VNC Server & CFW Settings

I am working with this firewall for the first time so please forgive my newbieness :slight_smile: Anyway, I have Real VNC server along with NO-IP DUC (to give me dns for the changing ip address of the cable connection) operating on this computer and I added the application to the list of programs that could be used, but I was not able to get my remote computer to log in until I did one thing… I changed a setting that I am not sure was the safest one to change. It was the network monitor setting

Block IP any to IP any where IPPROTO is any

and I changed it to

Allow IP any to IP any where IPPROTO is any

When I did this, the firewall allowed me in. Did I do the wrong thing? It still says I am protected but I was afraid I made a mistake, and it will allow too much access. Did I do the wrong thing? The VNCServer loads to a particular port but I am not sure what happened when I changed that setting.

Can anyone enlighten me and show me to correct way to go : -)


Within network monitor, create an inbound rule allowing access to ports 5800 (web browser) and/or 5900 (vnc client). This should allow you through network monitor. You will also need to create an application rule (within application monitor) allowing access. You can either do this manually (like you did with network monitor) or run vnc client and recieve a connection prompt which you can allow.


I did that and was not able to get logged in. Any more suggestions? I just dont want it to be left wide open for anyone to get access through the net. I had one hacker already playing around with my mouse last week before I installed this and I want to make sure my computer is secure. Thanks for any suggestion. By the way I set the port range from 5800-5999 just to be sure and it did not work when I set the original setting to block for the ipproto setting I mentioned before.

You should only need to specify ports 5800 and/or 5900 (unless you changed the default ports). Are you testing the connection from a remote location? If so, that may be your problem. It would be easier (if possible) to test the connection next to your computer (i.e. with a laptop, network cable, etc).


Well this is what I did. I physically got on that computer tweaking the settings and I called my wife at a remote computer miles away to test to see if she could get the VNC Client to login. It failed. Only when I set it to…

“Allow IP any to IP any where IPPROTO is ANY”

…would it allow her to login. Can anyone explain what this setting does and if it opens me up to too much?

This would be like lowering your first defense (allowing all traffic). Your next defense would be application monitor. When you allowed all traffic through network monitor, were you then prompted for an application rule? Do your logs show anything regarding the vnc client being blocked? RealVNC listens on ports 5800 and 5900 so I’m not sure why network monitor is passing through to application monitor. Hopefully someone else can offer some advice.


I have the same issue - seems to be a common one. What happens if I delete that rule? It seems to be the only way CFW allows RealVNC to connect - otherwise Network Monitor blocks nbdgram=138 and connection times out.

So if I delete that rule (#7) - what is my exposure?

[attachment deleted by admin]

issue seems to got resolved over the LAN; over the WAN still have difficulty connecting.

I added two ALLOW rules - both for Custom IP - one for prot138 and the other for prot137. Can connect over the LAN; however going over the WAN connection times out.

Since my set up is little different, my rule 7 isn’t the same as yours. So I’m a little confused about which rule you’re describing. I’ll ask that you post a screenshot of your rules.

What’s showing up in your logs (Activity → Logs), as that can give insight into what’s being blocked and why.