Darcy Parker wrote:

Message: 1
Date: Wed, 11 Jun 2003 23:26:16 +0200
From: Patrick Benson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Shorewall Rules and TightVNC

I would also suggest the same option Lars proposed, use ssh and
portforwarding with ssh acting as the tunnel. Some of the advantages are
disabling passwords and using RSA authentication which can be configured
in your sshd_config file, averting the password cracking problem. A
properly configured sshd_config file is a powerful complement for your
security setup. Another advantage is that you will only be using the ssh
port for the connection, instead of opening the standard vnc 5800,5900
ports, and you can use the compression option as well. There's a pretty
good tutorial at the realvnc site on how to go about it:

http://www.uk.research.att.com/vnc/sshvnc.html

Regards,
--
Patrick Benson
Stockholm, Sweden



Good day Patrick and Lars,


As I am fairly new to this, I would appreciate a bit more help.  I did read
the article above and a few others but I am not 100% sure that I am doing
everything correctly.

I have sshd 3.4p1 OpenSSH sshd daemon installed and I have created the keys.
I can access the fw using putty from both loc and from net.
Something that bothered me was the fact that when I connected from the net
all I had to do was trust the connection to be accepted, then I logged on as
root, provided my password, and I was at the lrcfg screen.

I looked at the sshd server system wide configuration file but did not know
what to change to prevent just anyone from logging on.

Also for rules in shorewall I have

ACCEPT    loc    fw    tcp    22
ACCEPT    net    fw    tcp    22

do I add

ACCEPT net loc tcp 22

I want to use the web based TightVNC client on the net to connect to the
TightVNC server on loc.  Can this be accomplished using port forwarding?

I would normally type http://xxx.xxx.xxx.xxx:5800 in a web browser to
connect to the TightVNC server.  Would I specify port 22 here instead of
port 5800?

Any help is appreciated.

Best Regards,
Darcy Parker

How can the firewall know if it is supposed to answer port 22 or forward it to your internal machine? The firewall is already responding to port 22 from the Internet and the local network. It cannot also forward it.

You have two choices.

1. Configure your ssh VNC tunnel to use another port - say port 24. Add the shorewall configuration for that port.

2. Configure /etc/ssh/sshd_config to respond to a different port. You would also have to configure your ssh client program to use that port when connecting to the firewall. Change the two rules above to the tcp port that sshd answers on.

--

Victor McAllister
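An added example, written for this thread and not posted by Patrick, Darcy or Victor: a small POSIX shell script that audits an sshd_config for the settings Patrick mentions (password logins off, public-key logins on, no direct root login) and reports which tcp port sshd is listening on, then builds the client-side ssh command for the VNC tunnel. The tunnel ends on the firewall's own sshd and uses two `-L` forwards into loc, so the only shorewall rule needed is the `ACCEPT net fw tcp <port>` one already in place, and the port argument lets the same command be used if sshd is moved off 22 as in Victor's second option. The user name `darcy`, the host `fw.example.invalid`, the LAN address `192.168.1.10`, and the defaults assumed for absent keywords (PasswordAuthentication yes, PermitRootLogin yes, PubkeyAuthentication yes, Port 22, the OpenSSH defaults of that era) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config the way a
# defender would before exposing sshd on the net side, and prints the ssh
# port-forward command that reaches a TightVNC server on loc through the
# firewall's sshd. Host names, addresses and file contents are constructed.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of a keyword in an sshd_config file. Like sshd, the first
# uncommented match wins; an absent or commented keyword yields the default
# given as the third argument (assumed here to match the OpenSSH defaults).
sshd_opt() {
    file="$1"; key="$2"; default="$3"
    val=$(grep -i "^[[:space:]]*${key}[[:space:]]" "$file" 2>/dev/null | head -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Returns 0 when the file enforces key-only, non-root logins, 1 otherwise,
# printing one line per weak setting. OpenSSH 3.4 calls public-key auth
# RSAAuthentication for protocol 1; this checks the protocol-2 keyword.
audit_sshd_config() {
    file="$1"; rc=0
    pw=$(sshd_opt "$file" PasswordAuthentication yes)
    root=$(sshd_opt "$file" PermitRootLogin yes)
    pub=$(sshd_opt "$file" PubkeyAuthentication yes)
    port=$(sshd_opt "$file" Port 22)
    if [ "$(lc "$pw")" != "no" ]; then
        echo "WEAK: PasswordAuthentication=$pw (password guessing from the net stays possible)"; rc=1
    fi
    if [ "$(lc "$root")" = "yes" ]; then
        echo "WEAK: PermitRootLogin=$root (log in as an unprivileged user instead)"; rc=1
    fi
    if [ "$(lc "$pub")" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication=$pub (key logins disabled)"; rc=1
    fi
    echo "sshd listens on tcp/$port (shorewall rule needed: ACCEPT net fw tcp $port)"
    return $rc
}

# Client-side tunnel command. Arguments: sshd port on the firewall, login
# name, firewall host, VNC host on loc, optional VNC display number.
# The web viewer is served on 5800+display and its Java applet then connects
# to 5900+display on the host it was loaded from, so both ports are forwarded;
# the browser is pointed at http://localhost:5800, never at port 22.
vnc_tunnel_cmd() {
    sshport="$1"; user="$2"; fw="$3"; vnchost="$4"; display="${5:-0}"
    case "$sshport" in ''|*[!0-9]*) echo "bad port: $sshport" >&2; return 1 ;; esac
    [ "$sshport" -ge 1 ] && [ "$sshport" -le 65535 ] || { echo "bad port: $sshport" >&2; return 1; }
    web=$((5800 + display)); vnc=$((5900 + display))
    # -C enables compression; each -L listens on the client's loopback only
    # and relays through sshd on the firewall to the LAN host.
    printf 'ssh -C -p %s -L %s:%s:%s -L %s:%s:%s %s@%s\n' \
        "$sshport" "$web" "$vnchost" "$web" "$vnc" "$vnchost" "$vnc" "$user" "$fw"
}

# Demo on two constructed config fragments (not anyone's real sshd_config).
weak=$(mktemp); hardened=$(mktemp)
printf '#PasswordAuthentication yes\nPermitRootLogin yes\n' > "$weak"
printf 'Port 24\nProtocol 2\nPubkeyAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\n' > "$hardened"
for f in "$weak" "$hardened"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "OK: key-only, non-root logins enforced"; fi
done
rm -f "$weak" "$hardened"
vnc_tunnel_cmd 24 darcy fw.example.invalid 192.168.1.10
```

Run it as `sh audit-vnc-tunnel.sh`; the first fragment is reported weak on two counts and the second passes, after which the script prints the `ssh -C -p 24 -L 5800:... -L 5900:...` command to type on the net-side machine before opening http://localhost:5800 in the browser.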




leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html