[ale] VNC (Was: Java on VNC display)

Joe Knapka jknapka at charter.net
Sun Jul 25 14:30:37 EDT 1999


I use the port forwarding built into ssh.

To VNC from home (myhost) through my local firewall (lfw), through
the firewall at work (wfw), to the PC in my office running VNC
(vnchost), I do this:

# (1) Set up an SSH connection from lfw to wfw, with forwarding
# from wfw to vnchost's VNC port.
myhost% telnet lfw
... # Password, etc...
lfw% ssh -g -l <wfw_user> -L 5910:vnchost:5900 wfw
... # Password, etc...

# (2) Then, from a separate command line on myhost, point
# a viewer at the forwarded port.
myhost% vncviewer lfw:10

Now, since my local firewall is masquerading for myhost, the
initial telnet is not strictly necessary - I could just start
ssh on myhost and then point the vncviewer at localhost:10.
However, the method outlined above works for any local firewall,
whether it's masquerading or not. I can do the same trick to
get from vnchost back to myhost, by simply reversing the
roles of (lfw<-->wfw) and (myhost<-->vnchost).

Another thing I do is that on lfw I have the firewall
configured to only accept connections to the local
VNC ports (5900-5999) from the local network. Thus,
some random hacker poking at lfw doesn't see the VNC
server I keep running as display 0, but I can still
get to it securely from outside via ssh, since
forwarded ssh connections appear to originate on the
machine running the ssh server. It also prevents
(in the scenario outlined above) an intruder from
opening a connection to lfw:5910 and seeing the
VNC desktop of the PC inside my employer's network!

-- Joe

Jeff Dilcher wrote:
> 
> How are you getting through the fire wall at work?
> Do you do some kind of tunneling, or port forwarding on the work side?
> 

-- Joe Knapka
* I speak only for myself, except when the little transceiver
* at the base of my skull is activated...
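
An added example, not part of the original message: a check to run on lfw that lists TCP listeners in the VNC range (5900-5999) bound to a non-loopback address. Those are the ports that depend on the firewall rule described above, including the 5910 forward opened with `ssh -g`. The function names and the sample `ss -tln` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Reads `ss -tln` style output on stdin and prints "address port" for every
# listener in 5900-5999 that is NOT bound to loopback. With `ssh -g`, the
# forwarded port listens on all interfaces, so only the firewall rule keeps
# outside hosts away from it; this shows which ports rely on that rule.

vnc_exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            ep = $4                      # local endpoint, e.g. 0.0.0.0:5910
            n = split(ep, parts, ":")    # port is the last ":"-separated field
            port = parts[n] + 0
            addr = substr(ep, 1, length(ep) - length(parts[n]) - 1)
            if (port < 5900 || port > 5999) next              # not a VNC port
            if (addr ~ /^127\./ || addr == "[::1]") next      # loopback only
            print addr, port
        }
    '
}

# Constructed sample input (assumption: Linux `ss -tln` column layout).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:5910        0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::1]:5911          [::]:*
LISTEN 0      128    [::]:5912           [::]:*
EOF
}

# Run against the constructed sample; on a live host use:
#   ss -tln | vnc_exposed_listeners
sample_ss_output | vnc_exposed_listeners
```

Every line it prints should be matched by a firewall rule that limits that port to the local network.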





