Tom Eastep wrote:
> Roberto C. Sánchez wrote:
>   
>> On Thu, Jan 31, 2008 at 10:22:21PM +0100, Krzysztof Lew wrote:
>>     
>>> Hi,
>>>
>>> I've 2 interfaces setup:
>>>
>>> gateway(x.y.z.233) <-> (x.y.z.234)[eth3] ROUTER [eth4](192.168.3.1) <-> LAN
>>>
>>> I've NAT running on router and also some routed IP address mappings to a few
>>> internal machines, e.g.:
>>> x.y.z.236 <--->192.168.3.236
>>> x.y.z.237<---->192.168.3.237
>>>
>>> Our client allows us to connect to his machine through Internet via VNC,
>>> but only from our ROUTER external IP x.y.z.234.
>>>
>>> But I want to have access from anywhere on the Internet.
>>>       
>
> Krzysztof: You realize that giving yourself that access goes against the
> expressed wishes of your client, do you not?
>
>   
This was actually quite surprising, any consultant of ours that 
attempted this would very quickly find themselves deep in the poo. Our 
legal department would be on his case within an hour of the discovery, 
and needless to say he would never be allowed to access our systems again.
>>> So I think I need to connect with VNC to my server, which should redirect
>>> this connection to my client machine.
>>> But I couldn't find a hint in the Shorewall documentation :(
>>> Can you please help me with a link, document, etc.?
>>>
>>>       
>> What you want to accomplish is completely orthogonal to Shorewall. 
>>     
>
> Although what Krzysztof asks _could_ be accomplished with Shorewall, the
> Shorewall-based solution would be open to all internet users. So Krzysztof
> would be subverting his own client's security measures; that's not the way
> to keep happy clients.
>
> The solution that Krzysztof implements (if he implements any at all) should
> require strong authentication of the VNC client user by the proxy.
>   
The only working solution that would provide what he needs, _and_ not 
violate his customer's requirements would be for him to connect to a PC 
within his own network, and then start a new connection from there to 
his client's machine.

Anything else could place his client in breach of any number of 
compliance codes, and could compel him to get a SAS-70 audit if SOX is 
involved.

T

