From owner-freebsd-questions Mon Nov 18 17:59:56 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABC5637B401 for ; Mon, 18 Nov 2002 17:59:54 -0800 (PST)
Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 72E4743E88 for ; Mon, 18 Nov 2002 17:59:50 -0800 (PST) (envelope-from dmp@pantherdragon.org)
Received: from sparx.techno.pagans (12-224-208-117.client.attbi.com [12.224.208.117]) by spork.pantherdragon.org (Postfix) with ESMTP id 566FE10112; Mon, 18 Nov 2002 17:59:40 -0800 (PST)
Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by sparx.techno.pagans (Postfix) with ESMTP id 2FF7FAA8F; Mon, 18 Nov 2002 17:59:39 -0800 (PST)
Message-ID: <3DD99B09.3040406@pantherdragon.org>
Date: Mon, 18 Nov 2002 17:59:37 -0800
From: Darren Pilgrim
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Murat Bicer
Cc: Doug Poland , freebsd-questions@FreeBSD.ORG
Subject: Re: Secure tunneling of remote-access Windows sessions?
References: <20021118223957.63187.qmail@web13103.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Murat Bicer wrote:
> If remote address is not routable you will not be able to access it
> anyways. So you have to either open port 22 on the firewall of the
> remote machine which will be natted to the internal ip:port or you
> have to open port 5900 (which is not secure). Either way you have to
> punch a hole on the firewall if you need to access non-routable
> addresses.
Maybe I'm not understanding what you're trying to explain, or maybe I'm not explaining myself well enough. I know this is possible when public IPs are used. What I'm trying to determine (before I spend the time and money to reconfigure gateway2) is if this is possible when the VNC client and server machines aren't directly accessible from the public internet because they're behind NAT'ing gateways. The SSH tunnel gets me through the firewall via the ssh port on gateway2. Local only sees and uses the faked VNC port on gateway1. Assuming local can reach the faked port on gateway1 and gateway2 can reach the actual port on remote, do the IP addresses used even matter?

Darren Pilgrim wrote:
> Doug Poland wrote:
>> Darren Pilgrim said:
>>
>>> I want to set up VNC on some Windows machines so I can access them
>>> over the internet, but I need to secure the connection in a way
>>> that will work with NAT'ing firewalls on both ends of the
>>> connection. How can I do this? I was thinking of setting up a
>>> tunnel between the two firewalls. On the local end, the tunnel
>>> starts at a given port on the firewall, which is connected to a
>>> port on the remote firewall that forwards to the VNC port on the
>>> remote machine. How would I go about doing this? Is there a
>>> better option?
>>
>> I recommend you use the TightVNC form of VNC. Read the info on this
>> link: http://www.uk.research.att.com/vnc/sshvnc.html then read the
>> ssh man page paying close attention to the -L switch. If you have
>> particular problems after this leg work, then ask again.
>
> Okay, I see how I can use ssh/sshd running on the FreeBSD gateways on
> each end of the connection to make the remote VNC port accessible via a
> port on the local gateway. However, their setup requires that the
> remote machine have a routable IP address, doesn't it?
> Modifying the model on the page you sent me:
>
> local machine (me) ----- gateway1
> 10.2.3.4/24              `ssh -g -L 5900:10.1.2.3:5900 gateway2`
> runs vncviewer                  |
>                              internet
>                                 |
> gateway2 ----- remote machine
> running sshd   10.1.2.3/24
>                running vnc server
>                on port 5900
>
> Since the IP address I'm forwarding is non-routable, what happens? What
> happens to the source IP address, which is also non-routable and, to
> gateway2, non-local?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
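The question the thread leaves open is what `ssh -g -L 5900:10.1.2.3:5900 gateway2` does with the two non-routable addresses. The forward works in two legs: the `ssh` client on gateway1 listens on port 5900 and carries bytes over the SSH session, and `sshd` on gateway2 opens its own TCP connection to 10.1.2.3:5900 from gateway2's address. So the destination only has to be reachable from gateway2, and the VNC server sees gateway2 (not the vncviewer host) as the source; the local 10.2.3.4 address never crosses the internet. The following is an added example, not code from the thread or from OpenSSH: a toy TCP relay on 127.0.0.1 that plays the same two legs without SSH, so it runs offline. The role names (stub server, forwarder, client), the `gateway_ports` flag standing in for `-g`, and the `b"RFB "` reply are constructed for this illustration.

```python
"""Toy model of `ssh -g -L 5900:10.1.2.3:5900 gateway2`, built from plain TCP
sockets on 127.0.0.1 so it runs offline with no ssh, sshd or VNC involved.
Constructed roles: stub server = VNC server on the remote machine; forwarder =
ssh listener on gateway1 plus the outbound connect sshd makes on gateway2;
client = vncviewer on the local machine."""
import socket
import threading


def _read_all(sock):
    """Read until the peer half-closes, returning everything received."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk


def _pump(src, dst):
    """Copy src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_stub_server():
    """Accept one connection, record the peer address the server sees and
    answer with the request prefixed by b"RFB ". Returns (port, seen)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def serve():
        conn, peer = srv.accept()
        srv.close()
        seen["peer"] = peer  # this is what the VNC server would log as the client
        with conn:
            conn.sendall(b"RFB " + _read_all(conn))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def start_forwarder(target, gateway_ports=False):
    """Listen the way `ssh -L` does; the one accepted client is joined to a
    fresh connection to `target`, as sshd on gateway2 would make it.
    gateway_ports=True mirrors `-g`: bind every interface, not just loopback."""
    bind_host = "0.0.0.0" if gateway_ports else "127.0.0.1"
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((bind_host, 0))
    lst.listen(1)

    def relay():
        client, _ = lst.accept()
        lst.close()
        # `target` only has to be reachable from this side (gateway2); the
        # target sees this socket's address as the source, never the client's.
        with client, socket.create_connection(target) as upstream:
            back = threading.Thread(target=_pump, args=(upstream, client))
            back.start()
            _pump(client, upstream)
            back.join()

    threading.Thread(target=relay, daemon=True).start()
    return bind_host, lst.getsockname()[1]


def demo(gateway_ports=False):
    """Run client -> forwarder -> stub server once; report what each end saw."""
    server_port, seen = start_stub_server()
    bind_host, fwd_port = start_forwarder(("127.0.0.1", server_port), gateway_ports)
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as cli:
        client_addr = cli.getsockname()
        cli.sendall(b"hello")
        cli.shutdown(socket.SHUT_WR)
        reply = _read_all(cli)
    return {
        "listener": (bind_host, fwd_port),
        "client_addr": client_addr,
        "peer_seen_by_server": seen["peer"],
        "reply": reply,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

Running it shows the reply coming back through the relay while `peer_seen_by_server` is the forwarder's own socket, not `client_addr`; that is the answer to "what happens to the source IP": it is replaced at the far end of the tunnel. The `-g` side of the diagram is the part worth a second look from a hardening standpoint: with `gateway_ports=True` (the real `-g`) the listener on gateway1 is bound on every interface, so any host on gateway1's LAN can ride the tunnel to the remote VNC port, whereas without it only the gateway itself can connect. Omit `-g` unless the viewer really runs on another machine, and keep the VNC server's own password in place even though the path is encrypted.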