He's still going to need to open his 600 port though.
Thanks,
Ron DuFresne
On Thu, 18 Jan 2001, Ng, Kenneth (US) wrote:
> Allow ssh to go through instead. The user will log onto the machine via
> ssh. ssh will set the DISPLAY environment variable so that when apps are
> started up, they tunnel back to the user's workstation. On the whole I
> think this is a better way to do it if you need X. Also works great if you
> need to run through NAT.
>
> -----Original Message-----
> From: Noonan, Wesley [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 18, 2001 11:49 AM
> To: '[EMAIL PROTECTED]'
> Subject: Permiting X through a PIX
>
>
> Hello all. I need some advice from the experts around here.
>
> I have a situation where I have a PIX with 4 interfaces. 2 are inside and
> outside and 2 are considered DMZ1 and DMZ2. DMZ2 is a higher security than
> DMZ1 (thus all traffic is permitted outbound from DMZ2 to DMZ1). We have
> various machines on DMZ2 that need to access 2 servers on DMZ1 via X. For
> some reason this is not working, and unfortunately, I am not a Unix guru and
> know very little about X. My suspicion is that X requires that the target
> machine (the server) be able to send data back to the clients, which of
> course is being blocked by the firewall.
>
> Here is a little diagram
>                         Server2
> DMZ2----PIX----DMZ1---[
>                         Server1
>
> So, what I am wondering is how to proceed. I am pretty sure that X uses TCP
> and UDP 6000-6063. Based on that, one of my ideas is to setup a conduit as
> follows:
> Conduit permit tcp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.2
> Conduit permit udp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.2
> Conduit permit tcp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.3
> Conduit permit udp 172.16.0.0 255.255.255.0 range 6000 6063 host 172.16.1.3
>
> The other idea is to use the established command, but I am not very familiar
> with its use.
>
> Any ideas? TIA
>
> Wes Noonan, MCSE/MCT/CCNA/NNCSS
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> [EMAIL PROTECTED]
> http://www.bmc.com
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
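
An added illustration, not part of the original thread: a small shell helper that reads a DISPLAY value and reports which network path an X application will use, which is what decides whether the firewall sees TCP 6000+N or only the ssh session. The function name `x_display_path` and the sample addresses are constructed for this example, and the loopback case assumes OpenSSH's usual behaviour of setting DISPLAY to a loopback proxy display such as localhost:10.0.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Maps an X11 DISPLAY string to the transport the X application will use.
#   host:N[.S]  -> TCP connection to host, port 6000+N (crosses the firewall)
#   localhost:N -> TCP to loopback; with ssh X forwarding this is sshd's
#                  proxy display and the data rides inside the ssh session
#   :N          -> local Unix socket, no network traffic
x_display_path() {
    display=$1
    host=${display%:*}      # text before the last ':'
    rest=${display##*:}     # "N" or "N.S"
    num=${rest%%.*}         # display number N

    # Reject missing or non-numeric display numbers (and leading zeros,
    # which shell arithmetic would read as octal).
    case $num in
        ''|*[!0-9]*|0[0-9]*) echo "invalid"; return 1 ;;
    esac
    # A value with no ':' at all is not a usable DISPLAY.
    case $display in
        *:*) ;;
        *) echo "invalid"; return 1 ;;
    esac

    port=$((6000 + num))
    case $host in
        ''|unix)             echo "local-socket" ;;
        localhost|127.0.0.1) echo "loopback tcp/$port" ;;
        *)                   echo "direct $host tcp/$port" ;;
    esac
}

# Constructed sample values: a workstation on the 172.16.0.0 network used
# in the post, a typical ssh-forwarded display, and a local display.
for d in 172.16.0.5:0.0 localhost:10.0 :0; do
    printf '%-18s %s\n' "$d" "$(x_display_path "$d")"
done
```

Running `echo $DISPLAY` on the server before starting the application and feeding the value to this function shows whether the connection back to the workstation will appear at the firewall as its own TCP flow.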