Using Network Control Rules only ...

… how do I allow only port 5900 (VNC) traffic?

Rule #5 is Allow Port 5900 to Port 5900 Any IP to Any IP
Rule #10 Block All From Any to Any

From the Help System:

Comodo Firewall applies rules on a per packet basis and applies the first rule that matches that packet type to be filtered. If there are a number of rules in the list relating to a packet type, the one nearer the top of the list will be applied.

If I read that correctly, you are running a first-match-wins schema. This leads me to believe that VNC (port 5900) should work. Apparently, I am wrong.

Here is the log from an attempted connection.

Log Scope: Today

Date/Time :2006-09-15 07:37:06
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.0.0.76, Port = 5900)
Protocol: TCP Incoming
Source: 10.0.0.52:3272 
Destination: 10.0.0.76:5900 
TCP Flags: SYN 
Reason: Network Control Rule ID = 10
In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

Date/Time :2006-09-15 07:37:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.0.0.76, Port = 5900)
Protocol: TCP Incoming
Source: 10.0.0.52:3272 
Destination: 10.0.0.76:5900 
TCP Flags: SYN 
Reason: Network Control Rule ID = 10
In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

Date/Time :2006-09-15 07:36:56
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.0.0.76, Port = 5900)
Protocol: TCP Incoming
Source: 10.0.0.52:3272 
Destination: 10.0.0.76:5900 
TCP Flags: SYN 
Reason: Network Control Rule ID = 10
In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

End of The Report

I have structured the VNC server to use only port 5900. What must I set up in the Network rules to allow VNC to work?

I would imagine your rule would look like this (see screenshot below):-

I get confused whether the source or destination port applies to your own computer so if it doesn’t work this way, just add as destination instead.

:slight_smile:

[attachment deleted by admin]

In typical packet filtering firewalls, for tight security both the source and destination ports would be listed. I can do as you suggest, but this doesn’t really accomplish my objective. Also, using a normal packet filtering firewall, such as OpenBSD’s pf, using a rule such as my rule 5 above would work. Is there any reason you can see that this rule would not work?

You should only need to define the service (i.e. port 5900 on your computer) as the connecting computer’s port would be dynamically allocated (i.e. 1024 and above). Setting port 5900 for both the source and destination would never be actioned.

:slight_smile:
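As an added illustration of the last two replies (this is my own example, not Comodo's code and not something any poster in the thread wrote): a small Python model of the first-match-wins walk the help text describes, fed the SYN packet from the posted log. The Rule/Packet layout, the convention that a field left as None means "any", and the log-parsing regex are my assumptions; the log entry is reconstructed from the first one posted above. Run with the rule exactly as posted (source port 5900 and destination port 5900), the client's ephemeral source port 3272 fails the source-port test, so the packet falls through to rule 10; with the source port left open it is accepted by rule 5.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed from the first log entry posted in the thread.
SAMPLE_LOG = """\
Date/Time :2006-09-15 07:37:06
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.0.0.76, Port = 5900)
Protocol: TCP Incoming
Source: 10.0.0.52:3272
Destination: 10.0.0.76:5900
TCP Flags: SYN
Reason: Network Control Rule ID = 10
"""


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One Network Control Rule (hypothetical model). A field of None means 'any'."""
    rule_id: int
    action: str                   # "allow" or "block"
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field that is pinned in the rule must equal the packet's value.
        wanted = (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)
        got = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return all(w is None or w == g for w, g in zip(wanted, got))


def first_match(rules: Sequence[Rule], pkt: Packet) -> Rule:
    """Help-text semantics: walk the list top to bottom; the first rule that matches decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise LookupError("no rule matched; a rule list should end with a catch-all block rule")


# Pulls protocol, source and destination endpoints out of one log entry (assumed layout).
_LOG_RE = re.compile(
    r"Protocol:\s*(?P<proto>\w+)\s+Incoming\s+"
    r"Source:\s*(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+"
    r"Destination:\s*(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)


def packet_from_log(entry: str) -> Packet:
    m = _LOG_RE.search(entry)
    if m is None:
        raise ValueError("unrecognised log entry")
    return Packet(m["proto"].lower(), m["src_ip"], int(m["src_port"]),
                  m["dst_ip"], int(m["dst_port"]))


# Rule 5 exactly as posted: "Allow Port 5900 to Port 5900 Any IP to Any IP".
POSTED_RULES = [
    Rule(5, "allow", proto="tcp", src_port=5900, dst_port=5900),
    Rule(10, "block"),
]

# Only the service port on the VNC host is pinned; the client's source port is ephemeral.
FIXED_RULES = [
    Rule(5, "allow", proto="tcp", dst_port=5900),
    Rule(10, "block"),
]


def decide(rules: Sequence[Rule], entry: str) -> Tuple[int, str]:
    """Return (rule id, action) that the first-match walk applies to the logged packet."""
    rule = first_match(rules, packet_from_log(entry))
    return rule.rule_id, rule.action


if __name__ == "__main__":
    print("as posted :", decide(POSTED_RULES, SAMPLE_LOG))   # (10, 'block')
    print("corrected :", decide(FIXED_RULES, SAMPLE_LOG))    # (5, 'allow')
```

The only packet the posted rule 5 would ever accept is one whose source port also happens to be 5900, which a normal VNC client never sends. The pf rule the original poster has in mind behaves the same way and also pins only the service side, e.g. `pass in proto tcp from any to any port 5900`.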