Allow ssh to go through instead.  The user will log onto the machine via
ssh.  ssh will set the DISPLAY environment variable so that when apps are
started up, they tunnel back to the user's workstation.  On the whole I
think this is a better way to do it if you need X.  Also works great if you
need to run through NAT.
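As an added illustration of the approach in this reply (not code from the thread), here is what the ssh route looks like end to end, with a couple of small POSIX shell helpers that show why it avoids the 6000-6063 firewall opening. The sshd_config directives and ssh -X flag are real OpenSSH ones; the host names, the 172.16.x addresses and the sample DISPLAY values are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message: X over ssh instead of
# passing TCP/UDP 6000-6063 through the PIX.
#
# Server side (the DMZ1 hosts that run the X applications), in sshd_config:
#   X11Forwarding yes
#   X11UseLocalhost yes      # forwarded display binds only to 127.0.0.1
#
# Client side (a DMZ2 workstation running the X server / display):
#   ssh -X user@server1      # sshd sets DISPLAY on server1, e.g. localhost:10.0
#   xterm &                  # connects to 127.0.0.1:6010 on server1 and is
#                            # carried back to the workstation inside the ssh session
#
# Firewall: the only flow needed is DMZ2 -> DMZ1 TCP/22, which the existing
# policy already permits; nothing is opened from DMZ1 back into DMZ2.

# Map a DISPLAY string (host:display.screen) to the TCP port an X client
# connects to: 6000 + display number.
x_display_port() {
    display=$1
    rest=${display#*:}          # drop the host part: "10.0" or "0"
    num=${rest%%.*}             # drop the screen number
    num=${num:-0}               # treat an empty display number as 0
    echo $((6000 + num))
}

# Return 0 when DISPLAY points at an ssh-forwarded display: loopback host
# and display number 10 or above (OpenSSH's default X11DisplayOffset).
display_is_ssh_forwarded() {
    display=$1
    host=${display%%:*}
    rest=${display#*:}
    num=${rest%%.*}
    num=${num:-0}
    case "$host" in
        localhost|127.0.0.1) [ "$num" -ge 10 ] && return 0 ;;
    esac
    return 1
}

# Return 0 when a direct (non-tunnelled) X connection to this display would
# require the PIX to pass a port in the 6000-6063 range from the question.
display_needs_conduit() {
    display_is_ssh_forwarded "$1" && return 1
    port=$(x_display_port "$1")
    [ "$port" -ge 6000 ] && [ "$port" -le 6063 ]
}

# Sample values (constructed): a direct display on a DMZ2 workstation versus
# the display sshd hands out inside a forwarded session.
for d in '172.16.0.5:0.0' 'localhost:10.0'; do
    if display_needs_conduit "$d"; then
        echo "$d -> direct X, port $(x_display_port "$d"), needs a firewall rule"
    else
        echo "$d -> ssh-forwarded, only TCP/22 crosses the PIX"
    fi
done
```

The point the helpers make explicit: with forwarding, the X traffic that would otherwise arrive from DMZ1 at a DMZ2 workstation's port 6000+n never leaves the loopback interface of the DMZ1 host, so the higher-security segment accepts no inbound connection at all.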

-----Original Message-----
From: Noonan, Wesley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2001 11:49 AM
To: '[EMAIL PROTECTED]'
Subject: Permitting X through a PIX


Hello all. I need some advice from the experts around here.

I have a situation where I have a PIX with 4 interfaces. 2 are inside and
outside and 2 are considered DMZ1 and DMZ2. DMZ2 is a higher security than
DMZ1 (thus all traffic is permitted outbound from DMZ2 to DMZ1). We have
various machines on DMZ2 that need to access 2 servers on DMZ1 via X. For
some reason this is not working, and unfortunately, I am not a Unix guru and
know very little about X. My suspicion is that X requires that the target
machine (the server) be able to send data back to the clients, which of
course is being blocked by the firewall.

Here is a little diagram
                                 Server2
DMZ2----PIX----DMZ1---[
                         Server1

So, what I am wondering is how to proceed. I am pretty sure that X uses TCP
and UDP 6000-6063. Based on that, one of my ideas is to set up a conduit as
follows:
conduit permit tcp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.2
conduit permit udp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.2
conduit permit tcp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.3
conduit permit udp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.3

The other idea is to use the established command, but I am not very familiar
with its use.

Any ideas? TIA

Wes Noonan, MCSE/MCT/CCNA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]