Actually you don't need UDP 3389 for Terminal Service/Remote Desktop. TCP 3389 is enough... (Safer not to open any unused UDP ports... Look at what SQL Slammer did [;)] )
[ 03 February 2003, 10:21: Message edited by: Sterion ]
Also note that the login password is sent in the clear even if the TS session is encrypted. Better to use a VPN even if PPTP. Otherwise, Term Services should work fine over NAT/Masq.
Users don't like an extra step but you take your chances with MS apps. This is going to be another bad year for MS worms and the like. Maybe a good year for Astaro?
If you take a look at Filter livelog/Current filter rules you will notice that the filter is in the chain USR_FORWARD...
If you then don't have a DNAT for port 3389, the firewall will use the chain USR_INPUT (where there isn't a rule it can match) and the packet gets dropped...
So make a DNAT on your external interface port 3389 to the internal server you wish to run terminal services and you'll be fine [:)]
Well I have tried many things and cannot get remote desktop to work so is there anyone that can walk me through this step by step? I am having a hard time with firewalling and maybe when I understand it a little better by setting up a few things by example I can get a better understanding.
Firewall Internet side adapter IP address = a.b.c.d (you do not need to define this if you are using a dynamic IP address)
Internal Windows XP IP address = e.f.g.h (make sure you are using a private address such as 10.0.x.x or 192.168.0.x)
Define both in Networks.
TERM_SERV_IN = 3389 (TCP). Define in Services.
In Network/NAT Masquerading define this:
Rule Type: DNAT/SNAT
Source Address: ANY
Destination Address: a.b.c.d (your internet side IP address, or external interface if you do not have a dynamic address)
Service: TERM_SERV_IN
Source to: NO CHANGE
Address Destination to: e.f.g.h
Service Destination to: NO CHANGE
Packet Filter / Rules:
From (client): Any
To (server): e.f.g.h
Service: TERM_SERV_IN
Action: ALLOW
Define the machine running remote admin in Definitions in ASL, i.e. RA-Box 192.168.1.55. Define the terminal services service in Services, i.e. TermServ UDP 3389.
Set up a DNAT rule under Networking. Src: Any, Destination: FirewallRedInterfaces, Service: TermServ, Destination = RA-Box.
Set a packet filter rule to allow 3389 to the RA-Box and out.
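For readers who want to see what the DNAT plus packet-filter pair from the two walkthroughs above (a.b.c.d / e.f.g.h and the RA-Box variant) comes to underneath, here is the equivalent as plain iptables rules on a Linux NAT box. This is an added example written for this thread, not Astaro's own rule generator or anything posted by the participants; the interface name eth0, the addresses 203.0.113.5 / 192.168.0.10 / 198.51.100.0/24 and the optional ADMIN_SRC restriction are my placeholders and additions. It opens TCP only, and it puts the allow rule in FORWARD with the internal address as destination, which is the point made earlier about USR_FORWARD versus USR_INPUT.

```shell
#!/bin/sh
# Added example (not from the thread or from Astaro): iptables equivalent of
# the DNAT + packet-filter rules described above, for a Linux NAT/masq box.
# eth0 and all addresses used here are placeholders.
#
# Usage: rdp_forward.sh EXT_IF EXT_IP INT_HOST [ADMIN_SRC]
#   EXT_IF    external (Internet side) interface, e.g. eth0
#   EXT_IP    address on that interface (a.b.c.d in the thread)
#   INT_HOST  internal Terminal Services host (e.f.g.h, or RA-Box)
#   ADMIN_SRC optional source network allowed to connect. Default is anywhere,
#             which is what the thread's "Source: Any" does; narrow it if you can.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print instead of apply
RDP_PORT=3389                       # TCP only; RDP does not need UDP 3389

rdp_forward_rules() {
    ext_if="$1"; ext_ip="$2"; int_host="$3"; admin_src="${4:-0.0.0.0/0}"

    # 1. DNAT (nat table, PREROUTING): rewrite the destination of inbound
    #    TCP/3389 arriving on the external interface to the internal host.
    #    This is the thread's "Address Destination to = e.f.g.h" rule.
    #    With a dynamic external address you would drop the -d match.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" \
        --dport "$RDP_PORT" -s "$admin_src" \
        -j DNAT --to-destination "$int_host:$RDP_PORT"

    # 2. Filter: once DNATed the packet is routed through the box, so it is
    #    checked in FORWARD (Astaro's USR_FORWARD), not INPUT. If the DNAT is
    #    missing the packet is local traffic, hits INPUT, and is dropped there.
    #    The destination is the *internal* address, as in "To (server): e.f.g.h".
    $IPTABLES -A FORWARD -i "$ext_if" -p tcp -d "$int_host" --dport "$RDP_PORT" \
        -s "$admin_src" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # 3. Replies from the server back out; conntrack reverses the DNAT.
    $IPTABLES -A FORWARD -o "$ext_if" -p tcp -s "$int_host" --sport "$RDP_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Apply (or print, with IPTABLES=echo) when run with arguments.
if [ "$#" -ge 3 ]; then
    rdp_forward_rules "$@"
fi
```

Run it first with IPTABLES=echo to see the three rules it would add; note that nothing in the output mentions udp, and that the fourth argument is the only thing standing between 3389 and the whole Internet, so give it your office or VPN range rather than leaving it at the default.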
Isn't it possible to use remote desktop via SSH (tunneling)? I did not test this myself, but it should be possible to map a local port to the terminal service port on the server and use ssh to tunnel through the firewall. Looks to me that this is much safer but maybe too slow????