Firewall setup mistake may help others

Joel Lieberman joel.lieberman "at" verizon.net
Fri Mar 26 14:47:01 2004


Greetings -

I recently made a rather silly mistake
while setting up firewall/NAT rules for
a VNC Server,
and after reflection, I thought that
documenting it might be of some help to
others.

I created a rule to NAT tcp requests to
port 5900 for a VNC Server host.
Then I mistakenly set (and limited) the
incoming port (range) to 5900 also.

Point to remember:

While you should specify the exact
port(s) that will be forwarded "to",
you need to leave the "incoming" port
range open - unless you have
a specific reason to limit incoming
requests to only those from a known
port.

The incoming port range is different
from setting rules to limit incoming
network addresses.

I hope my mistake may help others who
are setting up their firewall/NAT
routings.

Special thanks to Scott Best who prodded
my thinking in the right direction!

Cheers -

Joel Lieberman, Ph.D.
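The mistake described in the post, worked through as an added example (not part of the original message and not any particular firewall's syntax): a small Python model of a port-forward rule, with the mistaken rule that also limits the incoming (source) port to 5900 beside the corrected one that matches only the destination port. The internal host 192.0.2.10 and the sample connections are constructed for the illustration.

```python
"""Model of the VNC NAT rule mistake: limiting the *source* port to 5900.

A port-forward rule must match on the destination port (5900 for VNC).
The source port of an incoming TCP connection is an ephemeral port chosen
by the client and is almost never 5900, so restricting the incoming port
range to 5900 silently drops nearly every legitimate connection.  In
iptables terms this is the difference between "--sport 5900" (wrong here)
and "--dport 5900" (right).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    dst_port: int                              # port the rule forwards "to"
    src_port_range: Optional[Tuple[int, int]]  # None = any incoming port
    forward_to: str                            # internal VNC host (assumed)

    def matches(self, src_port: int, dst_port: int) -> bool:
        if dst_port != self.dst_port:
            return False
        if self.src_port_range is None:
            return True
        lo, hi = self.src_port_range
        return lo <= src_port <= hi


# Constructed rules: the mistaken one also limits the incoming port to 5900.
MISTAKEN_RULE = NatRule(dst_port=5900, src_port_range=(5900, 5900), forward_to="192.0.2.10")
CORRECT_RULE = NatRule(dst_port=5900, src_port_range=None, forward_to="192.0.2.10")


def forward(rule: NatRule, src_port: int, dst_port: int) -> Optional[str]:
    """Return the internal host a packet is NATed to, or None if it is dropped."""
    return rule.forward_to if rule.matches(src_port, dst_port) else None


# Constructed sample connections (src_port, dst_port): real clients use
# ephemeral source ports; the last one targets 5901 and should never match.
SAMPLE_CONNECTIONS = [(51234, 5900), (60001, 5900), (5900, 5900), (49152, 5901)]


def tally(rule: NatRule) -> int:
    """Count how many of the sample connections the rule actually forwards."""
    return sum(1 for s, d in SAMPLE_CONNECTIONS if forward(rule, s, d) is not None)


if __name__ == "__main__":
    for name, rule in (("mistaken", MISTAKEN_RULE), ("correct", CORRECT_RULE)):
        print(f"{name}: forwards {tally(rule)} of {len(SAMPLE_CONNECTIONS)} sample connections")
```

Running it shows the mistaken rule forwarding only the one connection that happens to come from source port 5900, while the corrected rule forwards every connection to port 5900 regardless of source port.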