On 2020.03.28 at 00:55, José Sarabia wrote:
Hi guys, I have the following questions:

Do you know by any chance which ports I need to enable in order to allow remote access using the Chrome remote access feature?

I know it works when I enable the following policy in /etc/shorewall/policy
image.png

Hello Jose,

Allowing all traffic from the local area network to the internet is not a good approach in my opinion.
A better one is:

    loc   net   REJECT

in /etc/shorewall/policy, and then ACCEPT in /etc/shorewall/rules the traffic you allow. I recommend using your own macro so that you don't have to type in the entire protocol and port syntax in the rules file. All you have to do is add the path where your macros will be located to your /etc/shorewall/shorewall.conf. I have them in /etc/shorewall/macros, so my line in shorewall.conf is the following:

CONFIG_PATH=":${CONFDIR}/shorewall:${CONFDIR}/shorewall/macros:${SHAREDIR}/shorewall"

Then copy some of the available macros from /usr/share/shorewall to your custom macros location and edit them to suit your needs.

For example, I have one called macro.UncommonHTTP, used exactly for uncommon HTTP and HTTPS traffic:

#
# Shorewall -- /etc/shorewall/macros/macro.UncommonHTTP
#
# This macro handles HTTP, HTTPS traffic on uncommon ports.
#
###############################################################################
#ACTION    SOURCE    DEST    PROTO    DPORT    SPORT    ORIGDEST    RATE    USER

PARAM    -    -    tcp    81-82
PARAM    -    -    tcp    8081

And I also have the line below in /etc/shorewall/rules, among the others:

UncommonHTTP(ACCEPT)     loc       net

And now the trick. From your Windows machine, using the Sysinternals TCPView utility, you have to figure out which ports your Google Chrome Remote Desktop is using, then simply add them to the above macro and restart the Shorewall firewall. You don't need to analyze the Shorewall log, but you can if you wish.

This approach is unfortunately more labor-intensive than allowing all outgoing traffic, but it is safer in my opinion.

Best regards,
Witek
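Witek's message mentions that the Shorewall log can also be used to find the ports a client needs instead of TCPView. The script below is an added example, not part of Witek's reply or of Shorewall itself: it summarises the destination ports hit by a REJECT or DROP policy from kernel log lines and turns them into PARAM lines ready to paste into a macro such as macro.UncommonHTTP. It assumes the default Shorewall LOGFORMAT prefix (`Shorewall:<chain>:<disposition>:`) and uses constructed log lines for the sample input; the function names `rejected_ports` and `ports_to_params` are mine.

```shell
#!/bin/sh
# Summarise which destination ports the "loc net REJECT" policy is blocking,
# using the Netfilter log lines Shorewall writes via the kernel log.
# Added example; not Shorewall's own tooling.

# Constructed sample log (not real traffic). Assumes the default
# LOGFORMAT="Shorewall:%s:%s:" prefix; field layout mirrors Netfilter's.
SAMPLE_LOG='Mar 28 00:55:01 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=8443
Mar 28 00:55:02 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=8443
Mar 28 00:55:03 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=UDP SPT=40000 DPT=5000
Mar 28 00:55:04 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=UDP SPT=40001 DPT=5000
Mar 28 00:55:05 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 PROTO=TCP SPT=51236 DPT=9001
Mar 28 00:55:06 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Mar 28 00:55:07 gw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=4444 DPT=22
Mar 28 00:55:08 gw kernel: eth0: link up'

# Read log lines on stdin; print "proto dport count", most frequent first.
# Only REJECT/DROP dispositions are counted, so logged ACCEPTs and unrelated
# kernel messages are ignored. Lines without a DPT (e.g. ICMP) are skipped.
rejected_ports() {
    grep -E 'Shorewall:[^ ]*:(REJECT|DROP):' \
    | sed -n 's/.*PROTO=\([A-Za-z]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
    | tr '[:upper:]' '[:lower:]' \
    | sort | uniq -c \
    | sort -k1,1nr -k2,2 -k3,3n \
    | awk '{ print $2, $3, $1 }'
}

# Turn "proto dport count" lines into Shorewall macro PARAM lines
# (ACTION SOURCE DEST PROTO DPORT, tab separated) for review before
# they are added to a macro and the firewall is restarted.
ports_to_params() {
    awk '{ printf "PARAM\t-\t-\t%s\t%s\n", $1, $2 }'
}

# Stand-alone demo on the constructed sample; on a real gateway feed it
# e.g. `journalctl -k | rejected_ports` instead.
printf '%s\n' "$SAMPLE_LOG" | rejected_ports | ports_to_params
```

Review the output before pasting it into a macro: every line is a port some client on the loc zone tried to reach, not necessarily one you want to open, which is the whole point of the REJECT policy.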
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users