Hello all.

I know this has been mentioned a few times in the past,
but I am still unable to make it work and was wondering
if anyone had any further tips.

The scenario is such:

When using SR, I'm having some trouble getting X11 through
a FW-1 4.0 box (solaris) from a hide NAT'd machine.  The setup
is as follows:

SR Client <-> I-Net <-> FW-1 <-> NAT'd Unix Box 

So, I authenticate via SR with FW-1 fine.  I then telnet
to the Unix box and set my DISPLAY to the SR client's IP
address.  I then try and open any X client, say xclock.
It hangs for a while and eventually times out.

I'm using encapsulated FWZ for SecuRemote.

The log viewer shows the packets getting accepted fine.

If the setup is as such:

SR Client <-> I-Net <-> FW-1 <-> Non-NAT'd Unix Box 

Everything works fine.

I've tried Patrick Vanbeggelaer's suggestion of:

  1. Replace the 'X11' service by a new service, called, for instance,
     'myX11', that is defined as follows:

     The service should be of type 'other' (user-defined), and should include
     the line below as its match field:

       tcp,dport>=6000,dport<=6063,<dst,0> in userc_rules
  
  2. Add a rule which accepts connections from X Client to X servers with this
     service:
     
     X server ------ X Client ----- myX11 ------ Accept

     This means that only X11 connection to machines which have an open
     SecuRemote session with this FireWalled gateway will be allowed.

     The definition of this service could be generalized to all services
     initiating a back connection to the SecuRemote Client.

But, it doesn't seem to do the trick.

Does anyone have any further tips?  Maybe I've missed something?

I've searched all the usual places but haven't really come up
with anything else.

TIA...

-----
Kirk M. Vogelsang <[EMAIL PROTECTED]>
Northeastern University College of Computer Science
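The quoted match expression (`tcp,dport>=6000,dport<=6063,<dst,0> in userc_rules`) accepts a TCP packet only when its destination port is an X server port (display :0 through :63) and its destination address belongs to a client that currently holds a SecuRemote session. The following is an added example, not code from the post, from Check Point or from Patrick Vanbeggelaer: it models that predicate in plain Python over constructed packets, with the `userc_rules` table assumed to be a set of authenticated client addresses, and also maps a DISPLAY value to the port the rule has to match. It is meant for reasoning about what the rule does and does not cover (for instance that a display number above 63 or a destination without an SR session is dropped), not as firewall code.

```python
"""Toy model of the user-defined FW-1 'myX11' service quoted in the post.

Added example, not code from the original post or from Check Point. It
mimics the match expression

    tcp,dport>=6000,dport<=6063,<dst,0> in userc_rules

so the logic can be exercised on constructed packets. The set of
SecuRemote-authenticated client addresses (the 'userc_rules' table) is an
assumption represented as a Python set.
"""
from dataclasses import dataclass
from typing import List, Set

X11_BASE_PORT = 6000      # display :0 listens on TCP 6000
X11_MAX_DISPLAY = 63      # the service covers displays :0 .. :63 (ports 6000..6063)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def display_to_port(display: str) -> int:
    """Map a DISPLAY value such as '198.51.100.7:0' or ':1.0' to its TCP port."""
    host_sep = display.rfind(":")
    if host_sep < 0:
        raise ValueError(f"no display number in {display!r}")
    number = display[host_sep + 1:].split(".")[0]  # drop the '.screen' suffix
    return X11_BASE_PORT + int(number)


def my_x11_matches(pkt: Packet, userc_rules: Set[str]) -> bool:
    """Evaluate the 'myX11' service: TCP, to an X server port, and the
    destination currently holds a SecuRemote session (is in userc_rules)."""
    return (
        pkt.proto == "tcp"
        and X11_BASE_PORT <= pkt.dport <= X11_BASE_PORT + X11_MAX_DISPLAY
        and pkt.dst in userc_rules
    )


def evaluate(pkt: Packet, userc_rules: Set[str]) -> str:
    """Verdict of a rule 'X server --- X Client --- myX11 --- Accept'."""
    return "accept" if my_x11_matches(pkt, userc_rules) else "drop"


# Constructed sample data (documentation addresses, not real hosts)
SR_CLIENTS = {"198.51.100.7"}    # one client with an open SecuRemote session
UNIX_BOX = "10.0.0.5"            # the internal (hide-NAT'd) Unix box

SAMPLE: List[Packet] = [
    Packet("tcp", UNIX_BOX, "198.51.100.7", 6000),  # xclock to DISPLAY :0 -> accept
    Packet("tcp", UNIX_BOX, "198.51.100.7", 6064),  # display :64, outside range -> drop
    Packet("tcp", UNIX_BOX, "203.0.113.9", 6000),   # destination has no SR session -> drop
    Packet("udp", UNIX_BOX, "198.51.100.7", 6000),  # wrong protocol -> drop
]


def run_samples() -> List[str]:
    """Apply the service to every constructed packet and return the verdicts."""
    return [evaluate(p, SR_CLIENTS) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_samples()):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Note that the model only looks at the packet as the rule base sees it; it says nothing about what address translation does to the source of the back connection, which is exactly the part of the NAT'd case the post is asking about.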



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
