From: Paul S. <pa...@gl...> - 2003-04-15 14:34:53

Maybe to clarify: The DNAT entry he had in the rules file will open up his
server without the need for ssh. Unfortunate for him that it also opens it
to the world (please use an IP restriction).

Example:

    DNAT net loc:192.168.x.x tcp - 5900

That creates a wide open VNC server which you can connect directly to via
vnc-viewer.

    DNAT net:x.x.x.x loc:192.168.x.x tcp - 5900

Restricts access to the port to x.x.x.x as well as opening it up for the end
user from address x.x.x.x.

Now, if you're using ssh to connect to the firewall, you do not need this
entry. You can use ssh's port forwarding feature while connected to the
firewall. (from 'man sshd_config')

    AllowTcpForwarding
        Specifies whether TCP forwarding is permitted. The default is
        ``yes''. Note that disabling TCP forwarding does not improve
        security unless users are also denied shell access, as they can
        always install their own forwarders.

The default is yes.

If the VNC server is on 192.168.x.x then the firewall has to be allowed to
talk to the local machine (this is only if you're using ssh forwarding).

    ACCEPT fw loc:192.168.x.x tcp 5900

-P

On Tue, 15 Apr 2003 10:13:26 -0400 (EDT) "Jayel" <ja...@ex...> opened up to
us and said:

> Sorry for this reply as it's "out of place". I haven't used mailing
> lists for years. :)
> ---------------------------------
> Anyway, I read Paul's reply but I'm seeking clarification on 2 things.
>
> "Then, if you're using port forwarding, you need to be sure that it's
> allowed in your sshd config."
>
> I had a look at /etc/ssh/sshd_config. I can't find anything that
> resembles port forwarding. I looked at "man sshd" and nothing there.
>
> Is Paul suggesting that I don't use "DNAT"? It seems DNAT and the ssh
> method are two methods of VNCing.
>
> Thanks
> Jayel
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Sho...@li...
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pa...@gl...