Hi folks,

there's a tiny masqueraded LAN (192.168.0.0/24) behind a firewall (SuSE 7.3, SuSEfirewall2), standard configuration.

Task: enable remote control of the internal computers via VNC.

The following already works:
(1) intern <-> intern
(2) intern <-> firewall
(3) extern <-> firewall
(4) intern -> extern

The problem is (5) extern -> intern
(currently I do a remote control of the firewall, which does a remote control of an internal computer, but that's pretty shitty)

I do not know the right questions. Is it a firewall-, routing-, or masquerading-thingie? How do I address internal computers anyway?

Please enlighten me. Thanks in advance,
Jens

--
---------------------------------------------------------------
Jens Woch                   | woch@uni-koblenz.de
Dep. of Computer Science    | http://www.uni-koblenz.de/~woch
University of Koblenz       | Tel.: +49 228 2611
PF 201 602, D-56016 Koblenz | Fax: +49 261 2601
---------------------------------------------------------------
Hello Jens,

Wednesday, 16 January 2002, you wrote:

JW> Hi folks,
JW> there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse
JW> 73, Susefirewall2), standard-configuration.
JW> Task: Enable remote control of the internal computers via VNC.
JW> The following already works:
JW> (1) intern <-> intern
JW> (2) intern <-> firewall
JW> (3) extern <-> firewall
JW> (4) intern -> extern
JW> The problem is (5) extern -> intern
JW> (currently i do a remote control of the firewall, which does a remote
JW> control of an internal computer, but that's pretty shitty)
JW> I do not know the right questions. Is it a firewall-, routing-, or
JW> masquerading-thingie? How do I address internal computers anyway?

In the earlier version of SuSEfirewall it was section 14 of /etc/rc.config.d/firewall.rc.config. You needed to set up the FW_FORWARD_MASQ_TCP variable.

The only problem seems to be that you'll have 1 publicly visible IP address/vnc port combination, which won't allow you to connect to multiple internal vnc servers. However, if you can make vnc listen on a different port (5902, 5903) on each internal machine it might just work... You should then be able to connect to real_ip:2, real_ip:3 etc...

I'd be interested to hear how you get on...

Mark
OK, I've read through everyone else's suggestions and have found that the best (and easiest) way is probably how I do it.

From what I have found, depending on the size of your network, you can't open a hundred ports to access all of these machines. Best thing to do is install VNC Server on your linux box and pick a port. VNC into your linux box, then VNC into the machines behind the firewall. 1 port opens up for all of your computers on the LAN. As long as your network is not slow, you will have NO problem with it.

Brian

At 01:07 AM 1/16/2002, Jens Woch wrote:
> Hi folks,
> there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse 73, Susefirewall2), standard-configuration.
> Task: Enable remote control of the internal computers via VNC.
> The following already works:
> (1) intern <-> intern (2) intern <-> firewall (3) extern <-> firewall (4) intern -> extern
> The problem is (5) extern -> intern
> (currently i do a remote control of the firewall, which does a remote control of an internal computer, but that's pretty shitty)
> I do not know the right questions. Is it a firewall-, routing-, or masquerading-thingie? How do I address internal computers anyway?
> Please enlighten me. Thanks in advance, Jens
> --
> Jens Woch | woch@uni-koblenz.de | Dep. of Computer Science | http://www.uni-koblenz.de/~woch | University of Koblenz | Tel.: +49 228 2611 | PF 201 602, D-56016 Koblenz | Fax: +49 261 2601
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
You will have to do what is known as port forwarding.

Just to give you a head start: modprobe your ip_masq_portfw module, if you are running the 2.2 kernel, then install the ipmasqadm rpm. man this rpm, and you should be on your way.

Good luck.
AKNIT
--- Jens Woch wrote:
> there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse 73, Susefirewall2), standard-configuration.
> Task: Enable remote control of the internal computers via VNC.
> The following already works:
> (1) intern <-> intern (2) intern <-> firewall (3) extern <-> firewall (4) intern -> extern
> The problem is (5) extern -> intern
> (currently i do a remote control of the firewall, which does a remote control of an internal computer, but that's pretty shitty)
> I do not know the right questions. Is it a firewall-, routing-, or masquerading-thingie? How do I address internal computers anyway?
> Please enlighten me. Thanks in advance, Jens
> --
> Jens Woch | woch@uni-koblenz.de | Dep. of Computer Science | http://www.uni-koblenz.de/~woch | University of Koblenz | Tel.: +49 228 2611 | PF 201 602, D-56016 Koblenz | Fax: +49 261 2601
Hi,

thanks a lot for your suggestions!

The path to success was given by Michael Appeldorn and Mark Robinson: to firewall2.rc.config, simply add

    FW_FORWARD_MASQ="0/0,192.168.0.<n>,tcp,590<n> 0/0,192.168.0.<n>,udp,590<n>"

and give the vnc-server of 192.168.0.<n> the display number <n> for each local IP ending in <n> for which you want to have VNC access from outside. To remote control IP 192.168.0.3, e.g., issue "vncserver :3" et voilà!

To get rid of those "0/0" null-restrictions from outer space, I'm afraid, there's no way other than that suggestion of Mark Ruth, though.
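As an added example (not part of Jens's post and not SuSEfirewall2's own code), the following shell script expands FW_FORWARD_MASQ-style entries, such as the one above and the per-display port scheme Mark Robinson suggested, into the iptables rules they stand for on a 2.4/iptables firewall. It is a dry run: the commands are printed, never applied. The interface name eth0, the admin address 203.0.113.10 and the exact rule layout are assumptions; the real SuSEfirewall2 script works with its own chains and checks, and on a 2.2 kernel the same job is done with ipmasqadm portfw, as AKNIT noted. Two caveats the script makes visible: the RFB protocol VNC speaks is TCP only, so the udp line in the config buys nothing, and a source of 0/0 puts the VNC password prompt within reach of the whole Internet, which is why the script warns on it.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2: expand
# FW_FORWARD_MASQ entries "src,dst,proto,port[,localport]" into the
# iptables rules they stand for on an iptables (2.4 kernel) firewall.
# Dry run: the commands are printed, never executed. EXT_IF and the
# rule layout are assumptions; SuSEfirewall2 uses its own chains.

EXT_IF="${EXT_IF:-eth0}"     # assumed name of the external interface

# vnc_port N -> TCP port of VNC display :N (RFB listens on 5900 + N)
vnc_port() {
    echo $((5900 + $1))
}

# forward_is_open ENTRY -> true (0) when the entry admits any source,
# i.e. the VNC password prompt is reachable from the whole Internet
forward_is_open() {
    case "${1%%,*}" in
        0/0|0.0.0.0/0) return 0 ;;
        *)             return 1 ;;
    esac
}

# masq_rules ENTRY -> print the two iptables commands for one entry:
# DNAT in nat/PREROUTING rewrites the destination to the internal host,
# and FORWARD must then accept the rewritten packet, or it is dropped.
masq_rules() {
    entry=$1
    old_ifs=$IFS
    IFS=,
    set -- $entry
    IFS=$old_ifs
    src=$1; dst=$2; proto=$3; port=$4; lport=${5:-$4}
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$src" "$proto" "$port" "$dst" "$lport"
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$EXT_IF" "$src" "$dst" "$proto" "$lport"
}

# render_forwards "ENTRY ENTRY ..." -> rules for every entry, with a
# warning on stderr for each entry that is open to any source
render_forwards() {
    for e in $1; do
        if forward_is_open "$e"; then
            echo "# WARNING: $e is reachable from any source" >&2
        fi
        masq_rules "$e"
    done
}

# Constructed sample: displays :3 and :4 on 192.168.0.3 and .4, the
# first open to the world (as in the thread), the second limited to
# one assumed admin address.
render_forwards "0/0,192.168.0.3,tcp,$(vnc_port 3) 203.0.113.10/32,192.168.0.4,tcp,$(vnc_port 4)"
```

Replacing 0/0 with a specific source only narrows who can reach the port; the VNC password and screen data still cross the public network in the clear, which is the point Markus Gaugusch makes further down.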
You have a nerve [0/0]. Is pretty insecure. Guess would be easy to sniff the vnc password and every guy with some ambitions will move the mouse only you should move remotely.

Would suggest following simple way to make it more secure, also if you have a static IP you can bind. Find the position of the rules in /sbin/SuSEfirewall2 and modify this rules in order to check the MAC address of your remote machine.

If you've further question how to, mail me.

Michael Appeldorn
I have not followed the whole thread, but I do it this way: ssh to the firewall with port forwarding enabled

    ssh firewall -L 5901:clientpc1:5900

and in another window

    vncviewer :1

(with windows you can use teraterm or putty and enable ssh forwarding in the same manner, and connect to localhost:1 with vncviewer). You should enable compression of ssh (with -C parameter), which makes vnc more responsive and faster! And - most important - everything is secure. VNC is INSECURE without encryption around it!

Markus

--
Markus Gaugusch | ICQ 11374583 | markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
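As an added example, not Markus's own script and not from the thread, the following shell assembles the ssh command line for the tunnel he describes, generalised to several internal machines in one session. The firewall name, the internal addresses and the display numbers are constructed for illustration. Each forward is bound to 127.0.0.1 explicitly so nothing else on the client's network can use the tunnel entrance, -N is used because no remote shell is needed, -C gives the compression Markus recommends, and OpenSSH's ExitOnForwardFailure makes ssh abort when a local port is already taken instead of running with one display silently missing.

```shell
#!/bin/sh
# Added example, not from the thread: assemble one ssh session that
# forwards several local VNC displays through the firewall to machines
# on the masqueraded LAN. The commands are printed, not executed.
# Hosts and displays below are constructed for illustration.

# vnc_port N -> TCP port of VNC display :N (5900 + N)
vnc_port() {
    echo $((5900 + $1))
}

# forward_args "LDISP:HOST:RDISP ..." -> the -L options. Each local
# display LDISP is bound to 127.0.0.1 only, so a viewer on the client
# itself can use it but nothing else on the client's network can.
forward_args() {
    args=""
    for f in $1; do
        ldisp=${f%%:*}
        rest=${f#*:}
        host=${rest%%:*}
        rdisp=${rest#*:}
        args="$args -L 127.0.0.1:$(vnc_port "$ldisp"):$host:$(vnc_port "$rdisp")"
    done
    echo "${args# }"
}

# tunnel_cmd FIREWALL "LDISP:HOST:RDISP ..." -> the full ssh command.
# -N: no remote shell, -C: compression, ExitOnForwardFailure: fail
# loudly if a local port is taken instead of running with a missing forward.
tunnel_cmd() {
    echo "ssh -C -N -o ExitOnForwardFailure=yes $(forward_args "$2") $1"
}

# viewer_target LDISP -> what to hand vncviewer on the client
viewer_target() {
    echo "127.0.0.1:$1"
}

# Constructed sample: local displays :1 and :2 reach display :0 of
# 192.168.0.3 and display :3 of 192.168.0.4 (the per-host display
# scheme used earlier in the thread).
FORWARDS="1:192.168.0.3:0 2:192.168.0.4:3"
tunnel_cmd firewall.example.org "$FORWARDS"      # run this in one window...
echo "vncviewer $(viewer_target 1)"               # ...and this in another
```

Only the hop from the client to the firewall is inside ssh; the leg from the firewall to the internal host is still plain VNC on the LAN, so the firewall host itself and anyone who can sniff that segment remain in the trust boundary.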
> > To get rid of those "0/0" null-restrictions from outer space, I'm afraid, there's no way other than that suggestion of Mark Ruth, though.
>
> You have a nerve [0/0]. Is pretty insecure. Guess would be easy to sniff the vnc password and every guy with some ambitions will move the mouse only you should move remotely.
> Would suggest following simple way to make it more secure, also if you have a static IP you can bind.
> Find the position of the rules in /sbin/SuSEfirewall2 and modify this rules in order to check the MAC address of your remote machine.
> If you've further question how to, mail me.

OOOOHHH - think MAC check won't work outside the ethernet - my failure. Made, cause somewhere on customs net there was a DNS outside, but before router, that was connected via ethernet and checkable that way - and so my little brain forgot that not all the same - shame.

Michael Appeldorn
Michael Appeldorn wrote:

> > To get rid of those "0/0" null-restrictions from outer space, I'm afraid, there's no way other than that suggestion of Mark Ruth, though.
>
> You have a nerve [0/0]. Is pretty insecure. Guess would be easy to sniff the vnc password and every guy with some ambitions will move the mouse only you should move remotely.

But sniffing could happen even if I replace 0/0 with something (much) more specific, couldn't it? The ssh suggestion by Markus Gaugusch would prevent it, I guess (have to play with it yet).

Yours, Jens

--
---------------------------------------------------------------
Jens Woch                   | woch@uni-koblenz.de
Dep. of Computer Science    | http://www.uni-koblenz.de/~woch
University of Koblenz       | Tel.: +49 228 2611
PF 201 602, D-56016 Koblenz | Fax: +49 261 2601
---------------------------------------------------------------
Yep, ssh solutions rule. Anything else is then a foul compromise. Walk this way. He won.

Michael Appeldorn
participants (6):
- Gryphon Tech Security
- Jens Woch
- Mark Robinson
- Mark Tinka
- Markus Gaugusch
- Michael Appeldorn