Hi,

The technique I used was to set up rinetd on the firewall and forward a custom port to the internal machine that runs VNC. That works pretty well, but opens the internal machine to the outside. You have to adjust your firewall rules to ensure no one other than you has access to these ports. Since I'm on dialup at home I have to open the port to a complete subnet, which isn't too good. You could log in to the firewall via ssh and add your current IP to the VNC ports.

I'm a bit lazy, so I used a dummy user that adds my current IP to the firewall if my login to ssh succeeds. Whether the passwd user has uid 0 or you use the .bashrc to "su root -c whatever" is not important, I think. It provides additional security to use the su method.

Now we have external VNC -> internal VNC for exactly one computer. Since VNC allocates its port dynamically for its displays, we have a range of ports we could use to access internal machines. That means firewall:0,1,2 would connect to different internal machines. I personally never thought of using NAT for this, because only one IP gets NATed to another single computer. That would limit me.

My firewall looks like:

VNC ports: 5900 Display, 5901 Display:1, ...

           -----
           | F |   <-- 202.12.46.30
           -----
           1 2 3   <-- add 5900 to get the port
        -------|-------
        |      |      |
      -----  -----  -----
      | 1 |  | 2 |  | 3 |   <-- 192.168.96.1,2,3
      -----  -----  -----

/* in your case */
# cat /etc/rinetd.conf
fire.wall.ip.ex 5900 192.168.96.1 5900
fire.wall.ip.ex 5901 192.168.96.2 5900
fire.wall.ip.ex 5902 192.168.96.3 5900
#

That's it. Hope it helped you.

Happy Hacking

---
Mark Ruth
Unix Systems Administrator
New York, ksh-2@MarkRuth.2y.net
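The firewall-side half of Mark's setup, written out as an added example (this is not code from the original post): the rinetd.conf mapping of firewall display N to internal host N, and the "dummy SSH user" login hook that opens the forwarded VNC ports only to the address the admin is logging in from, so the range is not left open to a whole dialup subnet. It assumes a plain iptables host with a standing DROP rule for the VNC range (SuSEfirewall2 is not touched); the addresses 203.0.113.x, the 192.168.96.0/24 hosts, eth0 and the 5900-5902 range are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes iptables and a
# standing "DROP tcp --dport 5900:5902" rule in INPUT that the per-login
# ACCEPT is inserted in front of. All addresses and names are constructed.

# Accept only a well-formed dotted-quad IPv4 address. Anything else (an
# IPv6 peer, an odd SSH_CONNECTION value, shell metacharacters) is refused
# rather than spliced into an iptables command line.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Client address of the SSH session running this script. sshd sets
# SSH_CONNECTION to "client_ip client_port server_ip server_port".
ssh_client_ip() {
    set -- ${SSH_CONNECTION:-}
    [ -n "${1:-}" ] || return 1
    printf '%s\n' "$1"
}

# Print rinetd.conf lines mapping display N on the firewall (port 5900+N)
# to display 0 (port 5900) on host N of the internal /24.
rinetd_lines() {
    fw_ip=$1 net=$2 count=$3
    n=0
    while [ "$n" -lt "$count" ]; do
        printf '%s %d %s.%d 5900\n' "$fw_ip" $((5900 + n)) "$net" $((n + 1))
        n=$((n + 1))
    done
}

# Print the iptables command that opens the forwarded VNC range to exactly
# one client address. "-I" puts it ahead of the standing DROP rule.
vnc_allow_rule() {
    client=$1 first=$2 last=$3 iface=$4
    valid_ipv4 "$client" || return 1
    printf 'iptables -I INPUT -i %s -p tcp -s %s --dport %s:%s -j ACCEPT\n' \
        "$iface" "$client" "$first" "$last"
}

# Entry point for the dummy user's login shell or .bashrc: grant the SSH
# peer of the current session. DRY_RUN=1 only prints what would be run.
grant_ssh_peer() {
    peer=$(ssh_client_ip) || { echo "no SSH_CONNECTION in environment" >&2; return 1; }
    rules=$(vnc_allow_rule "$peer" 5900 5902 eth0) || { echo "refusing peer '$peer'" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh
    fi
}
```

Run `rinetd_lines 203.0.113.1 192.168.96 3 > /etc/rinetd.conf` once to build the mapping, and call `grant_ssh_peer` from the dummy user's login (via the su method Mark mentions, so the user itself is not uid 0). The matching `iptables -D` with the same arguments belongs in the logout path, otherwise each dialup session leaves its old address whitelisted.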
Hi folks,
There's a tiny masqueraded LAN (192.168.0.0/24) behind a firewall (suse 73, SuSEfirewall2), standard configuration.
Task: Enable remote control of the internal computers via VNC.
The following already works:
(1) intern <-> intern
(2) intern <-> firewall
(3) extern <-> firewall
(4) intern -> extern
The problem is (5) extern -> intern
(Currently I do a remote control of the firewall, which does a remote control of an internal computer, but that's pretty shitty.)
I do not know the right questions. Is it a firewall-, routing-, or masquerading-thingie? How do I address internal computers anyway?
Please enlighten me. Thanks in advance, Jens
--
---------------------------------------------------------------
Jens Woch                    | woch@uni-koblenz.de
Dep. of Computer Science     | http://www.uni-koblenz.de/~woch
University of Koblenz        | Tel.: +49 228 2611
PF 201 602, D-56016 Koblenz  | Fax: +49 261 2601
---------------------------------------------------------------
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com