How to not bind to local NIC?
Roby Van Hoye
deroby "at" mail.dma.be
Mon, 28 Feb 2000 17:06:46 +0000
Fearing to go largely off topic : (oh, well, it contains /some/ info on vnc :)
Sybergen's Sygate software does the trick (among many others I suppose)
(using V3.1) I can both transfer the internet packages from & to the
inter/intranet and still run the WinVNC service at the same time.
Connecting to the gateway's IP using VNCViewer gives me the gateway's
screen. If I turn off the WinVNC server on the gateway, the connection to
5900 is forwarded to the intranet and (according to the rules set)
connects to an intranet pc.
(clearly I'll set the rules to forward connections to eg. 5901 to be
transferred to pc001:5900, connections on 5902 will go to PC002:5900 etc..
thus allowing me to connect to the gateway on 5900 and connecting to the
intranet pc's on 5901, 5902, etc...)
For those now happily thinking about a major port scan on my IP : be my
guest :)
Cu
Roby
At 09:00 28/02/00 -0700, Adam Malejko wrote:
>Okay, let me clear this up a little bit. Yes, Arnt and I have discussed
>ways of disabling one NIC before, and come to no conclusions.
>
>So, I started reading through the WinVNC source to see what the problem
>was. Well, I don't know what the problem is. My problem was Microsoft's
>Internet Connection Sharing (ICS) disabling VNC somehow. To a further
>extent, if ICS is enabled, it seems to even kill ICQ file transfers so
>that they won't get through..... bizarre, yet off topic.
>
>So what *I* wanted was a way of having VNC not bind to the local NIC,
>and what I think Arnt was going for was having VNC not bind to the
>external NIC. Either way, it's somewhat the same problem. Currently, if
>I want to use VNC with ICS installed, I have to disable it (simple
>right-click), otherwise I can't connect from work, school or wherever I
>am. However, this does make it so any of my other PC's can't access the
>Internet unless they're on the main dual-homed PC. Make sense?
>
>So I was trying to get VNC changed so that it would only bind to one
>(either one right now.. although a choice would be even better!). Is
>this or is this not possible James?? If it is, please enlighten me, and
>if it's not, well let me know as well
>
>Either that or I just need to install a better proxy that works as well
>as ICS, yet works with VNC and is as transparent as ICS.
>
>Hope this helps,
>-Adam
>
>
>----- Original Message -----
>From: "James (Wez) Weatherall" <jnw22 "at" cam.ac.uk>
>To: <vnc-list "at" uk.research.att.com>
>Sent: Monday, February 28, 2000 4:45 AM
>Subject: Re: How to not bind to local NIC?
>
>
>> James,
>> I don't see what you are saying here, do you mean that binding to only one
>> nic will never be possible?
>
>No. That's not what I'm saying.
>
>> Then why does the possibility even exist in sockets?
>> Also, MS IIS (as an example, not one I particularly like, but anyway) does
>> this just fine, resulting in a port not being opened on the external nic (so
>> that e.g. a portscan to it does not show anything running on port 80).
>
>That's not what you asked for. You were trying to disable the local
>loopback NIC but leave the external one enabled, not the other way
>around.
>
>> And lastly, in NT, in the tcp/ip properties, you can specify whether you want
>> IP forwarding or not, so I'd be surprised if a nic driver would somehow
>> decide to do this anyway, all by itself...
>
>It has nothing to do with IP forwarding.
>
>> PS: The main reason why you'd want (and why I want this very much) to is to
>> make sure no one takes down or takes over your machine through an unchecked
>> buffer or other error in the connection part that happens before vnc
>> terminates the connection. Also, you might simply not want to give away the
>> fact that you are using vnc, and this does prevent any spoofing attacks
>> trying to make it look like you are connected to an allowed ip address...
>
>You said you wanted to prevent connections from the local loopback NIC but
>enable them from an external network NIC. Neither of the above arguments
>applies to that situation. Both arguments apply to the exact opposite case,
>in which _only_ loopback NIC connections are allowed and remote NIC
>connections are not, which WinVNC can already do.
>
>Cheers,
>
>James "Wez" Weatherall
>--
> "Xenophobes should go back to Xenophobia"
>Laboratory for Communications Engineering, Cambridge - Tel : 766513
>AT&T Labs Cambridge, UK - Tel : 343000
>
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, send a message with the line: unsubscribe vnc-list
>to majordomo "at" uk.research.att.com
>See also: http://www.uk.research.att.com/vnc/intouch.html
>---------------------------------------------------------------------
>
>
Cu
Roby.
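
The per-address binding the thread argues about, as an added example that is not part of the original messages and is not WinVNC code: a listener bound to one local address refuses connections aimed at any other local address, while one bound to 0.0.0.0 answers on all of them. It uses POSIX sockets and assumes Linux, where 127.0.0.2 is also a local address and stands in here for "the other NIC"; `reachable_via` and `make_addr` are hypothetical helper names.

```c
/* Added example, not WinVNC code. POSIX sockets; assumes Linux, where every
 * 127.0.0.0/8 address is local, so 127.0.0.2 can play "the other NIC". */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill an IPv4 socket address; returns 0 on success, -1 on a bad address. */
static int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port) {
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Listen on bind_ip (port chosen by the kernel), then try a TCP connect to
 * probe_ip on that port. Returns 1 = reachable, 0 = refused, -1 = setup error. */
int reachable_via(const char *bind_ip, const char *probe_ip) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int result = -1, cli = -1, srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0) return -1;
    if (make_addr(&sa, bind_ip, 0) == 0 &&
        bind(srv, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        listen(srv, 4) == 0 &&
        getsockname(srv, (struct sockaddr *)&sa, &len) == 0 &&
        make_addr(&sa, probe_ip, ntohs(sa.sin_port)) == 0 &&
        (cli = socket(AF_INET, SOCK_STREAM, 0)) >= 0) {
        /* The kernel completes the handshake from the listen backlog,
         * so no accept() is needed to learn whether the port is open. */
        result = connect(cli, (struct sockaddr *)&sa, sizeof sa) == 0;
    }
    if (cli >= 0) close(cli);
    close(srv);
    return result;
}

int main(void) {
    printf("bind 127.0.0.1, probe 127.0.0.1: %d\n", reachable_via("127.0.0.1", "127.0.0.1"));
    printf("bind 127.0.0.1, probe 127.0.0.2: %d\n", reachable_via("127.0.0.1", "127.0.0.2"));
    printf("bind 0.0.0.0,   probe 127.0.0.2: %d\n", reachable_via("0.0.0.0", "127.0.0.2"));
    return 0;
}
```

A port that is not bound on an address answers a connection attempt with a reset, which is why a scan of that address shows nothing listening there.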