UltraVNC ruleset confusion

Discussion in 'LnS English Forum' started by m8tobe, Jul 29, 2006.

Thread Status:
Not open for further replies.
  1. m8tobe

    m8tobe Registered Member

    Joined:
    Jul 29, 2006
    Posts:
    5
    Hi,

    I am hoping someone can tell me how to configure UltraVNC and Looknstop. I am currently trying Phantom's ruleset v6.

    I noticed that there is a RulesImportDefault.rie in the Looknstop folder. When you open that file, you will see:


    I can change the 55555 to 5900 port, and try and import this ruleset. But I also noticed an alternative method. This is where I am confused.

    In the Application Filtering Tab, if you locate UltraVNC server's executable, then click on Edit, it looks like you can allow a port or a range there. Isn't that a lot easier than importing a rule and worrying about the level at which it should be put? Please help and suggest which is better....

    Another question I have is that I downloaded a vncserver.rie from LooknStop website. However some entries there were different to the Rule5 found in "RulesImportDefault.rie". I thought both the rules had to be similar as they were both meant for applications like VNC, but they had different numbers in them:

    For example in Rule5 of "RulesImportDefault.rie":
    IPAdd_PC_Criteria=7
    IPAdd_PC_Bas0=213
    IPAdd_PC_Bas1=56
    IPAdd_PC_Bas2=238
    IPAdd_PC_Bas3=46


    In the vncserver.rie:
    IPAdd_PC_Criteria=0
    IPAdd_PC_Bas0=0
    IPAdd_PC_Bas1=0
    IPAdd_PC_Bas2=0
    IPAdd_PC_Bas3=0

    Hope somebody will be kind enough to answer my questions and say which is the best way to configure it. Many thanks in advance.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    when u edit the rule for the VNC executable, u are defining which ports and ip addresses it may communicate with.

    and by importing the rule, u are telling looknstop to actually open that port. u need to import the rule or else looknstop will just block the port needed by VNC.
     
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
  4. m8tobe

    m8tobe Registered Member

    Joined:
    Jul 29, 2006
    Posts:
    5
    Thank you WSFuser and Climenole. I will try and test this.

    When you import the rule, does it have to be in any order? I use Phantom's v6 ruleset; does it have to be the first on the list when you look in the Internet Filtering Tab, or last?

    Oh, I just noticed that Phantom's ruleset has an entry that says 'Remote Desktop'. Perhaps I can just edit that and modify the 'Source' and 'Destination' fields. Anybody done this? :)
     
  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi m8tobe :)

    In any firewall rule set in the Universe, the order of rules is important.
    When the firewall watches a packet, it looks from the first rule in the list until it finds a rule matching all criteria. In other words: each rule is a logical universal proposition (IF ALL criteria are true THEN apply the rule) linked with logical exclusive OR (XOR)... So ONE and ONLY ONE rule is applied: the first one matching all criteria for the examined packet... (A final rule to block everything is, for this reason, mandatory for the consistency of the rule set.)

    Now we're talking about a program which can be used as a "client program" OR as a "server program".

    A "client" is the part of an internet connection which initiates the connection, such as a browser for example. A "server" is the part to which this connection is made, such as a web server. The server is said to be in a state of "listening" for incoming connections initiated from another machine...

    To initiate such a connection, the "client" sends a TCP packet with the SYN flag to the listening port of a server. So what's the relation of this with the rules?

    In any rule set there is a rule used to block incoming TCP packets with the SYN flag. A personal computer is, normally, a client and not a server, except in some situations, and all TCP + SYN flag packets must be blocked (actually: dropped, or blocked with no feedback to the sender, to keep the system stealth).

    So the rule blocking incoming TCP packets + the SYN flag is the central rule of all rules:

    All client programs MUST be placed after this rule. All server programs MUST be placed before this rule (and after the illegal / abnormal packets blocking rules placed at the beginning of the list...).

    To use UltraVNC as client (you initiate the connection to the other PC) you must place the corresponding rules after the Block TCP + SYN Flag rule.

    To use UltraVNC as server (the other PC initiates the connection to a port on your PC which is in a state of "listening") you must place that rule immediately before the Block TCP + SYN Flag rule.

    To create a rule for UltraVNC as a client program you may:

    1- include UltraVNC in the applications filter
    2- create a temporary rule just after the "central rule": TCP/UDP with no restrictions of ports/addresses
    3- include UltraVNC in this TEST rule
    4- enable the logging
    5- Use the software to get a sample of the behaviour of the tested software in the log
    6- Check the log to find which ports are used and create the rule based on this information
    (the option "enable raw log" allows you to import the raw log into a spreadsheet like MS Excel or OO Calc,
    keep only the entries for the Test rule, sort the data and have a simpler way to check this information...)


    If you understand French you will find more information in the 6 articles about LNS in my blog. (Link in my signature.)

    :)

    P.S. The rule for "Remote Desktop" in Phant0m's rules is for remote assistance with Messenger... ("server" side).
     
    Last edited: Jul 31, 2006
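
The rule-ordering point from the post above, as an added example that is not part of the original thread and is not Look 'n' Stop's own code: a minimal first-match evaluator showing why a server rule must sit before the Block TCP + SYN rule while a client rule can sit after it. The rule names and the `Packet`/`Rule` classes are assumptions made for illustration, and only a single packet is evaluated at a time (no connection state).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp" or "udp"
    dst_port: int
    syn: bool = False       # SYN set: a new connection attempt

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # None means "any"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    syn: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        # A rule applies only if ALL of its criteria match the packet.
        return all(want is None or want == got for want, got in (
            (self.direction, p.direction), (self.proto, p.proto),
            (self.dst_port, p.dst_port), (self.syn, p.syn)))

def evaluate(rules, packet):
    """First match wins: return (action, rule name) of the first matching rule."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "block", "(implicit default)"

def shadowed(rules, packet, wanted):
    """Name of the earlier rule that decides `packet` before `wanted`, or None."""
    _, winner = evaluate(rules, packet)
    return None if winner == wanted.name else winner

# Constructed rule names; 5900 is the VNC port mentioned in the thread.
BLOCK_SYN = Rule("Block TCP + SYN", "block", "in", "tcp", syn=True)
VNC_SERVER = Rule("UltraVNC server", "allow", "in", "tcp", 5900)
VNC_CLIENT = Rule("UltraVNC client", "allow", "out", "tcp", 5900)
BLOCK_ALL = Rule("Block everything", "block")

server_before = [VNC_SERVER, BLOCK_SYN, VNC_CLIENT, BLOCK_ALL]
server_after = [BLOCK_SYN, VNC_SERVER, VNC_CLIENT, BLOCK_ALL]
incoming_vnc = Packet("in", "tcp", 5900, syn=True)   # remote PC connects to us
outgoing_vnc = Packet("out", "tcp", 5900, syn=True)  # we connect to a remote PC

if __name__ == "__main__":
    for label, rs in (("server rule before", server_before), ("server rule after", server_after)):
        print(label, "->", evaluate(rs, incoming_vnc), "| client:", evaluate(rs, outgoing_vnc))
```

With the server rule placed after the central rule, `shadowed()` reports that "Block TCP + SYN" decides the incoming connection first, so the allow rule is never reached.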
  6. m8tobe

    m8tobe Registered Member

    Joined:
    Jul 29, 2006
    Posts:
    5
    That's a brilliant piece of explanation, Climenole! Many thanks for taking the time to write. I followed your advice and have now configured the ruleset and tested it to be working fine! :)
     
  7. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi m8tobe :)

    So everything works well! Great!

    You do it as a PRO, m8tobe. :thumb:

    :)
     