Hi all, I am trying to set up the SC VNC which I want to use for when I need to support my customers.
I am having problems placing these firewall rules so that it will allow the traffic. Here are my rules:

############################
#
# Define your variables
#
fwcmd="/sbin/ipfw"       #leave as is if using ipfw
oif="vr0"                #set to outside interface name
onwr="10.1.1.0/8"        #set to outside network range
oip="10.1.1.4"           #set to outside ip address
iif="re0"                #set to internal interface name
inwr="192.168.1.0/24"    #set to internal network range
iip="192.168.1.1"        #set to internal ip address
ntp="202.72.191.202"
ns1="203.10.1.17"        #set to primary name server best if = oif
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
# $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
# $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
$fwcmd add deny all from 210.22.175.130 to any in via $oif
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#ALL VNC
$fwcmd add fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
# Allow packets in via the VPN interface
$fwcmd add allow ip from any to any in recv ng0
# Allow the rest of the VPN data through
$fwcmd add allow gre from any to any
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow log tcp from any to $oip 22 setup
# $fwcmd add allow log tcp from any to $oip 80 setup
$fwcmd add allow tcp from any to $oip 25,53 setup
$fwcmd add allow tcp from any to #oip 21 setup
$fwcmd add allow tcp from any to $oip 110 setup
$fwcmd add allow log tcp from any to $oip dst-port 5900 setup
# $fwcmd add allow log tcp from any to any dst-port 5900 setup
$fwcmd add allow log tcp from any to any $iop setup
$fwcmd add allow log tcp from any to $iop setup
$fwcmd add allow log tcp from any to any dst-port 1723 setup
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any to $ns1 53
#
# Allow time update traffic
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Allow UDP from local external network so I can tracert from local servers
$fwcmd add allow udp from any 53 to any
$fwcmd add allow udp from any to any 53
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0
$fwcmd add allow icmp from any to any icmptypes 3
$fwcmd add allow icmp from any to any icmptypes 4
$fwcmd add allow icmp from any to any icmptypes 8
$fwcmd add allow icmp from any to any icmptypes 11
#
# Rules to allow VNC access through the FW (is this needed here?)
$fwcmd add allow tcp from any to any dst-port 5900 in via vr0
$fwcmd add allow tcp from any to any dst-port 5900 out via re0
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

The lines in bold are the lines I have entered. 192.168.1.30 is the machine in my internal network running the VNC viewer in listen mode, listening on port 5900. As you can see when an ipfw sh is done:

00100 3 144 allow ip from any to any via lo0
00200 0 0 deny log logamount 100 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 100 ip from 192.168.1.0/24 to any in via vr0
00400 0 0 deny log logamount 100 ip from not 192.168.1.0/24 to any in via re0
00500 0 0 deny log logamount 100 ip from 192.168.0.0/16 to any in via vr0
00600 0 0 deny log logamount 100 ip from 172.16.0.0/12 to any in via vr0
00700 0 0 deny log logamount 100 ip from any to 192.168.0.0/16 in via vr0
00800 0 0 deny log logamount 100 ip from any to 172.16.0.0/12 in via vr0
00900 0 0 deny ip from 0.0.0.0/8 to any in via vr0
01000 0 0 deny ip from 169.254.0.0/16 to any in via vr0
01100 0 0 deny ip from 192.0.2.0/24 to any in via vr0
01200 0 0 deny ip from 224.0.0.0/4 to any in via vr0
01300 0 0 deny ip from 240.0.0.0/4 to any in via vr0
01400 0 0 deny ip from any to 0.0.0.0/8 in via vr0
01500 0 0 deny ip from any to 169.254.0.0/16 in via vr0
01600 0 0 deny ip from any to 192.0.2.0/24 in via vr0
01700 0 0 deny ip from any to 224.0.0.0/4 in via vr0
01800 0 0 deny ip from any to 240.0.0.0/4 in via vr0
01900 0 0 deny ip from 210.22.175.130 to any in via vr0
02000 288 28799 divert 8668 ip from any to any via vr0
02100 0 0 check-state
02200 185 18064 allow tcp from any to any established
02300 3 144 fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
02400 0 0 allow ip from any to any in recv ng0
02500 288 32928 allow gre from any to any
02600 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 22 setup
02700 0 0 allow tcp from any to 10.1.1.4 dst-port 25,53 setup
02800 0 0 allow tcp from any to 10.1.1.4 dst-port 110 setup
02900 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 5900 setup   (packets aren't getting here)
03000 6 384 allow log logamount 100 tcp from any to any setup
03100 0 0 allow log logamount 100 tcp from any to any dst-port 1723 setup
03200 0 0 allow udp from any to 203.10.1.17 dst-port 53
03300 0 0 allow udp from 202.72.191.202 123 to 10.1.1.4 dst-port 123
03400 12 1178 allow udp from any 53 to any
03500 12 780 allow udp from any to any dst-port 53
03600 0 0 allow icmp from any to any icmptypes 0
03700 0 0 allow icmp from any to any icmptypes 3
03800 0 0 allow icmp from any to any icmptypes 4
03900 0 0 allow icmp from any to any icmptypes 8
04000 0 0 allow icmp from any to any icmptypes 11
04100 0 0 allow tcp from any to any dst-port 5900 in via vr0
04200 0 0 allow tcp from any to any dst-port 5900 out via re0
04300 0 0 allow ip from 10.1.1.4 to any out via vr0 keep-state
04400 0 0 allow ip from 192.168.1.0/24 to any via re0 keep-state
65435 3 1457 deny log logamount 100 ip from any to any
65535 1586 192759 allow ip from any to any

Any ideas?

Glen

_______________________________________________
freebsd-ipfw mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
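As an added example, not part of Glen's post or the FreeBSD ipfw tooling: a small Python audit over the `ipfw show` output quoted above. It lists, in order, the rules a new TCP connection to port 5900 can hit (so the pkts counters show where the traffic really lands, here rule 02300 rather than 02900), and it flags allow rules that accept any new connection from anywhere on any port, which is what rule 03000 became when the unset `$iop` variable expanded to nothing. The IPFW_SHOW sample is a constructed subset of the quoted output.

```python
import re

# Constructed sample: a subset of the `ipfw show` output quoted in the post above.
IPFW_SHOW = """\
02200 185 18064 allow tcp from any to any established
02300 3 144 fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
02900 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 5900 setup
03000 6 384 allow log logamount 100 tcp from any to any setup
03100 0 0 allow log logamount 100 tcp from any to any dst-port 1723 setup
03500 12 780 allow udp from any to any dst-port 53
04100 0 0 allow tcp from any to any dst-port 5900 in via vr0
65435 3 1457 deny log logamount 100 ip from any to any
65535 1586 192759 allow ip from any to any
"""
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")   # num pkts bytes body
PORT_RE = re.compile(r"\bdst-port\s+(\S+)")

def parse_show(text):
    """One dict per `ipfw show` line: rule number, counters and the rule body."""
    return [{"num": int(m[1]), "pkts": int(m[2]), "bytes": int(m[3]), "body": m[4]}
            for m in map(RULE_RE.match, (ln.strip() for ln in text.splitlines())) if m]

def port_in_list(port, spec):
    """ipfw port specs are comma-separated single ports or lo-hi ranges."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def trace_port(rules, port):
    """Rules, in order, that a new TCP connection to dst port <port> can hit;
    the pkts counters down this list show where the traffic really lands."""
    hits = []
    for r in rules:
        proto = r["body"].split(" from ")[0].split()[-1]   # token before "from"
        if proto not in ("tcp", "ip", "all"):
            continue
        m = PORT_RE.search(r["body"])
        if m is None or port_in_list(port, m[1]):
            hits.append(r)
    return hits

def overbroad_allows(rules):
    """Allow rules accepting any new connection from anywhere on any port
    (rule 03000 above is one: the unset $iop variable expanded to nothing)."""
    narrow = ("dst-port", "via", "recv", "established", "icmptypes")
    return [r["num"] for r in rules
            if r["body"].startswith("allow") and "from any to any" in r["body"]
            and not any(w in r["body"] for w in narrow)]
```

Running the firewall script under `sh -u` would have stopped at the first reference to the unset `$iop` instead of silently installing rule 03000.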
