Joyce, Matthew wrote:
I am not able to connect to a VNC server that's running behind the firewall. I know that the vncserver is running because I can open vncviewers from other clients behind the firewall. But when I ssh to the gateway from [EMAIL PROTECTED] with the -L 5903:vncserver:5903 option and forward from the gateway to the vncserver using another ssh -L ..., I am not able to connect to the vncserver at port 5903 on localhost. With a RealVNC viewer, I get an error like "channel 2 or 4: administratively prohibited" and with


You haven't said how you try to connect to your localhost on port 5903, but
I use localhost:1, localhost:2, localhost:3 etc.  Are you using the session
number ?

M



Thanks everyone for your responses. One thing that I was definitely doing wrong was that I was typing localhost:5903 instead of localhost:03. It's been a while since I have used VNC and I did get rusty!


About the ICMP filtering, here's an excerpt from the "stronger rc.firewall example - 2.4.x" from the Linux IP Masquerade website.


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT


By default ICMP traffic is disabled, and when I set up a firewall in our research lab about 3 years back, that's how I left it. Our research machines were open on the Internet when we got a series of nasty infiltration attempts. I could not figure out why someone would do that with research computers in the university system. Anyway, we had years of valuable research data on the machines that were being compromised, so I (having nothing to do with networking or administration) read about and set up this gateway/firewall. I was aware that disabling ICMP would keep outside machines wondering whatever happened to their traffic. But if that's what it takes to keep out some guy who runs a "find-all-live-hosts" discovery script (that's how most of the machines in our university system were hacked into), then we have to do it. Our tech guys really don't bother about research networks. But really, if there is a more effective mechanism to keep intruders from knowing whether a hack-candidate exists, I would be more than willing to do that.


-kp
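The display-number mix-up that resolved the question above, worked through as an added example (not code from anyone in this thread): VNC display N listens on TCP port 5900+N, and a viewer reads "host:N" as a display number and "host::PORT" as an explicit port, so "localhost:5903" asks for display 5903 rather than port 5903. The script below maps displays to ports and builds the forward through the gateway as a single OpenSSH ProxyJump command instead of two chained "ssh -L" hops. The host names "gateway" and "vncserver" and the user name "kp" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Host names and user name are assumed.

# VNC display N listens on TCP 5900+N.
vnc_port() {
    echo $((5900 + $1))
}

# Inverse mapping: read a port from a firewall rule back into a display number.
vnc_display() {
    echo $(($1 - 5900))
}

# One ssh invocation that forwards local port 5900+N, via the gateway, to the
# VNC server's own loopback port. -J (ProxyJump) is available in OpenSSH 7.3+.
# -N opens no remote shell; the tunnel lives as long as this ssh process does.
vnc_tunnel_cmd() {
    user=$1 gateway=$2 vncserver=$3 display=$4
    port=$(vnc_port "$display")
    echo "ssh -N -J ${user}@${gateway} -L ${port}:localhost:${port} ${user}@${vncserver}"
}

# What to type into the viewer once the tunnel is up: the display number,
# not the port (the port form would be "localhost::5903").
vnc_viewer_target() {
    echo "localhost:$1"
}

# Usage: print the tunnel command and the viewer target for display 3.
vnc_tunnel_cmd kp gateway vncserver 3
vnc_viewer_target 3
```

The "administratively prohibited" channel error is a separate matter from the display number: it is sshd on one of the hops refusing to open the forwarded channel, which is governed by AllowTcpForwarding and PermitOpen in that host's sshd_config, so checking those on the gateway and on the VNC host is the first step when the tunnel itself is refused.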
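On the ICMP question, an added example (not from the thread or from the IP Masquerade HOWTO) of an external-interface ICMP policy that still gives a host-discovery sweep nothing to see, without the side effects of dropping every ICMP packet: destination-unreachable (which carries the fragmentation-needed messages path-MTU discovery depends on) and time-exceeded are allowed in, echo requests are answered only from an assumed management network and only at a limited rate, and the rest is silently dropped. The interface name, address and network below are assumptions, and the rules are printed rather than applied unless DRY_RUN is cleared.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, address and network are assumed.

# Rules are only printed while DRY_RUN is non-empty, so the policy can be
# reviewed without root. Run with DRY_RUN= (empty) as root to apply it.
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

icmp_rules() {
    extif=$1        # external interface, e.g. eth0
    extip=$2        # its public address
    mgmt_net=$3     # network allowed to ping the gateway

    # ICMP errors that TCP needs: path-MTU discovery (a destination-unreachable
    # code) and traceroute/TTL replies. A blanket "drop all ICMP" loses these and
    # shows up as stalled transfers rather than as a security gain.
    ipt -A INPUT -i "$extif" -p icmp --icmp-type destination-unreachable -d "$extip" -j ACCEPT
    ipt -A INPUT -i "$extif" -p icmp --icmp-type time-exceeded -d "$extip" -j ACCEPT

    # Echo requests only from the management network, rate-limited, so a sweep
    # from anywhere else gets no reply and the gateway can still be pinged by
    # the people who run it.
    ipt -A INPUT -i "$extif" -p icmp --icmp-type echo-request -s "$mgmt_net" -d "$extip" \
        -m limit --limit 1/s --limit-burst 4 -j ACCEPT

    # Everything else: DROP, not REJECT, so the address is not confirmed live
    # by an error reply.
    ipt -A INPUT -i "$extif" -p icmp -d "$extip" -j DROP
}

# Number of rules the policy emits; a quick sanity check before applying.
icmp_rule_count() {
    icmp_rules "$@" | wc -l | tr -d ' '
}

# Usage: print the rule set for an assumed interface, address and network.
icmp_rules eth0 203.0.113.10 192.0.2.0/24
```

Two caveats worth keeping in mind with this approach: hiding from ping only defeats sweeps that rely on ICMP echo, and a scanner that probes TCP ports directly will still find a host that answers on them, so the real protection for the research machines is what the gateway lets through to them, not whether it answers pings; and the order of these rules matters, since they must come before any rule that drops ICMP wholesale in the INPUT chain.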


