Solved RDP connection

Hello

I am trying to set up a network environment with the following purpose:
- Users in the private network can access the internet.
- Users can remote control a specific PC in the private network from the internet through MS Remote Desktop.
- No problem accessing the internet from the LAN, but the RDP port is closed

Could you say to me what's wrong?

Thanks in advance,

Bruno

pf.conf:
Code:
## internal and external interfaces
int_if = "bge0"
ext_if = "xl0"

# Ports we want to allow access to from the outside world on our local system (ext_if)
tcp_services = "{ 3389, 80, 443 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"

### options
set block-policy drop
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

# redirect FTP traffic to FTP proxy on localhost:8021
# requires ftp-proxy to be enabled in /etc/inetd.conf
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 3389 -> 192.168.1.233 port 3389

### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in FTP control port
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass quick on $ext_if proto tcp from any to 192.168.1.233 port 3389 keep state
 
Hi,

First of all, I'd like to ask you to use tags for code to make it easier to read.
Second, could you please explain a little bit further, what is the exact problem? The users from the internet, are unable to connect to the RDP Server? What is exactly the problem?
And one note, the 127.0.0.0/8 network is public, I guess what you mean is the 172.16.0.0/12 network.
 
Thanks for replying to me so quickly, I will use tags tomorrow because I have no access to my firewall this evening.

The problem is simple: the 3389 port is closed from the internet (http://ping.eu/port-chk/ my public IP is 109.7.63.89), so it is impossible to connect to the RDP server (192.168.1.233) from the internet.

My private LAN is 192.168.1.0/24

I am a bit of a newbie with PF, I copied my pf.conf from a website.
 
Hi, sorry, for the late answer.
So in order to reach a host on a local private network from the internet, you have to forward the port from outside to an inside IP address. This means you have to configure port forwarding on the device which accomplishes NAT. If it's a modem, on that; if it's the FreeBSD, then you have to configure that. I've seen there is a line which refers to NAT on FreeBSD, however I think that accomplishing NAT needs more configuration. Please refer to the Handbook on how one can achieve NAT with pf.
You need to configure this on both TCP and UDP, and of course, you have to open those ports on the firewalls between the internet and the host.
To connect to your inside RDP host, you have to initiate the connection to your public IP Address, then the modem/firewall will forward the request to your inside host.
 
I strongly recommend not opening RDP to the internet. The bad guys will find it quite quickly and hammer it into submission.
 
Hello,

Thanks a lot for your pieces of advice.

Here is my working pf.conf (see below).

SirDice, what I plan to do is to activate the rdr rule only when I have to connect to my RDP server. So I just have to un-comment the rdr rule and execute /etc/rc.d/pf reload
I also changed the RDP port.

What do you think about my conf file?

thanks in advance,

Bruno
Code:
# = PF.CONF ==================================

ext="xl0"
int="bge0"

# LAN hosts
pcadm = "192.168.1.233"

# rdp port to use from Internet
rdp_pcadm = "4450"

set skip on lo
scrub in all

# NAT rule for int
nat on $ext from $int:network to any -> $ext

# rdr rule: un-comment to expose the RDP server on the non-standard port $rdp_pcadm
# ("rdp" is not a service name in /etc/services; the inside port stays 3389)
#rdr pass on $ext proto tcp to port $rdp_pcadm -> $pcadm port 3389

# antispoofing on ext
antispoof for $ext

# no filtering on int
pass quick on $int

# filtering rules
# block everything from out
block in on $ext

# accept icmp from outside
pass in on $ext inet proto icmp from any to any icmp-type { echorep, echoreq, timex, unreach }

# accept ssh from outside
pass in on $ext inet proto tcp from any to any port ssh flags S/SA keep state

# accept out traffic (NATed LAN will use these rules)
pass out on $ext inet proto tcp all flags S/SA keep state
pass out on $ext inet proto { udp, icmp } all keep state
 
If it's just for you, why not use SSH tunneling to tunnel RDP? That's a lot safer option and doesn't require modifying the firewall.
 
Because I don't know how to proceed lol.
Do I just have to open the SSH port on the firewall? Is there anything to configure on the client (OS X) & server (2k3 srv)?
Best regards,
Bruno
 
Yes, that's the idea. The only thing you'd need is an account on the FreeBSD firewall but I assume you already have that.
 
Hi,

The solution works fine.

On my OS X, I just have to type this command in a terminal:

ssh -L 33389:[local_machine_IP]:3389 -l root [firewall_public_IP]

And connect to the host: localhost:33389 with an RDP client.

So I can finally close the rdp port.

Thanks a lot for your suggestion SirDice

Best regards,
Bruno
 
Threads are only closed when they derail. The thread is marked as "Solved", which is enough to indicate the issue has been resolved while still allowing someone to respond, in case the answer isn't clear.
 