Problems sharing internet connection

Hey,
I’ve searched the existing topics covering similar problems already, but unfortunately could not fix it yet.

Setup is as follows:

  • PC with Windows XP SP2
  • MacPro with OSX
  • Wireless router (internet connection)
  • router (LAN)

The Windows PC connects to the internet through the wireless router, and is connected to the LAN through the wired router. The internet connection is shared with the LAN.
The Mac connects to the LAN through the wired router, and should connect to the internet through the shared connection of the Windows PC.
If Comodo Firewall is NOT running, everything works as intended.

As soon as the Firewall is running on the Windows PC, the Mac can no longer connect to the internet.
Using the stealth port wizard, I have defined the LAN (192.168.0.1 - 192.168.0.255) as a trusted network zone.
Pings still work in both directions (PC <> Mac), but the Mac isn’t able to connect to the internet.

I guess I’m missing something pretty obvious, but I can’t seem to fix it. Any help is greatly appreciated.

Thank you very much,
Markus

Welcome to the forums, Mrak!

If your PC is running as a Windows ICS host, the firewall rules are somewhat more involved than the ports wizards can handle. The CFP rules have to both protect the host, and protect the LAN. There is a writeup on the Comodo wiki. Compare that outline for Global Rules to what you have set up on your PC.

Thank you, grue155!
The Wiki page seems to be exactly the explanation I’ve been looking for.

Gonna try that out tomorrow and tell you how it worked.

OK, I’ve applied all the rules as listed on the Wiki page.
Firewall security level is “Custom Policy Mode”, Defense+ Level is “Clean PC Mode”.

Unfortunately, the Mac still can’t connect while the firewall is running :confused:

Sorry to keep bothering you, but I have to admit I don’t understand enough about what I’m doing here to find a solution on my own.

Got it working now, but I don’t know if it’s not somewhat risky:

I had to change rule [5] Allow TCPorUDP Out From Zone[MyLAN] to IP Any
from OUT to IN/OUT.

I’m not sure about the possible consequences of this change.
Do you think this might turn out to be a problem?

There are two ways we can go with trying to figure out what’s going on with the Mac. We can work from your PC, using tools there, or work from the Mac using tools there. I’ll outline what I have in mind, and you make the call as to which is viable.

On the PC side, I would install a network monitor like Wireshark (www.wireshark.org), and do a packet capture with the firewall off (so the Mac can see and respond to proper traffic), and with the firewall on (so as to see what is missing).

On the Mac side, you’ll need admin privilege on a command line for these three commands: ipconfig, netstat, and tcpdump. These will be doing the same thing as the Wireshark stuff does on the PC. One note: I haven’t worked with a Mac machine, but since Mac OS X is based on BSD, and I’m a BSD admin on the day job, the tools and techniques I’m familiar with should translate easily.

On the Mac, first do an ‘ipconfig -a’ and a ‘netstat -nr’. The output from those two commands will give me the details on what kind of parameters would be needed for the tcpdump command.

Interesting. There is a potential risk there. Evidently the Mac is referencing something outside your LAN in order for it to work. I have no idea what that might be, but having this as an In/Out rule does weaken the protection on your network as a whole.

The packet capture would tell what it is that is needed. PC side or Mac side is your choice.

PC side it is, then :slight_smile:
I’m installing Wireshark right now and will do some packet captures.