vnc to vino on f17 - docs on firewall changes?

[egi4fedora]

I spent several hours getting a VNC connection to vino on a fresh install of f17. I set Desktop Sharing Preferences on f17, but could not connect from tightVNC on Windows 7. My tightVNC on Windows 7 returned error: "A socket operaton was attempted to an unreachable host." I could ping from Window 7 to f17 successfully.

I finally figured out that I needed to allow port 5900 in Firewall Configuration on f17. This is unlike my experience installing tightVNC on Windows 7: the installer modified the firewall to allow connection.

My question is: was there a guide or FAQ that could have let me know that a manual modification to the firewall would be required in order to use vino?

If I can find a guide that will tell me that, I feel I may find answers to many other questions I have.

[droidhacker]

All incoming connections need to be granted permission to get through the firewall WITHOUT EXCEPTION.
If wondoze let this happen automatically, it either wasn't running a firewall AT ALL, or it indicates the most extreme of security vulnerabilities. If an application you WANTED to have listening could modify the firewall configuration to accept connections, then a malware you did NOT want to let listen could also do this.

The purpose of a firewall is to prevent outside connections into services that ARE listening, in the event that you don't really WANT those services to be listening. If all listening ports are 100% wanted by you, the firewall would serve no purpose.

Hence, wondoze firewall is completely worthless garbage.

[egi4fedora]

Thanks. I'm looking for a book, guide or tutorial that contains the design philosophy you describe. The closest I've found so far is "Fedora Essentials" from Techotopia. That has a section on Firestarter that may help me understand how to properly configure my firewalls. It looks like Firestater has a log that may have helped me see my failed connection.

Any other suggestions for books or guides where I could have picked up the philosophy that I should expect to hunt down port numbers and create firewall entries when I install programs that listen to for network traffic?

[Doug G]

You have to look in the application to find the tcp port number it uses. One place you could find the vnc port number is here: http://en.wikipedia.org/wiki/List_of...P_port_numbers , although I run VNC on a non-standard port so the list wouldn't help me.

The windows firewall is quite good, and installing tightvnc doesn't create any security holes. Windows firewall has a feature that I don't think is in linux, you can allow incoming connections by program file name regardless of port. This is what TightVNC configures with it's installer, it tells the windows firewall to allow connections to tvnserver.exe. I find this reature handy since I regularly use different vnc port numbers and I don't have to diddle with firewall port settings when I change my vnc server from port 5902 to 5911.

You may want to get a little familiar with nmap to help you identify open ports on a system. Also http://www.grc.com has an on-line scanner that will tell you what ports are open on the computer you use to visit their site. Plus there is a lot of generally useful information on that site.

When you have routers and external firewalls in your network you also need to understand port forwarding to allow connections from outside that device.

[egi4fedora]

Thanks for the nmap suggestion and the ShieldsUp scanner. I'm learning a lot from Zenmap running from the BT5-R3-BH iso I picked up in Vegas last week. Using the ShieldsUp and Zenmap, I can compare my external WAN and internal LAN exposure.