firewall and vnc


Guest vance

Any help would be greatly appreciated!!

 

I have recently installed Guarddog and everything has been going great. I have been getting things working on a need-to-work basis. For the last couple of days I have been trying to get my vnc working. (Using a win2000 box through mandrake to another box.) With Guarddog deactivated I can connect with no problem, but when Guarddog is up it's a no go. I have checked all vnc possible boxes in guarddog but must be missing something.

Again, any help would be appreciated!!!!


The ports used by VNC depend on how you started it. If you started the server by typing 'vncserver :0' then you MUST be able to ping the server at ServerIP:5900. On the other hand, if you started the server by typing 'vncserver :1' then you MUST be able to ping the server at ServerIP:5901. In fact VNC uses ports 590x where x is the display number. Now, if you use a browser to access your desktop then you also need to free 580x where x is the display number. Port 580x is used for password and username authentication by the Java applet and then all the info is transferred by port 590x.

 

Example: I start my server with 'vncserver :2'. To connect to my server using a browser I type 'http://ServerIP:5802'. Of course, you must be able to ping the server at port 5802 and 5902.

 

For more info -> http://www.uk.research.att.com/vnc/faq.html#q53

 

MOttS


I do apologize if I did not make things clear. I am trying to get a visual of the remote desktop from a win 2000 machine with the Mandrake box between them. Guarddog is not allowing the connection even though I have all vnc possibilities checked.

With Guarddog disabled there is no problem with the connection.


I know nothing about Guarddog. I use Shorewall and I manually edit the files in etc/shorewall. I don't trust GUIs and I don't think you should. VI the Guarddog config file and see if there is a bug in it. What's wrong with Shorewall BTW?

 

I still have problems figuring out what you are trying to do. One more try:

 

The machine on which the vncserver is running (A) is plugged to a Mandrake box (B). Now, you are trying to view the machine A desktop from a machine C that is also plugged to machine B. Is that ok? So you have 2 machines connected to a server running MDK linux.

 

MOttS


Close: pc 1 (location at home), pc 2 (mandrake box, location work), pc 3 (win 2000, location work). I am trying to use pc3 to access pc1. pc 2 has the firewall.

 

Unfortunately I do not know iptables (or have time) enough to manually alter tables.


I know nothing about iptables either!!! Shorewall is just an interface to iptables, just like Guarddog. However it doesn't come with a GUI and I like it this way ;-)

 

Ok so basically, when you start the vncserver at home, this becomes a server listening for connections. So if you are able to connect to your vncserver from the win2k machine when Guarddog is down, this means that Guarddog blocks your win2k machine from accessing servers on the net running on ports 590x and 580x. By clicking the VNC boxes in the GUI, you allowed people to ping your win2k machine on those ports … which is useless since you are not running a vncserver on the win2k machine. You must allow your win2k machine to access all IPs on all ports on the net.

 

So I would uncheck the VNC boxes in the Guarddog GUI on the MDK machine first. Then I would double check if your LAN (the win2k machine) is allowed to access the web. Not only www (port 80) but ALL the ports. There must be a box to check somewhere… lol

 

If you ran the default firewall (Shorewall), your win2k machine could access all the servers on all ports from your LAN. This is the default setting. However, all the ports are blocked from the outside. In other words, you would not have this problem.

 

MOttS
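
An added example, not part of any post in this thread: a small Python check, run from the client side of the firewall (the Win2000 machine's position), that derives the 590x/580x ports for a display number as described above and reports whether each one is open, refused, or gets no answer. The function names and the 3-second timeout are assumptions of this example.

```python
import socket
import sys

def vnc_ports(display):
    """Ports for VNC display N, per the thread: 590N carries RFB, 580N serves the Java applet."""
    if not 0 <= display <= 99:
        raise ValueError("display number out of range")
    return {"rfb": 5900 + display, "http": 5800 + display}

def probe(host, port, timeout=3.0):
    """TCP-connect to host:port and return (state, banner).

    state is 'open' (handshake completed), 'refused' (a reset came back, so
    the path is clear but nothing listens) or 'filtered' (no answer or host
    unreachable, typical of a firewall silently dropping the packets)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(12)   # an RFB server speaks first, e.g. b"RFB 003.008\n"
            except OSError:           # includes timeout: an HTTP port waits for a request
                banner = b""
            return "open", banner
    except ConnectionRefusedError:
        return "refused", b""
    except OSError:
        return "filtered", b""

def check_display(host, display, timeout=3.0):
    """Probe both ports of one display and flag whether a port answers as RFB."""
    report = {}
    for role, port in vnc_ports(display).items():
        state, banner = probe(host, port, timeout)
        report[port] = {"role": role, "state": state,
                        "is_rfb": banner.startswith(b"RFB ")}
    return report

if __name__ == "__main__":
    host, display = sys.argv[1], int(sys.argv[2])   # e.g. ServerIP 2
    for port, r in check_display(host, display).items():
        note = " [RFB banner seen]" if r["is_rfb"] else ""
        print(f"{host}:{port} ({r['role']}): {r['state']}{note}")
```

Run it once with the firewall up and once with it down: a port that changes from filtered to open points at the firewall's outbound rules rather than at the VNC server.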
