https://bugzilla.novell.com/show_bug.cgi?id=282606

Summary: "NX-Firewall.txt" packaged with FreeNX is incomplete
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: X11 3rd Party
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: pfeifle@kde.org
QAContact: sndirsch@novell.com

(Remark: I acquired the FreeNX-0.6.0-25.1 RPM via the build service today)

Nice job to have listed all the ports required to open in a firewall when running an NX session to traverse it.

However, the author forgot the most simple, most reliable and most secure alternative:

* allow SSH connections (port 22 is standard; any other port will do too, as long as the ssh daemon is reached there)
* select "Enable SSL encryption of all traffic"; it will not need any additional port to be opened.

You need to open port 22 (or wherever sshd is waiting) in any case anyway. And if there is a strict firewalling policy in place, users will have difficulty asking for dozens more open ports to run their NX sessions.

So here's a patch for that README, to be inserted right at the beginning:

----------------- snip ------------------------------------------------------
"If you need to traverse a firewall when connecting to an NX or FreeNX server, for initial login you need to connect to the SSH daemon on that server. SSH by default runs on port 22 (but this may be changed by the respective admin, or additional ports may have been added).

If your NX client does support a session option like 'Enable SSL encryption for all traffic', and you use that, then you are done. The NX session will only use that single port and direct all its other traffic through that SSH channel. 'Enable SSL encryption of all traffic' is the recommended way to run remote sessions through firewalls.

If (for whatever reason) you cannot use that mode, you need to open many more ports on the firewall. In addition to that loss of security, your remote session will not be encrypted either. Details follow now."

[then continue similar to what it is now...]
----------------- snip ------------------------------------------------------

Please, please, please update this README ASAP! It is not good to advise users to open more ports in their firewalls than they need to in order to run secure remote NX sessions. :-)