Security and NAT (Open Ports)

Support section for FREESCO v0.4.x

Postby ronsodos » Wed Dec 23, 2009 2:19 pm

When I do a port scan I see 5900 (VNC) is closed but the port that I have it translated to is wide open. How do I close the port that it is translated to and still have the ability to VNC into my network?

Or better, how can I set up VPN to work? I built VPN on my main XP machine and I can ping the IP address. The router has nothing blocked so something in the Freesco firewall is blocking it. How can I open it so VPN will get through the firewall?

I have been reading the posts and see that it is possible to block everything except a particular IP address. This could work for me provided it still allows me to VNC into my network and blocks anyone else from hacking in. Will the open ports remain open or will they appear closed when I block everything except my own IP address?

Thanx in advance
Ron Sodos
Albuquerque NM
system report.txt
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby Lightning » Fri Dec 25, 2009 3:55 am

To do what you are asking I recommend installing the "knock" package onto the router. By default the knock package is configured so that you can run an FTP or SSH server in secure mode and then the package opens the port to a single IP address with the correct port knock sequence. However the exact firewall and ports the knock sequence will open is completely configurable.
So you will need to reconfigure it for the ports that you want to open with something like

knock.conf

[OpenVPN]
command = /bin/ipfwadm -I -i accept -P tcp -S %IP% -D 0/0 7989:7907

[CloseVPN]
command = /bin/ipfwadm -I -d accept -P tcp -S %IP% -D 0/0 7989:7907


Then in the firewall section of the /rc/rc_user script add a firewall rule to block all of those ports by default with
$fire)
   ipfwadm -I -a $Pd -W $INET -D 0/0 7989:7907 $LOG
   ;;

Once this is completed you will be able to connect to your VPN from anywhere and the ports will be blocked to everyone else that doesn't know the port knock sequence.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: Security and NAT (Open Ports)

Postby ronsodos » Fri Dec 25, 2009 11:31 pm

Lightning, I truly appreciate your help but you are going to have to forgive me. I am a real newbie. I was able to download the knock file from one of the sites and FTP it into the router. I was able to install it as well. However I am not familiar with how to edit the configuration files you told me about in your last post. I also am not sure what ports to use and what the syntax means. Do I use the IP of the eth0 in the router or the Windows PC inside my network with the VPN server? Help !!!


Ron Sodos
Albuquerque NM
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby Lightning » Sat Dec 26, 2009 3:42 pm

Do I use the IP of the eth0 in the router or the Windows PC inside my network with the VPN server. Help !!!
I am not completely sure what the question is. I gave the exact syntax for the router configuration according to the ports you have forwarded in your report.txt and there are no references to any IP addresses needed. So please clarify what configuration you are asking about?

However after thinking about this a bit more and reviewing your initial post, I am wondering what VPN server you are asking about, because I thought we were talking about VNC, and VPN is a completely different subject that you are probably not going to make work in this type of situation with FREESCO and port forwarding.
Lightning
FREESCO GOD !!
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: Security and NAT (Open Ports)

Postby ronsodos » Sat Dec 26, 2009 7:01 pm

I assumed that the syntax [Open VPN] implied that we were allowing the router to allow me to the VPN server on my Windows machine. Okay, forget that.

I am trying to figure this out. In my port forwarding I am going to only look at one entry.

tcp,7900,5900,192.168.1.2

This allows me to VNC into one PC with that IP address. Port 5900 is the standard port for VNC. I forward it to 7900 and when I enter VNC viewer I type 216.184.28.242:7900. This takes me directly to that PC. The problem is 5900 is closed and 7900 is wide open.

So am I correct in thinking in your syntax I would type

[OpenVPN]
command = /bin/ipfwadm -I -i accept -P tcp -S %IP% -D 0/0 7900:5900
and the same in the close VPN entry

and this command in the knock.conf to open and close VPN will open the port in sync with my ip forwarding.

and the entry in the rc_user script closes the ports to everyone else.

Am I correct?

Ron Sodos
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby dingetje » Sun Dec 27, 2009 12:11 pm

In addition to the knock server solution, you can also use the SSH tunnel solution as described in this wiki article:

http://dingetje.homeip.net/dokuwiki/fre ... vnc_server

With that solution you don't need a port forward (so simply delete the port forward rule again) and the SSH tunnel takes care of the VNC protocol forward.
The benefit of this solution is that it's secure and compressed and the tunnel is only there when needed.
GreetZ
http://dingetje.hopto.org

"Software is like sex: it's better when it's free." - LINUS TORVALDS
dingetje
FREESCO GURU !!
Posts: 1010
Joined: Wed Nov 14, 2001 12:13 pm
Location: The Netherlands

Re: Security and NAT (Open Ports)

Postby ronsodos » Sun Dec 27, 2009 2:29 pm

Lightning,

I entered the commands as you stated. I found a knockd.conf file in \etc and entered the commands exactly. You said knock.conf???

Also I entered the command exactly in the \rc\rc_user script. Now when I boot I get an error that says

ipfwadm: no ports allowed without specific ic protocol.

What am I doing wrong and where do I put these commands correctly?

Ron Sodos
Albuquerque Nm
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby ronsodos » Mon Dec 28, 2009 12:09 am

I must thank you guys for your expertise and knowledge. Also you guys are always willing to help a newbie like me. I struggled with the Knock configuration and kept getting syntax errors. I must have been putting the files in the wrong place or somehow entering them wrong.

Anyway I tried the SSH server and Putty method and it worked right away. I disabled all port forwarding and I can now VNC from my work PC to my home network. I am a happy camper.

Thanks again

Ron Sodos
Albuquerque NM
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby ronsodos » Mon Dec 28, 2009 12:44 am

One more question. After checking, I now have port 22 wide open. Is there a way to make this work and have port 22 closed to the world? I did turn off pings so that is working well. But when I had Shields Up probe port 22 it was wide open. I tried to set it secure and the SSH server would not respond.

Ron Sodos
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby Lightning » Mon Dec 28, 2009 2:12 am

ipfwadm -I -a $Pd -W $INET -D 0/0 7989:7907 $LOG

Sorry about the command line, I did it from memory and forgot when you use a specific port you must add the protocol.
ipfwadm -I -a $Pd -P tcp -W $INET -D 0/0 7900 $LOG

The above rule would go into the rc_user file. It needed the "-P tcp" added for the port protocol in all ipfwadm rules for this type of setting. I also changed it to just port 7900 as you state that is all you need.
As for your understanding of the port numbers at the end: the single port as you stated, which is all you are using, is fine. What I posted before was a port range, which includes all ports within the two numbers for that specific firewall rule.
As for your port forwarding rule you do not need to include the 5900 port at all in any firewall rule because that is strictly an internal port within your local LAN and not shown to the Internet side of the router. So it will always show as closed without anything else needed.

However as you now want to use SSH, which will work great. But it or ANY port MUST be open, otherwise you can not connect to it as you found out. But if you want SSH in secure mode you once again can configure knock to do that, which is the ONLY way to make it dynamically secure to only one IP address no matter where you are. Just reconfigure knock to use port 22 instead of 7900, then set the server in "s" mode so it is secure and you will be able to knock the port open to your IP address. Of course if you use different port sequences you can configure knock to open different ports with different knock sequences. That way you can keep everything in secure mode and still get access when needed. You also could change the rule to have a port range of 22:7907, which would open all ports from 22 to 7907 to a single IP address with the correct knock sequence, which would allow you to gain access to everything with one knock sequence.
Lightning
FREESCO GOD !!
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: Security and NAT (Open Ports)

Postby ronsodos » Mon Dec 28, 2009 6:41 pm

Lightning, as I said I had Putty and SSH working perfectly with port 22 wide open. I then added the commands to rc_user and knockd.conf just exactly as you wrote. Of course with the (-P tcp) correction in the rc_user file that you emailed me this morning. Now I cannot get to my SSH server at all. Putty just hangs and then says (Network error - Connection reset by peer)

I tried a test module thinking that the 5905 port I am using for 5900 (in order to say localhost:5) was the problem. So in my test module I have IP X.X.X.X:22. I thought that might work but it doesn't. I went home for lunch and remarked out the commands in rc_user and knockd.conf and it works again just fine. Not sure what to do now.

Would it help to unremark the commands, boot the router and create a new report.txt?


Ron Sodos
Albuquerque NM
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby Lightning » Mon Dec 28, 2009 9:44 pm

There are a few things that I need. The first is that you double check to make sure that your port knock sequence is actually working. Be sure that you are ONLY using the default packets and you are not mixing tcp and udp packets as I have had some issues when mixing packet types. You can see the knock results in the logs on a successful knock or directly on screen 3 or 5 I don't remember which. This can be tested directly from inside your LAN.

If that works then what I need is a new report.txt with everything enabled and a copy of your /etc/knockd.conf so I can give you the necessary corrections, because at this point I am not completely sure exactly what you are using as a configuration and the necessary ports. I also need to know if you are going to continue using an SSH tunnel without port forwarding and closing the SSH port with knock, or if you are just going to close the VNC port with the knock package on its own.
Lightning
FREESCO GOD !!
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: Security and NAT (Open Ports)

Postby ronsodos » Tue Dec 29, 2009 1:00 am

Okay I figured out the log files. The knockd.log file only says "listening on eth0". Each time I reboot the server the log file shows a new date and time and repeats that it is listening. No matter what I try (SSH, FTP, Putty from my Windows PC) the log file shows no additional entry. It seems that the code you gave me as well as the code built in to the knockd.conf file should at least add something to the log file. My boot sequence says knockd is running on eth0 and the log file says that, but I don't think anything is working at all. I am sending you my rc_user file, my knockd.conf file and my report.txt file.

I hope I can get this figured out. I am almost ready to just leave port 22 open and forget it.


Ron Sodos
knockd.txt
rc_user.txt
report.txt
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am

Re: Security and NAT (Open Ports)

Postby Lightning » Thu Dec 31, 2009 1:12 am

firewall) ipfwadm -I -a $Pd -P tcp -W $INET -D 0/0 22 $LOG

Remove this line from the rc_user file because the SSH server is already running in "s" secure mode. So this extra firewall rule is just redundant.

But looking at the files I see a LOT of various mistakes and differences. However to correct these I need to know exactly how you want the system to work. You basically have two options.

1: block SSH port and open it for an SSH tunnel.

2: block the VNC ports and open them for direct access.

At present you have it sort of configured for both, but only half way configured for each one, and that is why nothing is working. You also are missing some key configuration components in the knock.conf file, and as stated before, even though it says you can mix tcp and udp packet types it really doesn't work. So just leave those flags out and strictly use port numbers as you have in some of the configuration.
When knock is working you will see in the logs "stage 1" "stage 2" "stage 3"... and so on for each successful port completed by the knock client.

So if you will answer the above question we can get it working without too much more trouble.
Lightning
FREESCO GOD !!
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA
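A complete /etc/knockd.conf for option 2 above, written as an added example that is not code from this thread or from the FREESCO knock package: it leaves the forwarded VNC port 7900 blocked to the world and opens it only to the single address that sends the right knock sequence. It assumes the FREESCO package takes the standard knockd syntax (sequence, seq_timeout, command, %IP%), that knockd watches eth0, and that the sequences 7000,8000,9000 / 9000,8000,7000 and the 15-second timeout are values chosen here, not fixed by the package; for option 1 replace 7900 with 22.

```ini
# Assumed knockd syntax; the knocks are sniffed on the interface, so the
# knock ports themselves never need to be open in the firewall.
[options]
        interface = eth0

# Correct TCP SYNs to 7000, then 8000, then 9000 within 15 seconds insert (-i)
# an accept rule at the head of the input chain for the knocking host only;
# %IP% is replaced by knockd with that host's source address.
[openVNC]
        sequence    = 7000,8000,9000
        seq_timeout = 15
        command     = /bin/ipfwadm -I -i accept -P tcp -S %IP% -D 0/0 7900

# The reversed sequence deletes (-d) exactly the rule inserted above, so the
# port is closed again to that address when the session is finished.
[closeVNC]
        sequence    = 9000,8000,7000
        seq_timeout = 15
        command     = /bin/ipfwadm -I -d accept -P tcp -S %IP% -D 0/0 7900
```

The default-deny rule from the thread, ipfwadm -I -a $Pd -P tcp -W $INET -D 0/0 7900 $LOG, stays in /rc/rc_user; because the open command uses -i, the per-address accept lands ahead of that deny and the close command removes it again. A successful knock shows up in the knockd log as "stage 1", "stage 2", "stage 3" for the one source address, which is the check to run from inside the LAN before trusting it from outside.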

Re: Security and NAT (Open Ports)

Postby ronsodos » Thu Dec 31, 2009 10:19 am

Well in order to answer your questions, the whole reason I got involved with this is because I wanted to eliminate port forwarding, because all the ports I was forwarding 5900 to were wide open. Now in order to make this work I have to have 22 open. I use Putty to open an SSH to my router and in the Putty configuration it forwards to my internal PC (192.168.1.2) at localhost:5. After Putty opens my shell I shrink it and VNC to localhost:5.

I thought we would be able to open port 22 with the port knocker and then VNC would open the same way it does now through the forwarding in Putty. Am I correct in thinking once inside the SSH connection to the firewall I am no longer coming in through 5900 from the outside? Because I am already inside I am only using 5900 inside of the network. So I am hoping by using the port knocker to open 22 it would function exactly as it does now.

However, I really don't need direct access to my shell; my need is to be able to VNC into 192.168.1.2. Anyway I guess if I can VNC into that workstation inside my network I could access my shell once I am inside my network. I really have no need to access the shell but I do need to VNC in. So I guess the answer to the question is I need to block and open 5900.

As long as I can VNC to 192.168.1.2 inside my network I would be very happy. I will go with whatever is easier and whatever you recommend.
Thanx
Ron Sodos
ronsodos
Junior Member
Posts: 33
Joined: Wed Feb 18, 2009 11:04 am
