SV: VNC and Firewall - which ports to open?
Angelo Sarto
angelosarto "at" gmail.com
Mon Oct 18 17:05:01 2004
Possibly, you have the port "open" and not redirected.
You need a port forward of 5900 to your local machine if your firewall
is doing PAT/NAT.
(i.e. you have only one public IP shared for many computers)
Simply Opening 5900 will prolly route the packet into the bit bucket.
??
--Angelo
On Mon, 18 Oct 2004 14:43:39 +0200, Jerome R. Westrick
<jerry "at" westrick.com> wrote:
> On Mon, 2004-10-18 at 14:24, Marcus Lager wrote:
> > "These ports assume you are using display ":1" (accessed via command:
> > "vncviewer machine:1"). Is that the case? "
> >
> > - No, I don't believe I am. I'm running VNC as a service on the server and
> > clients connect by using the VNC viewer and stating the mapped IP address
> > and the password I set up using VNC 3.3 authentication.
> >
> > So I guess i only need to worry about TCP port 5900 then?
>
> Okay, that is correct if you only use IP-address then you are using the
> default ( :0 ) ie. 5900.
>
>
> > Well, when
> > allowing only this port in my firewall I cannot connect. When I allow traffic
> > on all ports I connect without problems.
>
> It seems to be your firewall settings then...
> They don't seem to work; do you have a log in which you can see if the
> firewall is blocking port 5900?
>
> Jerry
>
> > /Marcus
> >
> > -----Original Message-----
> > From: vnc-list-admin "at" realvnc.com [mailto:vnc-list-admin "at" realvnc.com] On Behalf Of
> > Jerome R. Westrick
> > Sent: 18 October 2004 10:51
> > To: vnc-list "at" realvnc.com
> > Subject: Re: VNC and Firewall - which ports to open?
> >
> >
> > On Mon, 2004-10-18 at 10:18, Marcus Lager wrote:
> > > I have a Netscreen NS5XT firewall. If I allow all ports to my server, which
> > > is behind the firewall, the VNC connection works. If I allow only TCP ports
> > > 5801, 5901 and 5501 the connection fails. According to the documentation
> > > these ports are the only ones I should open.
> > >
> >
> > These ports assume you are using display ":1" (accessed via command:
> > "vncviewer machine:1"). Is that the case?
> >
> > If you use the command "vncviewer machine" (without the :1) then you
> > would need to redirect the ports 5800, 5900, and 5500 (without the
> > +1)...
> >
> > Jerry
> > P.S. The ports 5800 (+displayno), are used for downloading the java
> > applet into your browser, if you don't use browser access you don't need
> > to redirect this port...
> >
> > P.P.S. The ports 5500 (+displayno), are used for "reverse" connections,
> > that is when the vncserver does "Add client", and connects to a
> > vncviewer in "Listen mode". Therefore this one is used differently from
> > the vncserver connections and therefore is usually configured differently to
> > the vncserver. Adding this port to your "General vncserver port config
> > list" will really create confusion...
> >
> >
> > > VNC runs as a service and I've mapped an ip address to the server, which I
> > > guess is called "putting the server in the DMZ" in networking language. And
> > > while all ports are open it works fine. But that's not very safe, is it?
> > >
> > > Marcus
> > > _______________________________________________
> > > VNC-List mailing list
> > > VNC-List "at" realvnc.com
> > > To remove yourself from the list visit:
> > > http://www.realvnc.com/mailman/listinfo/vnc-list
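The port arithmetic and the "allowed but not forwarded" point made in this thread, as an added example that is not part of the original list discussion: it derives the TCP ports for a given display number (5900+n for the viewer, 5800+n for the Java applet, 5500+n for reverse connections) and checks a small rule set against them, assuming a hypothetical `Rule` model where "allow" means the firewall accepts the packet and "forward" means it is port-forwarded (NAT/PAT) to the internal host.

```python
# Added example: which TCP ports does a VNC setup need, and does the
# firewall rule set actually deliver them to the server?
from dataclasses import dataclass
from typing import List, Optional

# Base ports for display :0; display :n adds n to each (as in the thread).
VNC_BASE = {"viewer": 5900, "java_applet": 5800, "reverse": 5500}


def vnc_ports(display: int, browser_access: bool = False,
              reverse_connect: bool = False) -> dict:
    """Ports used by display :display. 'vncviewer host' with no :n is :0."""
    ports = {"viewer": VNC_BASE["viewer"] + display}
    if browser_access:
        ports["java_applet"] = VNC_BASE["java_applet"] + display
    if reverse_connect:
        # 5500+n is listened on by a viewer in "Listen mode", not by the
        # server, so it is an outbound connection from the server's side.
        ports["reverse"] = VNC_BASE["reverse"] + display
    return ports


@dataclass
class Rule:                      # hypothetical firewall rule model
    port: int
    action: str                  # "allow" or "forward"
    target: Optional[str] = None  # internal host for "forward" rules


def check_firewall(rules: List[Rule], display: int = 0,
                   browser_access: bool = False, nat: bool = True) -> List[str]:
    """Return a list of problems; empty list means the rules fit the setup."""
    needed = vnc_ports(display, browser_access)
    by_port = {r.port: r for r in rules}
    problems = []
    for role, port in needed.items():
        rule = by_port.get(port)
        if rule is None:
            problems.append(f"{role}: TCP {port} missing (display :{display})")
        elif nat and rule.action != "forward":
            # Behind NAT/PAT an "allow" with no forward reaches no host.
            problems.append(f"{role}: TCP {port} allowed but not forwarded")
    return problems


if __name__ == "__main__":
    # Constructed rule sets: the :1 ports from the thread vs. a :0 forward.
    print(check_firewall([Rule(5801, "allow"), Rule(5901, "allow"), Rule(5501, "allow")]))
    print(check_firewall([Rule(5900, "forward", "192.0.2.10")]))
```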