Hi all,

how do I configure shorewall in such a way that I can connect via pcanywhere on a system in the local intranet via a shorewall firewall with a PC at my office.

I know that I need to open UDP port 22 and 5632 and allow connections above 1023. How do I do that last part?

I keep seeing every time I connect that a new port above 1023 is blocked.

Walter

(please reply to me via email, I have no access to the mailing list)
retlaW wrote:
> Hi all,
>
> how do I configure shorewall in such a way that I can connect via
> pcanywhere on a system in the local intranet via a shorewall firewall
> with a PC at my office.
>
> I know that I need to open UDP port 22 and 5632 and allow connections
> above 1023 how do I do that last part?
>
> I keep seeing every time I connect that a new port above 1023 is blocked.
>

DNAT net loc:<pcanywhere box> udp 1024:

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> -----Original Message-----
> From: retlaW
> Sent: Tuesday, October 08, 2002 3:11 PM
>
> Hi all,
>
> how do I configure shorewall in such a way that I can connect via
> pcanywhere on a system in the local intranet via a shorewall firewall
> with a PC at my office.
>
> I know that I need to open UDP port 22 and 5632 and allow connections
> above 1023 how do I do that last part?
>
> I keep seeing every time I connect that a new port above 1023
> is blocked.

Although I prefer to set up a secure tunnel to my LAN first and then invoke PCAnywhere across the tunnel... PcAnywhere (at least 9.2) uses the following ports. This is straight from my rules file. Notice these rules are commented in favor of VPN rules which allow me full access to my LAN.

# PcAnywhere ports.
# DNAT net loc:192.168.9.2 udp 5632
# DNAT net loc:192.168.9.2 tcp 5631

Steve Cowles
Cowles, Steve wrote:
> ports.
>
> This is straight from my rules file. Notice these rules are commented in
> favor of VPN rules which allow me full access to my LAN.
>
> # PcAnywhere ports.
> # DNAT net loc:192.168.9.2 udp 5632
> # DNAT net loc:192.168.9.2 tcp 5631
>

Thanks Steve -- the Symantec Knowledge Base site was unavailable when I checked a while ago so I took the original poster's word about the ports involved.

-Tom
FAQ number 6 says that logging is always done to the LOG_KERN facility. In my case (Debian), that means my /var/log/messages, /var/log/kern.log and /var/log/syslog all contain the shorewall logs.

Being able to log to a LOCAL facility would be great ... is it possible to configure that somehow, in a future version perhaps?

- Colin
Colin Viebrock wrote:
> FAQ number 6 says that logging is always done to the LOG_KERN facility.
> In my case (Debian), that means my /var/log/messages, /var/log/kern.log
> and /var/log/syslog all contain the shorewall logs.
>
> Being able to log to a LOCAL facility would be great ... is it possible
> to configure that somehow, in a future version perhaps?
>

This is a NetFilter restriction; if NetFilter allowed the facility to be altered, I would provide a way also.

-Tom
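Since the facility itself cannot be changed, the practical workaround is on the reading side: pick Shorewall entries out of the kernel log by their Shorewall:chain:action: prefix and work on those. The Python below is an added example written for this thread, not code from Shorewall or from any poster. The log lines it parses are constructed samples in the netfilter LOG line format (addresses from documentation ranges), and the function names parse_shorewall_line, shorewall_only and blocked_high_ports are chosen here. It also answers the symptom Walter reported at the top of the thread by counting which high destination ports were dropped for each source.

```python
import re
from collections import Counter

# Constructed sample lines (not from any poster's system) in the format
# netfilter's LOG target writes through the kernel facility:
#   "kernel: Shorewall:<chain>:<action>:IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=..."
SAMPLE_LOG = """\
Oct  8 15:11:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=117 ID=4321 PROTO=UDP SPT=5632 DPT=1035 LEN=40
Oct  8 15:11:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=117 ID=4322 PROTO=TCP SPT=2049 DPT=5631 WINDOW=16384 RES=0x00 SYN URGP=0
Oct  8 15:11:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=117 ID=4330 PROTO=UDP SPT=5632 DPT=1041 LEN=40
Oct  8 15:11:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=3456 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  8 15:11:12 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.9.2 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=UDP SPT=5632 DPT=5632 LEN=40
Oct  8 15:11:13 fw sshd[1234]: Accepted publickey for admin from 192.168.9.5 port 40122 ssh2
"""

# Only the Shorewall prefix is matched; ordinary kernel or daemon lines fall through.
LOG_RE = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


def parse_shorewall_line(line):
    """Return a dict of chain, action and KEY=value fields, or None for a non-Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            # LEN= appears twice (IP header, then payload); keep the first value.
            rec.setdefault(key, value)
    return rec


def shorewall_only(log_text):
    """The lines a separate Shorewall log would contain, filtered out of a mixed kernel/syslog file."""
    return [line for line in log_text.splitlines() if parse_shorewall_line(line) is not None]


def blocked_high_ports(log_text, min_port=1024):
    """Count dropped/rejected packets per (source, protocol, destination port) for ports >= min_port.
    This is the 'new port above 1023 is blocked' pattern from the first message, made countable."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec is None or rec["action"] not in ("DROP", "REJECT"):
            continue
        dpt = rec.get("DPT")
        if dpt is None or int(dpt) < min_port:
            continue
        counts[(rec["SRC"], rec["PROTO"], int(dpt))] += 1
    return counts


if __name__ == "__main__":
    for line in shorewall_only(SAMPLE_LOG):
        print(line)
    for (src, proto, port), n in sorted(blocked_high_ports(SAMPLE_LOG).items()):
        print(f"{src} {proto} dpt={port} dropped {n}x")
```

Run against a real /var/log/kern.log the same two functions split the Shorewall entries from the rest and show whether the blocked high ports all belong to one source and protocol, which is what distinguishes a single session's ephemeral ports from unrelated traffic.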
retlaW wrote:
> Tom,
>
> you, (you probably know this already), are the best!
>
> It works perfectly..

I should point out that the rule that I sent you opens a hole wide enough to drive a truck through so if the rules that Steve Cowles posted work for you, I highly recommend that you use them rather than what I posted.

-Tom
Steve

I saw your post in the Shorewall-users mailing list archive and was hoping you could help me out.

> This is straight from my rules file. Notice these rules are commented in
> favor of VPN rules which allow me full access to my LAN.
>
> # PcAnywhere ports.
> # DNAT net loc:192.168.9.2 udp 5632
> # DNAT net loc:192.168.9.2 tcp 5631
>
> Steve Cowles

The above would allow me to go to one machine behind my firewall, but we are wanting to have pcanywhere on all of the machines behind our firewall in the office so that we can get to them from home. Pcanywhere will allow me to tell it what ports I want to go to. So is there a way that I can tell it that port 5001 and 5002 would go to 192.168.1.1 ports 5632 and 5631 while someone going to the firewall at ports 5003 and 5004 would go to 192.168.1.2 ports 5632 and 5631? I am new to shorewall, firewalls and routers, so any help that you could give me would be greatly appreciated.

Thanks
Steve
> -----Original Message-----
> From: Steve Buehler [mailto:steve@vespro.com]
> Sent: Wednesday, October 16, 2002 3:27 PM
> To: Cowles, Steve; shorewall-users@shorewall.net
> Subject: pcanywhere
>
> Steve
> I saw your post in the Shorewall-users mailing list
> archive and was hoping you could help me out.
>
> > This is straight from my rules file. Notice these rules are
> > commented in favor of VPN rules which allow me full access
> > to my LAN.
> >
> > # PcAnywhere ports.
> > # DNAT net loc:192.168.9.2 udp 5632
> > # DNAT net loc:192.168.9.2 tcp 5631
> >
> > Steve Cowles
>
> The above would allow me to go to one machine behind my
> firewall, but we are wanting to have pcanywhere on all of
> the machines behind our firewall in the office so that we
> can get to them from home. Pcanywhere will allow me to tell
> it what ports I want to go to. So is there a way that I can
> tell it that port 5001 and 5002 would go to 192.168.1.1 ports
> 5632 and 5631 while someone going to the firewall at ports
> 5003 and 5004 would go to 192.168.1.2 ports 5632 and 5631?
> I am new to shorewall, firewalls and routers, so any help
> that you could give me would be greatly appreciated.
>
> Thanks
> Steve

Personally, I have not tried configuring PCAnywhere to use different ports. But if it can be done, then change the above example to something like:

# PCA host at 192.168.9.10
# DNAT net loc:192.168.9.10:5632 udp 5001
# DNAT net loc:192.168.9.10:5631 tcp 5002

# PCA host at 192.168.9.20
# DNAT net loc:192.168.9.10:5632 udp 5003
# DNAT net loc:192.168.9.10:5631 tcp 5004

BTW: Based on your requirements, you should really consider implementing a VPN solution. Then you wouldn't have these additional open ports to deal with.

Steve Cowles
Of course, you meant

# PCA host at 192.168.9.10
# DNAT net loc:192.168.9.10:5632 udp 5001
# DNAT net loc:192.168.9.10:5631 tcp 5002

# PCA host at 192.168.9.20
# DNAT net loc:192.168.9.20:5632 udp 5003
# DNAT net loc:192.168.9.20:5631 tcp 5004

----- Original Message -----
From: "Cowles, Steve" <Steve@SteveCowles.com>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, October 16, 2002 4:59 PM
Subject: [Shorewall-users] RE: pcanywhere

> > -----Original Message-----
> > From: Steve Buehler [mailto:steve@vespro.com]
> > Sent: Wednesday, October 16, 2002 3:27 PM
> > To: Cowles, Steve; shorewall-users@shorewall.net
> > Subject: pcanywhere
> >
> > Steve
> > I saw your post in the Shorewall-users mailing list
> > archive and was hoping you could help me out.
> >
> > > This is straight from my rules file. Notice these rules are
> > > commented in favor of VPN rules which allow me full access
> > > to my LAN.
> > >
> > > # PcAnywhere ports.
> > > # DNAT net loc:192.168.9.2 udp 5632
> > > # DNAT net loc:192.168.9.2 tcp 5631
> > >
> > > Steve Cowles
> >
> > The above would allow me to go to one machine behind my
> > firewall, but we are wanting to have pcanywhere on all of
> > the machines behind our firewall in the office so that we
> > can get to them from home. Pcanywhere will allow me to tell
> > it what ports I want to go to. So is there a way that I can
> > tell it that port 5001 and 5002 would go to 192.168.1.1 ports
> > 5632 and 5631 while someone going to the firewall at ports
> > 5003 and 5004 would go to 192.168.1.2 ports 5632 and 5631?
> > I am new to shorewall, firewalls and routers, so any help
> > that you could give me would be greatly appreciated.
> >
> > Thanks
> > Steve
>
> Personally, I have not tried configuring PCAnywhere to use different ports.
> But if it can be done, then change the above example to something like:
>
> # PCA host at 192.168.9.10
> # DNAT net loc:192.168.9.10:5632 udp 5001
> # DNAT net loc:192.168.9.10:5631 tcp 5002
>
> # PCA host at 192.168.9.20
> # DNAT net loc:192.168.9.10:5632 udp 5003
> # DNAT net loc:192.168.9.10:5631 tcp 5004
>
> BTW: Based on your requirements, you should really consider implementing a
> VPN solution. Then you wouldn't have these additional open ports to deal
> with.
>
> Steve Cowles
> -----Original Message-----
> From: Ian Hunter
> Sent: Wednesday, October 16, 2002 4:36 PM
> Subject: Re: [Shorewall-users] RE: pcanywhere
>
> Of course, you meant
>
> # PCA host at 192.168.9.10
> # DNAT net loc:192.168.9.10:5632 udp 5001
> # DNAT net loc:192.168.9.10:5631 tcp 5002
>
> # PCA host at 192.168.9.20
> # DNAT net loc:192.168.9.20:5632 udp 5003
> # DNAT net loc:192.168.9.20:5631 tcp 5004
>

Oops! Thanks for correcting my cut/paste laziness

Steve Cowles
Ian Hunter wrote:
> Of course, you meant
>
> # PCA host at 192.168.9.10
> # DNAT net loc:192.168.9.10:5632 udp 5001
> # DNAT net loc:192.168.9.10:5631 tcp 5002
>
> # PCA host at 192.168.9.20
> # DNAT net loc:192.168.9.20:5632 udp 5003
> # DNAT net loc:192.168.9.20:5631 tcp 5004
>

And of course, to actually use the rules they must be uncommented...

# PCA host at 192.168.9.10
DNAT net loc:192.168.9.10:5632 udp 5001
DNAT net loc:192.168.9.10:5631 tcp 5002

# PCA host at 192.168.9.20
DNAT net loc:192.168.9.20:5632 udp 5003
DNAT net loc:192.168.9.20:5631 tcp 5004

-Tom
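Two things went wrong or nearly wrong in this exchange: the first rule Tom posted (udp 1024:) forwards every port from 1024 upward to one host, and the per-host rules picked up the wrong internal address through cut and paste. The Python below is an added example written for this thread, not code from Shorewall or from any poster. It generates the per-host DNAT lines from a short host table, so the internal address and the external port pair are tied together by construction, and then lints a rules file for destination-port ranges wider than a few ports. PcaHost, render_rules and lint_rules are names chosen here; the emitted lines follow the five-column ACTION SOURCE DEST PROTO DEST-PORT layout of the rules quoted above, and the linter only understands that layout.

```python
import re
from dataclasses import dataclass

# PCAnywhere listens on these two ports, as given in Steve Cowles' rules above.
PCA_UDP = 5632   # status / discovery
PCA_TCP = 5631   # session data


@dataclass(frozen=True)
class PcaHost:
    """One PCAnywhere host behind the firewall and the external ports chosen for it."""
    name: str
    internal_ip: str
    ext_udp_port: int   # external port forwarded to UDP 5632 on internal_ip
    ext_tcp_port: int   # external port forwarded to TCP 5631 on internal_ip


def render_rules(hosts, source="net", dest_zone="loc"):
    """Emit /etc/shorewall/rules lines: a comment and two DNAT rules per host.
    Raises ValueError if two hosts claim the same (protocol, external port)."""
    seen = {}
    lines = []
    for h in hosts:
        for proto, port in (("udp", h.ext_udp_port), ("tcp", h.ext_tcp_port)):
            if (proto, port) in seen:
                raise ValueError(f"{proto}/{port} used by both {seen[(proto, port)]} and {h.name}")
            seen[(proto, port)] = h.name
        # The internal address comes from the same record as the ports, so it cannot
        # be left over from a previous block the way it was in the hand-edited version.
        lines.append(f"# PCA host at {h.internal_ip} ({h.name})")
        lines.append(f"DNAT\t{source}\t{dest_zone}:{h.internal_ip}:{PCA_UDP}\tudp\t{h.ext_udp_port}")
        lines.append(f"DNAT\t{source}\t{dest_zone}:{h.internal_ip}:{PCA_TCP}\ttcp\t{h.ext_tcp_port}")
    return "\n".join(lines) + "\n"


# ACTION SOURCE DEST PROTO DEST-PORT(S); trailing columns, if any, are ignored.
RULE_RE = re.compile(r"^(?P<action>DNAT|ACCEPT|REJECT|DROP)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
                     r"(?P<proto>\S+)\s+(?P<ports>\S+)")


def lint_rules(text, max_width=16):
    """Return (line_no, message) for every rule whose destination-port column is a
    range wider than max_width ports. '1024:' means 1024 through 65535."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("ports").split(","):
            lo, sep, hi = spec.partition(":")
            if not sep:
                continue                       # single port, nothing to flag
            low = int(lo) if lo else 0
            high = int(hi) if hi else 65535
            width = high - low + 1
            if width > max_width:
                findings.append((n, f"{m.group('action')} {m.group('src')}->{m.group('dst')} "
                                    f"{m.group('proto')} opens {width} ports ({spec})"))
    return findings


if __name__ == "__main__":
    hosts = [PcaHost("ws1", "192.168.9.10", 5001, 5002),
             PcaHost("ws2", "192.168.9.20", 5003, 5004)]
    print(render_rules(hosts))
    for n, msg in lint_rules("DNAT\tnet\tloc:192.168.9.2\tudp\t1024:\n"):
        print(f"line {n}: {msg}")
```

The linter is deliberately narrow: it reads only the five columns shown in this thread and flags width, not semantics, so a rule that is wide on purpose still shows up and has to be justified by whoever maintains the file.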
Hello,

TE> And of course, to actually use the rules they must be
TE> uncommented...

I'm wondering.. Isn't using (for example) VNC over an (encrypted..) SSH tunnel safer than using PcAnywhere? Also less expensive than buying PcAnywhere for all clients..

I'm thinking about implementing it this way to do some customer support and indeed using it as a very simple vpn-alike solution.

SSH isn't perfect, but isn't it more safe to do remote control over an encrypted tunnel..

All remarks about this are welcome ;)

--
Best regards,
Kristof mailto:kristof.hardy@catsanddogs.com
hmmmm. the freeswan site looks pretty interesting. I will have to take a closer look at it when I get the chance.

BTW, while I have your attention. One of our computers at work (windows2000) has files on it that we share regularly. Would it be better to open up that machine behind the firewall/router completely, for specific IP's that I might be coming from? Or open up the port (not sure which one) so that we can get to the file no matter where we are, since we do still need it when we travel sometimes.

What we have done at the moment is to map the network drive to our offsite and onsite computers. I would prefer to be able to leave them mapped. Is that possible when it is behind a different firewall? I plan on having a firewall at my house and at work. When I am on the road and need access to it, I won't be behind a firewall, but the machine with the drive that I am mapping will be. Also, when I am on the road, I will not have a static IP. Plus, the file needs to be in a place where everybody can read/update it without overwriting somebody else's updates. So they can't just download it from a server, change it and upload it with ftp again because that could mess things up if somebody else is updating it at the same time.

Thanks
Steve

At 08:54 PM 10/16/2002 -0500, you wrote:
> > -----Original Message-----
> > From: Steve Buehler
> > Sent: Wednesday, October 16, 2002 4:32 PM
> > To: Cowles, Steve
> > Subject: Re: [Shorewall-users] RE: pcanywhere
> >
> > How would I go about setting up the VPN solution? Or where
> > would be a good start to find out about a VPN solution? I
> > am a real newbie when it comes to firewall/routers. I just
> > set up my first one yesterday.
> >
>
> Steve,
>
> As for a good starting point, I don't really know. I had to learn the hard
> way myself by just futzing around and reading/searching the internet until I
> got my first VPN server installed. To be honest, I was more concerned about
> internet security implications than implementing the actual server.
>
> If you're using MS based clients that are running W2k/XP then setting up a
> PPTP or IPSEC VPN server would probably be a good starting point. NT servers
> support setting up a pptp based VPN server (out of the box) while W2K
> servers support both PPTP and IPSEC (out of the box). Although check the
> status of the current exploit against these types of MS based VPN servers.
> Damn Microsoft!
>
> Linux also has PPTP/IPSEC based VPN servers that can be implemented that
> are compatible with MS based clients. BTW: I have not seen any exploits
> against linux based VPN servers.
>
> A couple of linux related sites to look at:
>
> http://sourceforge.net/projects/poptop -- PPTP
>
> http://www.freeswan.org -- IPSEC
>
> good luck
> Steve Cowles
Steve Buehler wrote:
> hmmmm. the freeswan site looks pretty interesting. I will have to take
> a closer look at it when I get the chance.
>
> BTW, while I have your attention. One of our computers at work
> (windows2000) has files on it that we share regularly. Would it be
> better to open up that machine behind the firewall/router completely,
> for specific IP's that I might be coming from? Or open up the port (not
> sure which one) so that we can get to the file no matter where we are,
> since we do still need it when we travel sometimes.
> What we have done at the moment is to map the network drive to our
> offsite and onsite computers. I would prefer to be able to leave them
> mapped. Is that possible when it is behind a different firewall? I
> plan on having a firewall at my house and at work. When I am on the
> road and need access to it, I won't be behind a firewall, but the
> machine with the drive that I am mapping will be. Also, when I am on the
> road, I will not have a static IP. Plus, the file needs to be in a
> place where everybody can read/update it without overwriting somebody
> else's updates. So they can't just download it from a server, change it
> and upload it with ftp again because that could mess things up if
> somebody else is updating it at the same time.
>

The above scenario is just one more reason why you should implement a VPN solution. I can't in good conscience recommend any other approach.

-Tom
We use VNC exclusively with ssh to maintain remotely all of our workstations behind a firewall and it works perfectly. Just type from your host in one xterm:

ssh -C -L 5901:<ip of vncserver>:5901 <ip of firewall>

and from another xterm on your machine, to view the remote screen, run:

vncviewer :1

If the client is running Linux you can use x0rfbserver http://www.hexonet.de/software/x0rfbserver/ to view desktop :0.

Hope that helps.

Pascal

PS: The obvious advantage is that you don't need to open any pinholes in your firewall to view a workstation desktop.

On Thu, 2002-10-17 at 00:56, Kristof Hardy wrote:
> Hello,
>
> TE> And of course, to actually use the rules they must be
> TE> uncommented...
>
> I'm wondering.. Isn't using (for example) VNC over an (encrypted..)
> SSH tunnel safer than using PcAnywhere? Also less expensive than
> buying PcAnywhere for all clients..
>
> I'm thinking about implementing it this way to do some customer
> support and indeed using it as a very simple vpn-alike solution.
>
> SSH isn't perfect, but isn't it more safe to do remote control over an
> encrypted tunnel..
>
> All remarks about this are welcome ;)
>
>
> --
> Best regards,
> Kristof mailto:kristof.hardy@catsanddogs.com
>
--
Pascal DeMilly <list.shorewall@newgenesys.com>
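Pascal's single -L forward covers one workstation; the thread's actual requirement is several. Each vncviewer :N display is local port 5900+N, and each remote VNC display :M is port 5900+M on that workstation (x0rfbserver on :0 is 5900), so with several hosts the local side needs one distinct port per workstation in the same ssh command. The Python below is an added example written for this thread, not code from any poster; vnc_tunnel_plan is a name chosen here, and the firewall name and workstation addresses are whatever the caller passes in. It derives the -L arguments and the matching viewer commands, and rejects duplicate hosts and out-of-range displays before anything is typed.

```python
VNC_BASE_PORT = 5900            # RFB convention: display :N listens on 5900 + N
MAX_DISPLAY = 65535 - VNC_BASE_PORT


def vnc_tunnel_plan(firewall, workstations, compress=True):
    """Build one ssh command forwarding a distinct local VNC display to each workstation.

    workstations: list of (ip, remote_display) pairs; local displays are assigned :1, :2, ...
    in the order given. Returns (ssh_command, {ip: "vncviewer :N"}).
    -L without a bind address binds only on the local loopback, so nothing new is
    reachable from the network; the only listener on the firewall stays sshd."""
    if not workstations:
        raise ValueError("no workstations given")
    forwards = []
    viewers = {}
    for local_display, (ip, remote_display) in enumerate(workstations, start=1):
        if ip in viewers:
            raise ValueError(f"workstation {ip} listed twice")
        if not 0 <= remote_display <= MAX_DISPLAY:
            raise ValueError(f"display :{remote_display} out of range for {ip}")
        local_port = VNC_BASE_PORT + local_display
        remote_port = VNC_BASE_PORT + remote_display
        forwards.append(f"-L {local_port}:{ip}:{remote_port}")
        viewers[ip] = f"vncviewer :{local_display}"
    cmd = "ssh " + ("-C " if compress else "") + " ".join(forwards) + f" {firewall}"
    return cmd, viewers


if __name__ == "__main__":
    # Constructed inputs: two workstations behind a firewall called fw.example,
    # one running a normal vncserver on :1, the other x0rfbserver on the console (:0).
    cmd, viewers = vnc_tunnel_plan("fw.example", [("192.168.9.10", 1), ("192.168.9.11", 0)])
    print(cmd)
    for ip, viewer in viewers.items():
        print(f"{ip}: {viewer}")
```

With the single-host input from Pascal's message the function reproduces his command exactly; with two hosts it yields -L 5901:... -L 5902:... in one ssh invocation, and the viewer for the second host is vncviewer :2, not :1, which is the detail that is easy to get wrong by hand.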