From: Cowles, Steve <Steve@SteveCowles.com> - 2003-06-28 12:50:06
> -----Original Message-----
> From: Wahid Belhaouane
> Sent: Saturday, June 28, 2003 6:37 AM
> Subject: [Shorewall-users] Hummingbird Exceed
> Hello ,
> I installed Shorewall on a linux RedHat 8.0.
> No problem , it works very well.
> I have two interfaces:
> eth0 : 22.214.171.124 , mask 255.255.255.192 gateway : 126.96.36.199
> dns: 188.8.131.52
> eth1 : 192.168.54.250 mask 255.255.255.0 (no gateway)
> all computers in my local network have ip addresses 192.168.54.xx ,
> gateway: 192.168.54.250 , dns:184.108.40.206
> almost 100 local machines using microsoft windows (98,2000 and xp)
> i have some unix and linux machines on the net zone (ip address
> :220.127.116.11-18.104.22.168) gw:22.214.171.124
> (hpux, aix, sun , scolinux and redhat8.0 ).
> My problem now , the local computers use Hummingbird Exceed
> to have the
> i have no idea what to do to make xwindow working.
> can you help me to resolve this problem , thanks a lot.
You have not mentioned how you are configuring Hummingbird (xdmcp or ssh
tunnel). I'm assuming XDMCP. With that in mind, the following rules are what
I added to my firewall for X access from zones loc->dmz. (change dmz to net)
ACCEPT loc dmz udp xdmcp
ACCEPT dmz loc tcp 6000:6009
Your situation is different since your accessing systems in the net zone
with public ip addresses. The ports will be the same, but you will probably
have to deal with DNAT issues for ports 6000:6009. i.e.
1) Hummingbird sends an XDMCP to a system in net zone. (masqueraded)
2) System in net zone starts an X session back to calling system. (firewalls
3) Firewall needs to know which system to DNAT the session request (in step
2) to in the local zone.
The last step could get tricky if you have multiple systems in the local
zone accessing multiple servers in the net zone. If I were in your shoes, I
would configure Hummingbird to use an ssh tunnel until I moved these systems
to a DMZ zone.
Also, if your shorewall policy is set to ACCEPT for loc->net, then you don't
need the first rule.
From: Tom Eastep <teastep@sh...> - 2003-06-28 13:58:30
On Sat, 2003-06-28 at 05:49, Cowles, Steve wrote:
> The last step could get tricky if you have multiple systems in the local
> zone accessing multiple servers in the net zone.
That problem is actually unsolvable. Hummingbird is an X *server* --
hence as Steve points out, your *nix boxes will be attempting TCP
connections to these servers using the external IP address of your
firewall. Your firewall will have no clue as to which of the 100 Windoze
boxes to forward the request to.
> If I were in your shoes, I
> would configure Hummingbird to use an ssh tunnel until I moved these systems
> to a DMZ zone.
That's the only way to make it work.
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@...