
Re: filter problem


Craig Johnson

May 28, 2009, 2:05:11 PM
In article <jpeteet...@no-mx.forums.novell.com>, Jpeteet wrote:
> I've tried a filter like this:
> Source: Private
> Destination: Public
> Packet Type: VNC_1
> Protocol: TCP
> Src ports: 1024-65535
> Dest Ports: 9140-9143
> Stateful Filtering: Enabled
>
> Src Addr: Host
> 10.69.174.xx
> Dest Addr: Any
>
>
> For some reason this does not work.

Try setting the source ports to ALL. I have not found stateful filters
to work when setting a range of ports on both source and destination.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


Craig Johnson

May 28, 2009, 8:25:53 PM
It is actually simple, so you must be missing something somewhere.

If you use a pair of filter exceptions, one for outbound, one for
inbound, then neither should be stateful. I usually set up the reply
filter exception with ack bit enabled though, for slightly improved
security.

I am a bit unclear if you were setting up the outbound exception
calling out specific hosts, or a network address that encompasses those
hosts.

Craig Johnson

May 29, 2009, 12:28:37 PM
Personally, I would have done it this way:

VNC Cust1:
tcp
source: 1024-65535
dest: 9040
stateful/ack: none

VNC Cust1 resp
tcp
source: 9040
dest: 1024-65535
ack: enabled

Then I would have used VNC cust1 from private to public, adding either
source or destination IP addresses if I wanted to tie the traffic to
specific hosts.

Next I would use VNC Cust1 resp from public to private, usually not
tying to specific hosts (since the outbound was already doing that).

For inbound, I would add another pair, but in the reverse direction for
public/private and the IP addresses.

What you did should have worked though. I would carefully use filter
debug or pktscan to track down the problem traffic getting filtered to
see what is wrong. Offhand I'd say there must be another port involved.
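The pair of non-stateful exceptions described in the post above, modelled as a small stateless packet filter. This is an added example, not BorderManager configuration and not code from the thread: BorderManager's FILTCFG syntax is not reproduced, only the matching logic it implies. The rule names, the interfaces, port 9040 and the 1024-65535 ephemeral range are taken from the post; the Packet and Rule classes, the sample packets and the ack handling are this example's own construction. It shows why the reply exception with the ACK bit required lets the SYN/ACK back in but drops an unsolicited SYN arriving with source port 9040, and why VNC traffic on a different port (the "another port involved" case) is dropped by the outbound exception.

```python
# Added example (not from the original thread): a stateless packet filter that
# applies the pair of filter exceptions from the post. Class names and sample
# packets are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    src_if: str        # interface the packet arrives on: "private" or "public"
    dst_if: str        # interface it would leave on
    proto: str
    src_port: int
    dst_port: int
    ack: bool          # TCP ACK bit set?


@dataclass(frozen=True)
class Rule:
    name: str
    src_if: str
    dst_if: str
    proto: str
    src_ports: PortRange
    dst_ports: PortRange
    require_ack: bool = False   # "ack: enabled" in the post

    def matches(self, p: Packet) -> bool:
        # Every field must match; if require_ack is set, the packet must carry ACK.
        return (p.src_if == self.src_if and p.dst_if == self.dst_if
                and p.proto == self.proto
                and self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]
                and (p.ack or not self.require_ack))


# The two exceptions from the post, used as a pair; neither is stateful.
VNC_CUST1 = Rule("VNC Cust1", "private", "public", "tcp",
                 (1024, 65535), (9040, 9040))
VNC_CUST1_RESP = Rule("VNC Cust1 resp", "public", "private", "tcp",
                      (9040, 9040), (1024, 65535), require_ack=True)
RULES: Sequence[Rule] = (VNC_CUST1, VNC_CUST1_RESP)


def first_match(p: Packet, rules: Sequence[Rule] = RULES) -> Optional[str]:
    """Name of the first exception that passes p, or None if it is dropped."""
    for r in rules:
        if r.matches(p):
            return r.name
    return None


# Constructed sample traffic (hypothetical ephemeral port 43210).
OUTBOUND_SYN = Packet("private", "public", "tcp", 43210, 9040, ack=False)
REPLY_SYNACK = Packet("public", "private", "tcp", 9040, 43210, ack=True)
# An unsolicited connection attempt from outside using 9040 as its source
# port: the reply exception refuses it because ACK is not set.
INBOUND_SYN_FROM_9040 = Packet("public", "private", "tcp", 9040, 43210, ack=False)
# VNC that actually uses a different port than the exception was written for.
OUTBOUND_OTHER_PORT = Packet("private", "public", "tcp", 43210, 9140, ack=False)


def demo() -> dict:
    return {
        "outbound SYN to 9040": first_match(OUTBOUND_SYN),
        "SYN/ACK reply from 9040": first_match(REPLY_SYNACK),
        "inbound SYN from 9040": first_match(INBOUND_SYN_FROM_9040),
        "outbound SYN to 9140": first_match(OUTBOUND_OTHER_PORT),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict or 'dropped'}")
```

Run it to see the verdicts: the outbound SYN passes on VNC Cust1, the SYN/ACK passes on VNC Cust1 resp, and both the unsolicited inbound SYN and the request to 9140 are dropped. With require_ack left False on the reply exception, the inbound SYN from source port 9040 would be let through, which is the weakness the ack bit setting closes.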
