Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] vnc masqueraded
  • From: Mark Ruth <Mark.Ruth@xxxxxxx>
  • Date: Wed, 16 Jan 2002 12:06:45 +0100 (MET)
  • Message-id: <2462.1011179205@xxxxxxxxxxxxx>
Hi,

The technique I used was to set up rinetd on the firewall and forward
a custom port to the internal machine that runs vnc.

That works pretty well, but opens the internal machine to the outside.
You have to adjust your firewall rules to ensure no one else but you
gets access to these ports. Since I'm on dialup at home I have to open the
port to a complete subnet, which isn't too good. You could log in to
the firewall via ssh and add your current IP to the vnc ports.
I'm a bit lazy, so I used a dummy user that adds my current IP to the
firewall if my login to ssh succeeds. Whether the passwd user has
uid 0 or you use the .bashrc to "su root -c whateva" is not important,
I think. It provides additional security to use the su method.

Now we have external vnc -> internal vnc for exactly one computer.
Since vnc allocates its port dynamically for its displays, we have
a range of ports we could use to access internal machines.
That means firewall:0,1,2 would connect to different internal machines.

I personally never thought of using NAT for this, because only one
IP gets NATed to another single computer. That would limit me.

My Firewall looks like: VNC ports: 5900 Display, 5901 Display:1, ...


                 -----
                 | F |  <-- 202.12.46.30
                 -----
                1  2  3   <-- adjust with 5900 to get the port
           -------|-------
           |      |      |
           |      |      |
         -----  -----  -----
         | 1 |  | 2 |  | 3 |  <-- 192.168.96.1,2,3
         -----  -----  -----


/* in your case */

# cat /etc/rinetd.conf
fire.wall.ip.ex 5900 192.168.96.1 5900
fire.wall.ip.ex 5901 192.168.96.2 5900
fire.wall.ip.ex 5902 192.168.96.3 5900
#

That's it. Hope it helped you.
Happy Hacking


---
Mark Ruth
Unix Systems Administrator
New York, ksh-2@xxxxxxxxxxxxxxx

> Hi folks,
>
> there's a tiny masqueraded lan (192.168.0.0/24) behind a firewall (suse
> 73, Susefirewall2), standard-configuration.
>
> Task: Enable remote control of the internal computers via VNC.
>
> The following already works:
>
> (1) intern <-> intern
> (2) intern <-> firewall
> (3) extern <-> firewall
> (4) intern -> extern
>
> The problem is (5) extern -> intern
>
> (currently i do a remote control of the firewall, which does a remote
> control of an internal computer, but that's pretty shitty)
>
> I do not know the right questions. Is it a firewall-, routing-, or
> masquerading-thingie? How do I address internal computers anyway?
>
> Please enlighten me.
> Thanks in advance,
> Jens
>
> --
> ---------------------------------------------------------------
> Jens Woch | woch@xxxxxxxxxxxxxx
> Dep. of Computer Science | http://www.uni-koblenz.de/~woch
> University of Koblenz | Tel.: +49 228 2611
> PF 201 602, D-56016 Koblenz | Fax: +49 261 2601
> ---------------------------------------------------------------
>
>

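An added example, not part of the original mail, of the "dummy user that adds my current IP to the firewall" trick described above, done so that only the address the SSH client connects from is allowed to reach the rinetd listeners on the firewall, and only while that SSH session stays open. The user name vncgate, the script path, the iptables-based firewall and the sshd ForceCommand setup are assumptions; the addresses in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Login hook for the dummy user:
# sshd runs it instead of a shell, it takes the client's address from
# SSH_CLIENT and allows that address alone to reach the rinetd listeners.
# Assumed sshd_config (user name and path are assumptions):
#   Match User vncgate
#       ForceCommand /usr/local/sbin/vncgate --login
# Keep "ssh vncgate@firewall" open in a terminal while using VNC.

VNC_PORTS="5900:5902"   # the three rinetd listeners from /etc/rinetd.conf

# Print the client address from an SSH_CLIENT value
# ("<client-ip> <client-port> <server-port>"), or fail unless it is a
# well-formed IPv4 address, so nothing unexpected ends up in a firewall rule.
client_ip() {
    ip=${1%% *}
    case "$ip" in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    printf '%s\n' "$ip"
}

# iptables rule (chain omitted) allowing one source address to the VNC ports.
# INPUT is the right chain: rinetd accepts the connection on the firewall itself.
vnc_rule() {
    printf '%s -s %s --dport %s -j ACCEPT' '-p tcp' "$1" "$VNC_PORTS"
}

session_hook() {
    ip=$(client_ip "${SSH_CLIENT:-}") || {
        echo "vncgate: cannot determine client address" >&2; exit 1; }
    rule=$(vnc_rule "$ip")
    iptables -I INPUT $rule                  # insert ahead of the default policy
    trap 'iptables -D INPUT $rule' EXIT      # revoke when the session ends
    trap 'exit 0' HUP INT TERM               # route signals through the EXIT trap
    echo "VNC ports $VNC_PORTS open for $ip until this SSH session closes"
    while read -r _; do :; done              # block until the client disconnects
}

case "${1:-}" in
    --login) session_hook ;;   # only act when sshd invokes us with --login
esac
```

Because the rule is tied to the session, a dialup address that changes between sessions never leaves a stale allow rule behind.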

