Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] vnc masqueraded
>Hi folks,
>
>there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse
>73, Susefirewall2), standard-configuration.
>
>Task: Enable remote control of the internal computers via VNC.
>
>The following already works:
>
>(1) intern <-> intern
>(2) intern <-> firewall
>(3) extern <-> firewall
>(4) intern -> extern
>
>The problem is (5) extern -> intern
>
>(currently I do a remote control of the firewall, which does a remote
>control of an internal computer, but that's pretty shitty)
>
>I do not know the right questions. Is it a firewall-, routing-, or
>masquerading-thingie? How do I address internal computers anyway?
>

You can do some port forwarding, e.g.

$EXT_IP:$PORT1 -> $INT_IP01:5900

for each machine behind your wall.

Check therefore in /etc/rc.config.d/firewall2.rc.config

# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP addresses
# Hint: if FW_DEV_MASQ is set to the external interface you have to set
# FW_FORWARD from internal to DMZ for the service as well to allow access
# from internal!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, separated each by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination IP
# (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
# separated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
# Optional is a port after the destination port, to redirect the request to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"

Yours

Michael Appeldorn

:O):_
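As an added example (not code from this mail or from SuSEfirewall2 itself), the following shell snippet builds the FW_FORWARD_MASQ value for the "one external port per internal VNC host" setup in the src,dst,proto,port[,redirport] syntax quoted above, and checks that each entry has the documented shape. The admin net 203.0.113.0/24 and the 192.168.0.x hosts are constructed sample values; note that the source field is narrowed to that admin net instead of opening the VNC ports to the whole internet.

```shell
#!/bin/sh
# Added example, not code from the mail or from SuSEfirewall2: build and check
# FW_FORWARD_MASQ entries in the "src,dst,proto,port[,redirport]" syntax.
# 203.0.113.0/24 (admin net) and the 192.168.0.x hosts are constructed values.
ADMIN_NET="203.0.113.0/24"   # only this source net may reach the forwarded ports
VNC_PORT=5900                # VNC display :0 on every internal host

# fw_masq_rule SRC DST PROTO PORT [REDIRPORT]: print one rule, reject bad protocols
fw_masq_rule() {
    case "$3" in
        tcp|udp) ;;
        *) echo "fw_masq_rule: protocol must be tcp or udp, got '$3'" >&2; return 1 ;;
    esac
    if [ -n "$5" ]; then printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5"
    else printf '%s,%s,%s,%s\n' "$1" "$2" "$3" "$4"; fi
}

# vnc_forward_masq BASEPORT HOST...: the n-th host is reached via external port
# BASEPORT+n and redirected to VNC_PORT; prints the space-separated value
vnc_forward_masq() {
    base=$1; shift; n=0; out=""
    for host in "$@"; do
        n=$((n + 1))
        rule=$(fw_masq_rule "$ADMIN_NET" "$host" tcp $((base + n)) "$VNC_PORT") || return 1
        out="${out:+$out }$rule"
    done
    printf '%s\n' "$out"
}

# describe_forward_masq VALUE: one readable line per rule; fails on a rule that
# does not have the documented 4 or 5 comma-separated fields
describe_forward_masq() {
    for rule in $1; do
        oldifs=$IFS; IFS=,; set -- $rule; IFS=$oldifs
        case $# in
            4) echo "$3 from $1 to ext:$4 -> $2:$4" ;;
            5) echo "$3 from $1 to ext:$4 -> $2:$5" ;;
            *) echo "bad rule '$rule': expected src,dst,proto,port[,redirport]" >&2; return 1 ;;
        esac
    done
}

# Demo: the value to paste into FW_FORWARD_MASQ for two internal VNC hosts
FW_FORWARD_MASQ=$(vnc_forward_masq 5900 192.168.0.10 192.168.0.11)
printf 'FW_FORWARD_MASQ="%s"\n' "$FW_FORWARD_MASQ"
describe_forward_masq "$FW_FORWARD_MASQ"
```

The VNC client on the admin net then connects to the firewall's external IP on port 5901 or 5902 and lands on display :0 of the corresponding internal host.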