vnc masqueraded - openSUSE Security - openSUSE Mailing Lists

newer
RE: [suse-security] I have been...

vnc masqueraded

older
AW: [suse-security] firewall

Jens Woch

16 Jan 2002 16 Jan '02

08:07

Hi folks, there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse 73, Susefirewall2), standard-configuration. Task: Enable remote control of the internal computers via VNC. The following already works: (1) intern <-> intern (2) intern <-> firewall (3) extern <-> firewall (4) intern -> extern The problem is (5) extern -> intern (currently i do a remote control of the firewall, which does a remote control of an internal computer, but that's pretty shitty) I do not know the right questions. Is it a firewall-, routing-, or masquerading-thingie? How do I address internal computers anyway? Please enlighten me. Thanks in advance, Jens -- --------------------------------------------------------------- Jens Woch | woch@uni-koblenz.de Dep. of Computer Science | http://www.uni-koblenz.de/~woch University of Koblenz | Tel.: +49 228 2611 PF 201 602, D-56016 Koblenz | Fax: +49 261 2601 ---------------------------------------------------------------

Reply

Sign in to reply online Use email software

Show replies by date

Mark Robinson

16 Jan 16 Jan

11:35

New subject: [suse-security] vnc masqueraded

Hello Jens, Wednesday, 16 January 2002, you wrote: JW> Hi folks, JW> there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse JW> 73, Susefirewall2), standard-configuration. JW> Task: Enable remote control of the internal computers via VNC. JW> The following already works: JW> (1) intern <-> intern JW> (2) intern <-> firewall JW> (3) extern <-> firewall (4) intern ->> extern JW> The problem is (5) extern -> intern JW> (currently i do a remote control of the firewall, which does a remote JW> control of an internal computer, but that's pretty shitty) JW> I do not know the right questions. Is it a firewall-, routing-, or JW> masquerading-thingie? How do I address internal computers anyway? In the earlier version of SuSEfirewall it was section 14 of /etc/rc.config.d/firewall.rc.config You needed to set up the FW_FORWARD_MASQ_TCP variable. The only problem seems to be that you'll have 1 publicly visible IP addess/vnc port combination, which won't allow you to connect to multiple internal vnc servers. However, if you can make vnc listen on a different port (5902, 5903) on each internal machine it might just work... You should then be able to connect to real_ip:2 real_ip:3 etc... I'd be interested to hear how you get on... Mark

Reply

Sign in to reply online Use email software

Gryphon Tech Security

15:38

New subject: [suse-security] vnc masqueraded

OK, I've read through everyone else's suggestions and have found that the best (and easiest) way is probably how I do it. From what I have found is depending on the size of your network, you can't open a hundred ports to access all of these machines. Best thing to do is install VNC Server on your linux box and pick a port. VNC into your linux box then VNC into the machines behind the firewall. 1 port opens up for all of your computers on the lan. As long as your network is not slow, you will have NO problem with it. Brian At 01:07 AM 1/16/2002, Jens Woch wrote:

Hi folks,

there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse 73, Susefirewall2), standard-configuration.

Task: Enable remote control of the internal computers via VNC.

The following already works:

(1) intern <-> intern (2) intern <-> firewall (3) extern <-> firewall (4) intern -> extern

The problem is (5) extern -> intern

(currently i do a remote control of the firewall, which does a remote control of an internal computer, but that's pretty shitty)

I do not know the right questions. Is it a firewall-, routing-, or masquerading-thingie? How do I address internal computers anyway?

Please enlighten me. Thanks in advance, Jens

-- --------------------------------------------------------------- Jens Woch | woch@uni-koblenz.de Dep. of Computer Science | http://www.uni-koblenz.de/~woch University of Koblenz | Tel.: +49 228 2611 PF 201 602, D-56016 Koblenz | Fax: +49 261 2601 ---------------------------------------------------------------

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Reply

Sign in to reply online Use email software

Mark Tinka

20:30

New subject: [suse-security] vnc masqueraded

u will have to do what is know as port forwarding.. just to give you a head start, modprobe your ip_masq_portfw module, if u are running the 2.2 kernel.. then install the ipmasqadm rpm.... man this rpm, and u should be on your way... good luck.. AKNIT --- Jens Woch wrote: > Hi folks,

there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse 73, Susefirewall2), standard-configuration.

Task: Enable remote control of the internal computers via VNC.

The following already works:

(1) intern <-> intern (2) intern <-> firewall (3) extern <-> firewall (4) intern -> extern

The problem is (5) extern -> intern

(currently i do a remote control of the firewall, which does a remote control of an internal computer, but that's pretty shitty)

I do not know the right questions. Is it a firewall-, routing-, or masquerading-thingie? How do I address internal computers anyway?

Please enlighten me. Thanks in advance, Jens

--

---------------------------------------------------------------

Jens Woch | woch@uni-koblenz.de Dep. of Computer Science | http://www.uni-koblenz.de/~woch University of Koblenz | Tel.: +49 228 2611 PF 201 602, D-56016 Koblenz | Fax: +49 261 2601

---------------------------------------------------------------

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

__________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com

Reply

Sign in to reply online Use email software

Jens Woch

17 Jan 17 Jan

07:53

New subject: [suse-security] vnc masqueraded

Hi, thanks a lot for your suggestions! The path to success was given by Michael Appeldorn and Mark Robinson: To firewall2.rc.config, simply add FW_FORWARD_MASQ="0/0,192.168.0.<n>,tcp,590<n> 0/0,192.168.0.<n>,udp,590<n>" and give the vnc-server of 192.168.0.<n> the display number <n> for each local ip ending in <n> for which you want to have vnc access from outside. To remote control ip 192.168.0.3, e.g., issue "vncserver :3" et viola! To get rid of those "0/0" null-restriction from outer space, I'm afraid, there's no way than that suggestion of Mark Ruth, though. Thanks again, Jens -- --------------------------------------------------------------- Jens Woch | woch@uni-koblenz.de Dep. of Computer Science | http://www.uni-koblenz.de/~woch University of Koblenz | Tel.: +49 228 2611 PF 201 602, D-56016 Koblenz | Fax: +49 261 2601 ---------------------------------------------------------------

Reply

Sign in to reply online Use email software

Michael Appeldorn

09:35

New subject: [suse-security] vnc masqueraded

The path to success was given by Michael Appeldorn and Mark Robinson: To firewall2.rc.config, simply add

FW_FORWARD_MASQ="0/0,192.168.0.<n>,tcp,590<n> 0/0,192.168.0.<n>,udp,590<n>"

and give the vnc-server of 192.168.0.<n> the display number <n> for each local ip ending in <n> for which you want to have vnc access from outside.

To remote control ip 192.168.0.3, e.g., issue "vncserver :3" et viola!

To get rid of those "0/0" null-restriction from outer space, I'm afraid, there's no way than that suggestion of Mark Ruth, though.

You have a nerve [0/0]. Is pretty insecure. Guess would be easy to sniff the vnc password and every guy with some ambitions will move the mouse only you should move remotly. Would suggest following simple way to make it more secure, also if you have a static ip you can bind. Find the position of the rules in /sbin/SuSEfirewall2 and modify this rules in order to check the MAC-Adresse of your remote machine. If you've further question how to, mail me. Michael Appeldorn.

Reply

Sign in to reply online Use email software

Markus Gaugusch

09:38

New subject: [suse-security] vnc masqueraded

I have not followed the whole thread, but I do it this way: ssh to the firewall with portforwarding enabled ssh firewall -L 5901:clientpc1:5900 and in another window vncviewer :1 (with windows you can use teraterm or putty and enable ssh forwarding in the same manner, and connect to localhost:1 with vncviewer). You should enable compression of ssh (with -C parameter), which makes vnc more responsive and faster! And - most important - everything is secure. VNC is INSECURE without encryption around it! Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \

Reply

Sign in to reply online Use email software

Michael Appeldorn

13:48

New subject: [suse-security] vnc masqueraded

...
To get rid of those "0/0" null-restriction from outer space, I'm afraid, there's no way than that suggestion of Mark Ruth, though.

You have a nerve [0/0]. Is pretty insecure. Guess would be easy to sniff the vnc password and every guy with some ambitions will move the mouse only you should move remotly.

Would suggest following simple way to make it more secure, also if you have a static ip you can bind.

Find the position of the rules in /sbin/SuSEfirewall2 and modify this rules in order to check the MAC-Adresse of your remote machine.

If you've further question how to, mail me.

OOOOHHH - think MAC check wont work outside the ethernet - my failure. Made, cause somewhere on customs net there was a DNS outside,but before router that was connect via ethernet and checkable that way - and so my little brain forgot that not all the same - shame. Michael Appeldorn

Reply

Sign in to reply online Use email software

Jens Woch

14:03

New subject: [suse-security] vnc masqueraded

Michael Appeldorn wrote

...
To get rid of those "0/0" null-restriction from outer space, I'm afraid, there's no way than that suggestion of Mark Ruth, though.

You have a nerve [0/0]. Is pretty insecure. Guess would be easy to sniff the vnc password and every guy with some ambitions will move the mouse only you should move remotly.

But sniffing could happen even if I replace 0/0 with something (much) more specific, couldn't it? The ssh-suggestion by Markus Gaugusch would prevent it, I guess (have to play with it yet). Yours, Jens -- --------------------------------------------------------------- Jens Woch | woch@uni-koblenz.de Dep. of Computer Science | http://www.uni-koblenz.de/~woch University of Koblenz | Tel.: +49 228 2611 PF 201 602, D-56016 Koblenz | Fax: +49 261 2601 ---------------------------------------------------------------

Reply

Sign in to reply online Use email software

Michael Appeldorn

14:42

New subject: [suse-security] vnc masqueraded

Yep, ssh-solutions rules. Anything else is then a foul compromise. Walk this way. He won. Michael Appeldorn

...
...
To get rid of those "0/0" null-restriction from outer space, I'm afraid, there's no way than that suggestion of Mark Ruth, though.

You have a nerve [0/0]. Is pretty insecure. Guess would be easy to sniff the vnc password and every guy with some ambitions will move the mouse only you should move remotly.

But sniffing could happen even if I replace 0/0 with something (much) more specific, couldn't it? The ssh-suggestion by Markus Gaugusch would prevent it, I guess (have to play with it yet).

Reply

Sign in to reply online Use email software

8144

Age (days ago)

8145

Last active (days ago)

Download

9 comments

6 participants

tags

participants (6)

Gryphon Tech Security
Jens Woch
Mark Robinson
Mark Tinka
Markus Gaugusch
Michael Appeldorn