Q: ipchains/ipmasqadm and VNC

Bryan Pendleton bpendleton "at" mail.com
Fri, 10 Nov 2000 02:58:56 +0000

On Thu, 9 Nov 2000, Erwin Zierler - Stubainet wrote:

> after reading all avaiable documentation and searching through the
> list archives I am still not able to get VNC running like I want it
> to.

Well, though I think you may have gotten your answer, another method for
punching VNC through a *nix firewall is with rinetd. It logs (something
it's much more difficult to make ipchains do), it's kernel-independent (so
you don't have to worry about it going away or the API changing when 2.4
comes out), and it's pretty efficient.

It's also a whole lot easier to handle lots of cases for different
incoming machines.

Just a side note, that it's possible to "renumber" VNC windows. For
instance, say you've got 3 machines running WinVNC with default settings
(which means they're all using display :0). You can set up rinetd so that
they each appear with seperate distinct screen names. Ie:



Your rinetd.conf would look something like this: 5901 bigbird 5900 5902 ernie 5900 5903 bert 5900

So, outside of the firewall, you'd connect to firewall:3 to get bert,
firewall:2 for ernie, and firewall:1 for bigbird (I normally leave :0
unused, partful because it's the first place people port scan, and partly
incase anyone ever, foolishly or not, runs VNC on the firewall).

I also use this solution to handle the incoming window redirection for
"Add new client" from WinVNC and, now, the Unix code too. Since rinetd can
be given a new config without killing open sockets, I have a line like 5500 internalhost 5500
which I edit to point to whichever machine should receive the next sent
window (for support, or whatever). Change the line, HUP rinetd, and you
can have someone else take the _next_ window, without killing an open
inbound session from the first. Neat, eh? _That_ would be a nightmare with
ipchains, I assure you.

Bryan Pendleton
ICQ #2680952
Phone: (877)780-3087
"The root of all knowledge lies within, but knowledge is useless unless it is collected and shared."
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html