Mailinglist Archive: opensuse (2912 mails)

Re: [SLE] Port forwarding in SuSEfirewall2
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Mon, 21 Feb 2005 18:05:11 -0600
  • Message-id: <421A7737.4090608@xxxxxxxxxxxxx>
LinuxInfo wrote:

> I have a SuSE 9.2 as firewall with SuSE Firewall2. I'm trying to redirect java_tight vnc (port 5801 on the firewall) to a tight vnc server behind my firewall (port 5801 for http server) and port 5901 on the vnc server.

Why are you trying to redirect 5801 to 5901? ....

> It is the vnc httpd server that redirects my session after logon. From port 5801 (web) to 5901 (vnc).

Based on what I read at RealVNC's website, I do not believe this :-), but so what? If it's working locally, that's all that counts.

> Works fine locally. Just don't know how to treat the incoming request in SuSE firewall. I redirect port 5801 to the internal machine. Get a login. Then vnc redirects the session... now I need to redirect port 5901 from the outside to inside... and get susefw to understand that this is the same session :)

I checked the script, and it looks like SuSEfirewall2 uses the states NEW, RELATED, ESTABLISHED for just about everything. This is certainly true in the MASQ section, so I believe you should only need to add another rule for port 5901, identical to the one for port 5801. This is what you said didn't work for you, but are you sure you put both rules into the same line, and separated them by a space?

FW_FORWARD_MASQ=",internal_ip,tcp,5801:5802,5801:5802,external_ip \,internal_ip,tcp,5901:5902,5901:5902,external_ip"

I put that as 2 lines with a continuation, so line-wrapping would not obscure where the space should be; in your firewall config file (and in YaST where you enter it), it should be just one line, without the backslash of course -- maybe the system would accept the continuation, but I am not sure, so best not to try it.

Also, from my limited understanding of how VNC works, I think you could make that just one rule, using a port range 5801:5999. That would allow 99 simultaneous VNC sessions on the same vnc server -- but configuring your server for that is up to you :-)

The alternative, if that does not work, is to start carving some custom rules <shudder> which I think would require a very detailed understanding of how the script works -- that is not something I can claim.

I still think the value in /proc/sys/net/ipv4/tcp_fin_timeout on the firewall might be a problem for you.

PS, please reply only to the list; my mail filters will just put the cc copy to me into the same folder as the copy sent to the list.
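As an added illustration (not part of this thread), a small POSIX sh checker for a FW_FORWARD_MASQ value like the one above, before it goes into the sysconfig file: it assumes the source_net,dest_ip,proto,port[,redirect_port[,external_ip]] entry layout with space-separated entries and low:high port ranges, and flags a stray continuation backslash, a bad protocol, and an incoming range whose redirect range is a different size.

```shell
# Added example (not from the thread): sanity-check a FW_FORWARD_MASQ value
# before it goes into /etc/sysconfig/SuSEfirewall2. Assumed entry layout:
#   source_net,dest_ip,proto,port[,redirect_port[,external_ip]]
# with entries separated by spaces and port ranges written as low:high.

# True if $1 is a port or low:high range within 1..65535; leaves low/high set.
valid_port_spec() {
    case $1 in
        *:*) low=${1%%:*}; high=${1#*:} ;;
        *)   low=$1; high=$1 ;;
    esac
    case "$low$high" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$low" -ge 1 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Check every entry in a FW_FORWARD_MASQ value; prints one line per problem
# and returns 0 only when all entries are acceptable (a redirect range must
# be the same size as the incoming range it maps).
check_forward_masq() {
    value=$1 bad=0
    for entry in $value; do
        # A backslash here usually means a wrapped continuation line crept in.
        case $entry in *[!A-Za-z0-9.:/,_-]*)
            printf '%s: unexpected character\n' "$entry"; bad=$((bad+1)); continue ;;
        esac
        oldifs=$IFS; IFS=,; set -- $entry; IFS=$oldifs
        if [ $# -lt 4 ] || [ $# -gt 6 ]; then
            printf '%s: expected 4 to 6 comma-separated fields, got %s\n' "$entry" "$#"
            bad=$((bad+1)); continue
        fi
        [ -n "$2" ] || { printf '%s: destination IP missing\n' "$entry"; bad=$((bad+1)); }
        case $3 in tcp|udp) ;; *) printf '%s: protocol must be tcp or udp\n' "$entry"; bad=$((bad+1)) ;; esac
        if valid_port_spec "$4"; then
            width=$((high-low))
            if [ -n "$5" ]; then
                if valid_port_spec "$5"; then
                    [ $((high-low)) -eq "$width" ] || { printf '%s: range sizes differ\n' "$entry"; bad=$((bad+1)); }
                else
                    printf '%s: bad redirect port %s\n' "$entry" "$5"; bad=$((bad+1))
                fi
            fi
        else
            printf '%s: bad port %s\n' "$entry" "$4"; bad=$((bad+1))
        fi
    done
    [ "$bad" -eq 0 ]
}
```

Run it as `check_forward_masq "$FW_FORWARD_MASQ"` after sourcing the sysconfig file; the addresses in any test input are constructed placeholders.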
