Shorewall users - Jun 2003 - Hummingbird Exceed

Hello ,
I installed Shorewall on a linux RedHat 8.0.
No problem , it works very well.
I have two interfaces:
eth0 : 193.95.47.194 , mask 255.255.255.192 gateway : 193.95.47.193
dns: 193.95.66.10
eth1 : 192.168.54.250 mask 255.255.255.0  (no gateway)

all computers in my local network have ip addresses 192.168.54.xx ,
gateway: 192.168.54.250 , dns:193.95.66.10
almost 100 local machines using microsoft windows (98,2000 and xp)

i have some unix and linux machines  on the net zone (ip address
:193.95.47.195-193.95.47.254) gw:193.95.47.193
(hpux, aix, sun , scolinux and redhat8.0 ).
My problem now , the local computers use Hummingbird Exceed to have the
xwindow.
i have no idea what to do to make xwindow working.
can you help me to resolve this problem , thanks a lot.

NB : (the internet provider will soon change my mask from
255.255.255.192 to 255.255.255.240
         that''s enough for me to put my servers on the net zone , i
will
put them in  the dmz zone later.)
Wahid Belhaouane

> -----Original Message-----
> From: Wahid Belhaouane
> Sent: Saturday, June 28, 2003 6:37 AM
> Subject: [Shorewall-users] Hummingbird Exceed
> 
> 
> Hello ,
> I installed Shorewall on a linux RedHat 8.0.
> No problem , it works very well.
> I have two interfaces:
> eth0 : 193.95.47.194 , mask 255.255.255.192 gateway : 193.95.47.193
> dns: 193.95.66.10
> eth1 : 192.168.54.250 mask 255.255.255.0  (no gateway)
> 
> all computers in my local network have ip addresses 192.168.54.xx ,
> gateway: 192.168.54.250 , dns:193.95.66.10
> almost 100 local machines using microsoft windows (98,2000 and xp)
> 
> i have some unix and linux machines  on the net zone (ip address
> :193.95.47.195-193.95.47.254) gw:193.95.47.193
> (hpux, aix, sun , scolinux and redhat8.0 ).
> My problem now , the local computers use Hummingbird Exceed 
> to have the
> xwindow.
> i have no idea what to do to make xwindow working.
> can you help me to resolve this problem , thanks a lot.
You have not mentioned how you are configuring Hummingbird (xdmcp or ssh
tunnel). I''m assuming XDMCP. With that in mind, the following rules are
what
I added to my firewall for X access from zones loc->dmz. (change dmz to net)

ACCEPT          loc             dmz             udp     xdmcp
ACCEPT          dmz             loc             tcp     6000:6009

Your situation is different since your accessing systems in the net zone
with public ip addresses. The ports will be the same, but you will probably
have to deal with DNAT issues for ports 6000:6009. i.e.

1) Hummingbird sends an XDMCP to a system in net zone. (masqueraded)
2) System in net zone starts an X session back to calling system. (firewalls
external IP)
3) Firewall needs to know which system to DNAT the session request (in step
2) to in the local zone.

The last step could get tricky if you have multiple systems in the local
zone accessing multiple servers in the net zone. If I were in your shoes, I
would configure Hummingbird to use an ssh tunnel until I moved these systems
to a DMZ zone.

Also, if your shorewall policy is set to ACCEPT for loc->net, then you
don''t
need the first rule.

Steve Cowles

On Sat, 2003-06-28 at 05:49, Cowles, Steve wrote:
> 
> The last step could get tricky if you have multiple systems in the local
> zone accessing multiple servers in the net zone.
That problem is actually unsolvable. Hummingbird is an X *server* --
hence as Steve points out, your *nix boxes will be attempting TCP
connections to these servers using the external IP address of your
firewall. Your firewall will have no clue as to which of the 100 Windoze
boxes to forward the request to.
> If I were in your shoes, I
> would configure Hummingbird to use an ssh tunnel until I moved these
systems
> to a DMZ zone.
That''s the only way to make it work.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net