Limiting winvnc incoming connections
ufer
ufer "at" klinikum-goerlitz.de
Thu, 11 Nov 1999 15:47:03 +0000
Thank you very much.
The problem was solved with
the registry entry
AuthHosts="-:+172.16.4.21:"
Question: is it possible to use VNC over 2 routers?
TCP/IP is available (ping works);
is an additional protocol required?
James "Wez" Weatherall wrote:
> > Yes, I've tried "-:127.0.0.1" and "-:127.0.0" as AuthHost filters. As
>
> The above won't work at all, since the + is missing.
>
> > I said, I had to disable LoopbackOnly, yet I had to enable
> > AllowLoopback. That's the puzzle. If I have to enable AllowLoopback,
> > then it means the server at one point thinks the connection is coming
> > in from the loopback interface (or it's misnamed and is simply
> > checking that it comes from the same box). I know there is a SEPARATE
> > loopback interface in most systems. If AllowLoopback is required to
> > service all local connections (not just on the loopback interface),
> > then it should be renamed "AllowLocal".
>
> Good point. AllowLoopback is automatically enabled when LoopbackOnly is
> set.
>
> > Perhaps I wasn't explicit enough. sshd is running on the same box as
> > the vnc server. A netstat shows the following
> >
> > Active Connections
> >
> > Proto Local Address Foreign Address State
> > TCP NT_Box:1026 localhost:1028 ESTABLISHED
> > TCP NT_Box:1028 localhost:1026 ESTABLISHED
> > TCP NT_Box:22 my.unix.box:1023 ESTABLISHED
> > TCP NT_Box:1432 NT_BOX:5900 ESTABLISHED
> > TCP NT_Box:5900 NT_BOX:1432 ESTABLISHED
> >
> > So, it looks like the sshd->winvnc connection is not going across the
> > loopback after all.
>
> Yes, I think you're correct there. The point I was making is that when you
> put in a local forward with SSH, you shouldn't have something like
> "ssh -L5999:nt_box:5900 nt_box" from the remote box - you should have
> "ssh -L5999:localhost:5900 nt_box", to make sure that the SSHD daemon on the
> server machine uses the loopback interface.
>
> Cheers,
>
> James "Wez" Weatherall
> --
> "Xenophobes should go back to Xenophobia"
> Laboratory for Communications Engineering, Cambridge - Tel : 766513
> AT&T Labs Cambridge, UK - Tel : 343000
>
> ---------------------------------------------------------------------
> The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
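The behaviour discussed in the thread, as an added example that is not part of the original messages: the source address a listening server sees depends on which destination address the connecting process (sshd, in the thread) was told to use. The helper names and the throwaway listener are constructed for illustration, and the code does not reproduce WinVNC's own LoopbackOnly or AllowLoopback checks.

```python
import ipaddress
import socket


def peer_seen_by_server(connect_host):
    """Open a throwaway listener on all interfaces, connect to it through
    connect_host, and return the source IP the listener sees."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    try:
        srv.bind(("0.0.0.0", 0))          # any free port, every interface
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection((connect_host, port), timeout=5):
            conn, (peer_ip, _peer_port) = srv.accept()
            conn.close()
        return peer_ip
    finally:
        srv.close()


def is_loopback_peer(peer_ip):
    """The test a loopback-only policy has to make on the peer address."""
    return ipaddress.ip_address(peer_ip).is_loopback


def primary_ip():
    """Best-effort non-loopback address of this host, or None.
    connect() on a UDP socket only selects a route; no packet is sent."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.connect(("192.0.2.1", 9))   # TEST-NET-1, documentation range
        return probe.getsockname()[0]
    except OSError:
        return None
    finally:
        probe.close()


if __name__ == "__main__":
    targets = {"forward to 127.0.0.1 (localhost)": "127.0.0.1"}
    own = primary_ip()
    if own and not is_loopback_peer(own):
        targets["forward to the host's own address"] = own
    for label, host in targets.items():
        peer = peer_seen_by_server(host)
        print(f"{label}: server sees {peer}, loopback={is_loopback_peer(peer)}")
```

On a host with a routable address, the second target reports that address as the peer even though both ends are on the same machine, which matches the NT_Box:1432 to NT_BOX:5900 pair in the quoted netstat output.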