Topic: RDP connection blocked by Firewall unless all ports opened?!
« on: March 28, 2012, 22:22:48 »
Acorp *
Posts: 3

Monowall: 1.8.0b499 built on Tue Feb 21 17:55:04 CET 2012 (Generic PC)
Problem: RDP not working
Situation: At a local hotspot, want to RDP into computer on LAN at home
Firewall Rules in Place: WAN TCP Any IP Port 3389 -> 192.168.1.88:3389
NAT: WAN TCP 3389 -> 192.168.1.88:3389
Result: Blocked by Monowall firewall so Failure/Unable to connect to RDP

Extensive testing shows the remote RDP request (from the hotspot) coming in on random upper ports (60386, 60389, 63157, 63159, etc.) instead of on 3389. I have never seen that prior to installing Monowall. Always in the past (with other routers) incoming RDP connections have come in on port 3389, so you just forward WAN:3389 -> LAN:3389. I don't understand how this would have changed with Monowall though, since these are incoming connections. Monowall doesn't manipulate the port of an incoming request, does it...can it?!

Examples from the Monowall log:
Interface   Source                       Destination                Proto
---------   ---------------------------  -------------------------  -----
WAN         66.17.107.251, port 63086    192.168.1.88, port 3389    TCP
WAN         66.17.107.251, port 63089    192.168.1.88, port 3389    TCP

If I change my Firewall rule to allow ANY SOURCE PORT (since I don't know which port the incoming request will come in on), then I can RDP in just fine. The problem is I subscribe to the "less exposure is better" train of thought, so I'd rather not expose EVERYTHING on my RDP computer to the internet.

I admit I am new to Monowall...am I missing something simple here, is this a function of the Beta software version I am running, was there a change in the Microsoft RDP software, or is it something else entirely?

Any thoughts?

TIA,

- Acorp
« Reply #1 on: March 29, 2012, 00:34:11 »
Fred Grayson *****
Posts: 994

From what you have written, you seem to be confusing a port forwarding NAT specification with its required and related firewall rule.

Inbound NAT will not work without a correctly formulated corresponding rule.

Specifying a source port other than "any" in a firewall rule is almost always a mistake. As you have noticed, source ports are almost always randomly selected, making them impossible to predict.


--
Google is your friend and Bob's your uncle.
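The point of the reply above, as an added example that is not part of the original thread or of m0nowall's own code: a small model of an inbound port forward followed by a first-match rule set, evaluated against the two log lines quoted in the question and against two constructed probes. It assumes (as the log's translated destination suggests) that the NAT entry rewrites the destination before the rules are evaluated, that rules are first-match with an implicit default deny, and it uses 203.0.113.10 as the firewall's WAN address and 198.51.100.7 as an attacker address, both made up for the example.

```python
"""Model of an m0nowall-style inbound port forward plus its firewall rule.

Added example, not m0nowall code. Assumed behaviour: the NAT entry rewrites
the destination before the rule set is evaluated, rules are first-match, and
anything no rule passes is dropped.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

ANY = None  # wildcard for a rule field
WAN_IP = "203.0.113.10"  # assumed public address of the m0nowall WAN interface


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    iface: Optional[str] = ANY
    proto: Optional[str] = ANY
    src: Optional[str] = ANY
    sport: Optional[int] = ANY
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        pairs = ((self.iface, p.iface), (self.proto, p.proto), (self.src, p.src),
                 (self.sport, p.sport), (self.dst, p.dst), (self.dport, p.dport))
        return all(want is ANY or want == have for want, have in pairs)


@dataclass(frozen=True)
class PortForward:
    """Inbound NAT: <iface> <proto> <ext_port> -> <int_addr>:<int_port>."""
    iface: str
    proto: str
    ext_port: int
    int_addr: str
    int_port: int

    def translate(self, p: Packet) -> Packet:
        if (p.iface, p.proto, p.dport) == (self.iface, self.proto, self.ext_port):
            return replace(p, dst=self.int_addr, dport=self.int_port)
        return p


# The thread's NAT entry: WAN TCP 3389 -> 192.168.1.88:3389
NAT = PortForward("WAN", "TCP", 3389, "192.168.1.88", 3389)

# The original (failing) rule: source port pinned to 3389.
RULES_SOURCE_PORT_3389 = [
    Rule("pass", iface="WAN", proto="TCP", sport=3389, dst="192.168.1.88", dport=3389),
]
# The corrected rule: source port "any"; destination is still one port on one host.
RULES_ANY_SOURCE_PORT = [
    Rule("pass", iface="WAN", proto="TCP", dst="192.168.1.88", dport=3389),
]


def filter_packet(p: Packet, nat: PortForward, rules: list) -> str:
    """Apply inbound NAT, then the first matching rule; default deny."""
    p = nat.translate(p)
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Lines copied from the post's firewall log (destination already translated).
LOG_LINES = [
    "WAN   66.17.107.251, port 63086   192.168.1.88, port 3389   TCP",
    "WAN   66.17.107.251, port 63089   192.168.1.88, port 3389   TCP",
]
_LOG_RE = re.compile(r"^(\w+)\s+([\d.]+), port (\d+)\s+([\d.]+), port (\d+)\s+(\w+)$")


def parse_log_line(line: str) -> Packet:
    m = _LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    iface, src, sport, dst, dport, proto = m.groups()
    return Packet(iface, proto, src, int(sport), dst, int(dport))


def from_internet(src: str, sport: int, dport: int, proto: str = "TCP") -> Packet:
    """A fresh packet arriving on WAN, addressed to the firewall's public IP."""
    return Packet("WAN", proto, src, sport, WAN_IP, dport)


def summarize() -> dict:
    """Decisions for the logged RDP attempts and two constructed probes."""
    cases = {f"rdp_from_log_{i}": parse_log_line(l) for i, l in enumerate(LOG_LINES)}
    cases["rdp_attacker_sport_3389"] = from_internet("198.51.100.7", 3389, 3389)
    cases["ssh_probe_port_22"] = from_internet("198.51.100.7", 3389, 22)
    return {
        name: {"sport_3389_rule": filter_packet(p, NAT, RULES_SOURCE_PORT_3389),
               "any_sport_rule": filter_packet(p, NAT, RULES_ANY_SOURCE_PORT)}
        for name, p in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in summarize().items():
        print(f"{name:28s} {verdicts}")
```

Running it shows the two logged connections blocked by the source-port-3389 rule and passed by the source-port-any rule, while a probe to port 22 on the same host is blocked under both, because nothing forwards or passes it. The last case shows why pinning the source port bought no protection in the first place: an attacker chooses their own source port, so a connection sent from port 3389 passes both rule sets.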
« Reply #2 on: March 29, 2012, 10:00:55 »
Acorp *
Posts: 3

Thanks for the quick response. I probably am confusing the two!

So, just to clarify, if I don't specify a source port on the firewall rule, I'm not exposing that LAN computer to nefarious script kiddies on the internet? As long as my corresponding NAT rule only forwards that one port?

- Acorp
« Reply #3 on: March 29, 2012, 15:53:37 »
Fred Grayson *****
Posts: 994

Yes, you now understand it.

Enjoy your m0nowall.


--
Google is your friend and Bob's your uncle.