
IPO Firewall allow RDP (TCP 3389) to inside machine... 1

Status
Not open for further replies.

kristiandg

Programmer
Sep 27, 2002
818
US
Good afternoon all...

The one thing that has always confused me is the IPO's firewall. My brain doesn't work in HEX. I'm trying to set it up so when someone hits the IPO's public IP with Windows Remote Desktop, which uses TCP Port 3389, it forwards to the internal computer at 192.168.0.200. I have never been able to get this working and could use some assistance. I've determined the HEX for "3389" is "0D3D" but the mask, match offset, and match length confuse me.

Can someone show me how to set this up, which will hopefully explain how this works....

Thanks...

Kris G.
 
Just to confirm: you are using the IPO as a router with a public IP on one of the interfaces, LAN 1 or LAN 2, and much like with any other non-IPO router you want to be able to perform port forwarding to different internal IP addresses, e.g. port 25 to the mail server, 80 to the web server. The IPO does not support port NAT redirection. Basically you need to configure Primary Trans. IP Address, which means that any un-initiated session will be forwarded to this device; you can only specify one.
--
Primary Trans. IP Address: Default = 0.0.0.0 (Disabled)
This setting is only available on Small Office Edition, IP412 and IP500 systems. Any incoming IP packets without a service or session are translated to this address if set.


 
Yes, that is the setup and that's what I'm looking to do. Don't I still need to put a hole in the firewall to allow those packets?
 
Yeah, I did that and now we can't call the site because those packets are being redirected as well. Same with the config, I can't pull it. :(

Kris
 
What box are you using? Are you using LAN2? If so, simply do not select a firewall profile and test. If you are using LAN 1 you do not have the option of a firewall, so it should be fully open.

Give me more details of your setup please.

 
I tried to set the IPO as a router and I could not get it to work.
Can you give me more info about how you did it?
Then I can try; I hate it when I can't get things done :)


ACA - Implement IP Office
ACA - Voice Services Management
______________
Women and cats can do as they please and men and dogs should relax and get used to the idea!
 
No no, it's an SOE and has dual LAN. I'm applying this to LAN 2 with no firewall profile (just NAT)....

Kris G.
 
Kristiandg, you need to sniff the network and decode the packets used by Remote Desktop.
With the info below you should be able to create a firewall profile for it.
Good luck! (You will need it ;)

IP Protocol : The value entered here corresponds to the IP Protocol which is to be processed by this Firewall profile :- 1 for ICMP, 6 for TCP, 17 for UDP or 47 for GRE.

Match Offset : The offset into the packet (0 = first byte of IP packet) where checking commences for either a specific port number, a range of port numbers, or data.

Match Length : The number of bytes to check in the packet, from the Match Offset point, that are checked against the Match Data and Match Mask settings.

Notes : This field is to remind you what this entry is for. You must enter something in this field or the system will not allow you to save this filter.

Match Data : The values the data must equal once masked with the Match Mask.

Match Mask : This is the byte pattern which will be logically ANDed with the data in the packet from the offset point. The result of this process is then compared against the contents of the "Match Data" field.

Direction - Drop/In/Out/Bothway : The direction that data may take if matching this filter, see individual explanations below.
o Drop - no packets matching this may pass.
o In - allow new sessions into the private network.
o Out - allow sessions out to the Internet.
o Bothway - do both "In" and "Out".
In the example below the Match Mask is FFFF; this provides a single unique match.

IP Protocol = 17,
Match Offset = 20,
Match Length = 2,
Direction = Drop,
Match Data = 0088,
Match Mask = FFFF,
Notes = Drop NetBIOS.

Data -> 0087 -> 0000,0000,1000,0111
Mask -> FFFF -> 1111,1111,1111,1111
ANDed Result = 0000,0000,1000,0111 -> 0087
Match Data = 0088 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 0088 -> 0000,0000,1000,1000
Mask -> FFFF -> 1111,1111,1111,1111
ANDed Result = 0000,0000,1000,1000 -> 0088
Match Data = 0088 -> Match data and ANDed Result are the same, therefore we drop packet.

Data -> 0089 -> 0000,0000,1000,1001
Mask -> FFFF -> 1111,1111,1111,1111
ANDed Result = 0000,0000,1000,1001 -> 0089
Match Data = 0088 -> Match data and ANDed Result are different, therefore we pass packet.

Therefore from the above any UDP packet with bytes 21 & 22 of the packet set to "0088" ONLY will be dropped, all other packets will be passed.

To extend this to cover a range of matches you can set the mask to be non-specific, for example "FFFC". Here is an example similar to that above except that the Match Mask is "FFFC" and Match Data is "0084".

IP Protocol = 17,
Match Offset = 20,
Match Length = 2,
Direction = Drop,
Match Data = 0084,
Match Mask = FFFC,
Notes = Drop range of ports.

Data -> 0080 -> 0000,0000,1000,0000
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0011 -> 0083
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 0081 -> 0000,0000,1000,0001
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0010 -> 0082
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 0082 -> 0000,0000,1000,0010
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0001 -> 0081
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 0083 -> 0000,0000,1000,0011
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0000 -> 0080
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 0084 -> 0000,0000,1000,0100
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.

Data -> 0085 -> 0000,0000,1000,0101
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.

Data -> 0086 -> 0000,0000,1000,0110
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.

Data -> 0087 -> 0000,0000,1000,0111
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.

Data -> 0088 -> 0000,0000,1000,1000
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1011 -> 008B
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 0089 -> 0000,0000,1000,1001
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1010 -> 008A
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 008A -> 0000,0000,1000,1010
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1001 -> 0089
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 008B -> 0000,0000,1000,1011
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1000 -> 0088
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 008C -> 0000,0000,1000,1100
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 008D -> 0000,0000,1000,1101
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 008E -> 0000,0000,1000,1110
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

Data -> 008F -> 0000,0000,1000,1111
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.

From the above calculations you can see that this new filter results in packets with bytes 21 & 22 set to 0084, 0085, 0086 & 0087 being dropped.

NOTE :- Please also note that if the Match Data had been set to 008C this would result in packets with bytes 21 & 22 set to 008C, 008D, 008E & 008F being dropped!


NIHIL NOVI SUB SOLE
 
This gives the following firewall settings in IPO:

Protocol = 17 (TCP)
Match offset = 34
Match length = 2
Direction = Allow
Match data = 0d3d ( = 3389 decimal )
Mask = FFFF ( only this port )
Notes = Allow RDP

That should do the job.

NIHIL NOVI SUB SOLE
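An added example, not from the thread, that models the mask-and-compare rule explained above and the final RDP settings in a few lines of Python. It assumes a 20-byte IP header (so the TCP destination port sits at offset 22, the source port at 20) and uses protocol 6, the TCP value from the field description quoted earlier; the packets it inspects are constructed inline.

```python
# Added example, not from the thread: a small model of the IP Office
# firewall rule described above. A rule is (protocol, offset, length,
# data, mask) and a packet matches when
#     packet[offset : offset+length] AND mask == data
# with offset 0 being the first byte of the IP header. Packets below are
# constructed by hand, so this runs without a capture.
import struct

def build_ipv4(proto, src_port, dst_port, payload=b""):
    """Minimal IPv4 packet: 20-byte header (no options, checksum left 0)
    followed by the 4 port bytes that TCP and UDP both start with."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 24 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 168, 0, 200]))
    return hdr + struct.pack("!HH", src_port, dst_port) + payload

def matches(pkt, proto, offset, length, data, mask):
    """True when the rule's mask-and-compare succeeds on this packet."""
    if pkt[9] != proto:                 # IP protocol number lives at byte 9
        return False
    field = pkt[offset:offset + length]
    if len(field) != length:            # too short to inspect: no match
        return False
    anded = bytes(b & m for b, m in zip(field, mask))
    return anded == data

def ports_selected(data, mask):
    """All 16-bit values a 2-byte data/mask pair matches, i.e. the port
    range a rule really covers. Mask FFFF selects exactly one port."""
    d = int.from_bytes(data, "big")
    m = int.from_bytes(mask, "big")
    return [p for p in range(0x10000) if (p & m) == d]

# Rule for the thread's goal (assumed layout): RDP is TCP (protocol 6), and
# with a 20-byte IP header the TCP destination port is at offset 22.
RDP_RULE = dict(proto=6, offset=22, length=2, data=b"\x0d\x3d", mask=b"\xff\xff")

def rdp_rule_results():
    """Evaluate RDP_RULE against TCP/3389, TCP/3390 and UDP/3389 packets."""
    return [matches(build_ipv4(6, 50000, 3389), **RDP_RULE),
            matches(build_ipv4(6, 50000, 3390), **RDP_RULE),
            matches(build_ipv4(17, 50000, 3389), **RDP_RULE)]

if __name__ == "__main__":
    print("FFFC/0084 selects", [hex(p) for p in ports_selected(b"\x00\x84", b"\xff\xfc")])
    print("FFFC/008C selects", [hex(p) for p in ports_selected(b"\x00\x8c", b"\xff\xfc")])
    print("RDP rule on TCP/3389, TCP/3390, UDP/3389:", rdp_rule_results())
```

Running `ports_selected` on a proposed data/mask pair before deploying a rule shows exactly which ports a non-FFFF mask opens or drops.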
 
LOL, thx guys. intrigrant, that should be a FAQ......

Bam!!!!!!! (star)..

Thx..

Kris


 
Looks like a more permanent fix for this may be coming... :)

kris g.
 