thread Status:
Not open for further replies.
  1. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Greetings

    In the LnS FAQ Internet Connection Sharing (ICS) section it says:

    On the Client PC, import the rule ICMP:ICS Client from this file ics.rie.
    On the server PC, import the rule IP:ICS Server from this file ics.rie.

    For Windows XP SP2 import the ruleset SharingSP2.rie.


    So... is it necessary to import all three of these rule sets, or just SharingSP2.rie? Which rules go where? Using XP SP2 and LnS 2.06p2 on both computers here.

    Thank you.
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Normally under XP-SP2 you just need SharingSP2.rie file.
    ICMP rules were for previous versions of Windows.

    Under Vista, it should work directly without importing rules.

    So, if you are under XP-SP2, just use SharingSP2.rie first. If it doesn't work and you see some ICMP alerts in Look 'n' Stop log then import the other ICMP rules.

    Regards,

    Frederic
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As stated by Frederic, just use the 2 rules within SharingSP2.rie; these just allow the high ports for the ICS NAT (one for DNS and the other for web etc.). I did set up and check, and all worked correctly.

    On the default EnhancedRulesSet, I placed the 2 rules just below "TCP: Block incoming connections".

    If you are using the SPF rules (2.06p2) for DNS, then I would suggest adding a rule (or editing the default rule) for use with ICS, and then removing the UDP sharing rule.
     
  4. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Can you explain this a little better please? Right now using the SPF ruleset the client computer is working fine and resolving DNS apparently (meaning there are no DNS errors).
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was giving ref to the 2 rules placed on the Host (for ICS). One of the rules is for UDP DNS. I was just thinking you may be better to replace that rule with an SPF rule.
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, this is an alternative option for the DNS rule, since the SPF rule will automatically take care of the local port value.

    More explanations:
    - when using ICS under XP-SP2, the local ports seen on the server are in the range 49152-65535, and the basic rules in standard rulesets allow 1024-5000 only; that's why it blocks.
    - SharingSP2.rie just contains 2 rules to allow the right range (for TCP and UDP DNS).
    - SPF rules for DNS will automatically allow the right port.

    Frederic
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Frederic,

    I did re-check... I see that the client on ICS does go through (for DNS) the SharingSP2.rie UDP rule regardless of whether the default UDP SPF rule is in place (I did at first think the default SPF rule contained the local ports used; sorry, I did not fully check).

    I find that if I disable the SharingSP2.rie UDP rule, then DNS lookups cannot be made from the client, the requests fall through to the UDP blocking rule.

    I did look at this from DNS client enabled/disabled on Host, but still the same. Is this some problem with the SPF rules or routed packets or ?
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    There is actually a field to verify the local port is in the Local range (1024-5000 or 49152-65536 depending on the host windows version).

    So, yes, finally just using the standard SPF DNS rule won't solve the initial issue.
    To solve it, this check against the local port should be removed in the SPF rule. This is field #5 in the first rule (the one detecting the first packet).

    Frederic
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Frederic,

    I did look at this before posting on thread.

    [attached screenshot: 2008-02-12_231120.jpg]

    Please show how the user should correctly change this setting.


    Regards,
     
    Last edited: Feb 13, 2008
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Stem,

    Just select NA for the criteria instead of PORT_LOCAL_IN, this will remove completely this field and the check against the local port.
    Then OK and Apply (and Save if it works).

    Frederic
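Added example, not part of the thread and not Look 'n' Stop code: a small ordered rule-list simulator in Python that models Frederic's explanation (posts 6 and 8/10) of why the standard 1024-5000 local-port check blocks DNS relayed through ICS, how the SharingSP2.rie range fixes it, and what setting the SPF rule's PORT_LOCAL_IN criterion to NA does. The Rule structure, the rule names and the sample packets are assumptions for illustration, not LnS's own rule format.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    name: str
    proto: str                               # "TCP" or "UDP"
    local_range: Optional[Tuple[int, int]]   # None models "NA": no local-port check
    remote_port: Optional[int]               # None matches any remote port
    action: str                              # "allow" or "block"

    def matches(self, proto: str, local_port: int, remote_port: int) -> bool:
        if self.proto != proto:
            return False
        if self.remote_port is not None and remote_port != self.remote_port:
            return False
        if self.local_range is not None:
            lo, hi = self.local_range
            if not lo <= local_port <= hi:
                return False
        return True

# Ordered evaluation as in a firewall ruleset: the first matching rule decides.
def evaluate(rules, proto, local_port, remote_port):
    for r in rules:
        if r.matches(proto, local_port, remote_port):
            return r.action, r.name
    return "block", "implicit deny"

# Rules modelled on the thread; the names are assumed, not LnS's own rule text.
STD_UDP_DNS = Rule("UDP: DNS, local 1024-5000 (standard ruleset)", "UDP", (1024, 5000), 53, "allow")
SHARING_UDP_DNS = Rule("SharingSP2 UDP DNS, local 49152-65535", "UDP", (49152, 65535), 53, "allow")
SPF_DNS_CHECKED = Rule("SPF DNS with PORT_LOCAL_IN kept", "UDP", (1024, 5000), 53, "allow")
SPF_DNS_NA = Rule("SPF DNS, field #5 set to NA", "UDP", None, 53, "allow")
BLOCK_UDP = Rule("UDP: Block all", "UDP", None, None, "block")

RULESETS = {
    "standard": [STD_UDP_DNS, BLOCK_UDP],
    "standard+SharingSP2": [STD_UDP_DNS, SHARING_UDP_DNS, BLOCK_UDP],
    "SPF, check kept": [SPF_DNS_CHECKED, BLOCK_UDP],
    "SPF, NA": [SPF_DNS_NA, BLOCK_UDP],
}

# Constructed samples: an ICS-relayed DNS query lands on the host with a local
# port in 49152-65535; the host's own DNS query uses one in 1024-5000.
ICS_CLIENT_DNS = ("UDP", 52013, 53)
HOST_OWN_DNS = ("UDP", 3021, 53)

if __name__ == "__main__":
    for name, rs in RULESETS.items():
        print(f"{name:20s} ICS client DNS -> {evaluate(rs, *ICS_CLIENT_DNS)}")
```

Running it shows the host's own query passing every ruleset while the relayed query only passes once the high range is allowed or the local-port check is removed.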
     