On Fri, Sep 01, 2006 at 09:41:18PM +0800, mop wrote:
> Hi
>
> I have a home network set up with an OpenBSD gateway which is bridged to an
> ADSL router, two Windows XP machines and an assortment of old boxes I play
> around with, and a few IPs available to me. What I want is remote access
> back to my Windows boxes, probably using VNC, and to be able to ssh to my
> gateway and into my network. At least one of the sites I wish to connect
> from uses a web proxy and I would have to tunnel through it.
>
> What software/techniques can people suggest, and how much of a risk am I
> exposing myself to by doing this? I have survived this far without it, but
> it would be nice to have. Can I do it without it showing up in a port scan?

I'd personally go with VNC-over-SSH; sure, it might not be as efficient
as IPsec (or even OpenVPN), but it's pretty effective and SSH is a truly
nice piece of software - to the extent that I just tried to offset this
by a point on which OpenSSH sucks, and didn't hit upon one while typing
this sentence.

Note that most everything can be tunneled over HTTP, and that there
exist implementations of IP-over-DNS. Not that VNC would be a pleasant
experience over such a link...

> Now to the pf question. My policy for everything blocked from entering the
> network is that it is dropped with no reply. I have several ports forwarded
> to my Windows box, mainly for file sharing over IRC, so they are only open
> when I wish to do a DCC send. I would like to drop error messages coming
> from my Windows box when those ports are closed so no one gets curious as to
> why those ports replied and nothing else did.

That is best configured on the Windows box itself; it's not impossible
to do it on OpenBSD (authpf comes to mind, indeed), but there's no
reason to make things more complicated than necessary.

Joachim
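As an added illustration of the VNC-over-SSH setup recommended above (this is not code from the thread or from the OpenSSH project), the script below builds the ssh invocation that forwards a local port to the VNC server on a Windows box behind the OpenBSD gateway, optionally through an HTTP proxy that permits CONNECT. Host names, the user name and the proxy address are made-up placeholders; the proxy case relies on OpenBSD nc(1) speaking HTTP CONNECT via its -X connect / -x options, and ExitOnForwardFailure is an ssh_config option of current OpenSSH releases.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the ssh command for
# reaching a LAN VNC server through the OpenBSD gateway. All names below are
# constructed placeholders.

GATEWAY="gateway.example.org"   # public name/IP of the OpenBSD gateway
GATEWAY_PORT="22"               # sshd port on the gateway
GATEWAY_USER="mop"              # account on the gateway
VNC_HOST="winbox"               # Windows box as the gateway resolves it
VNC_PORT="5900"                 # VNC display :0 on the Windows box
LOCAL_PORT="5901"               # where the viewer connects on the client side

# vnc_tunnel_cmd [proxy_host:port]
# Prints the ssh command line. The forward is bound to 127.0.0.1 on purpose:
# the tunnel entrance must not be reachable by other hosts on the client-side
# LAN, which is exactly the kind of network the poster is connecting from.
# -N opens no shell, only the forward; ExitOnForwardFailure makes ssh give up
# instead of leaving a useless session if the forward cannot be set up.
vnc_tunnel_cmd() {
    proxy="$1"
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    if [ -n "$proxy" ]; then
        # OpenBSD nc(1): -X connect selects HTTP CONNECT, -x names the proxy.
        # ssh substitutes %h and %p with the gateway host and port.
        cmd="$cmd -o ProxyCommand='nc -X connect -x ${proxy} %h %p'"
    fi
    cmd="$cmd -L 127.0.0.1:${LOCAL_PORT}:${VNC_HOST}:${VNC_PORT}"
    cmd="$cmd -p ${GATEWAY_PORT} ${GATEWAY_USER}@${GATEWAY}"
    echo "$cmd"
}

# Usage: ./vnc-tunnel.sh --print [proxy_host:port]
if [ "${1:-}" = "--print" ]; then
    vnc_tunnel_cmd "${2:-}"
fi
```

Run the printed command in one terminal and point the VNC viewer at 127.0.0.1:5901 in another; nothing on the Windows box needs to listen beyond the LAN, and the only port the outside world sees on the gateway is sshd. Many web proxies only allow CONNECT to port 443, so GATEWAY_PORT is kept configurable rather than hard-coded to 22.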