Re: pf + vnc problem
At 07:28 AM 06/13/2003 +0200, johansz@free.fr wrote:
>Thanks Dirk...
>... but even with this flag I can't get rdr to work ...
>I think I'll become mad :p
>I remember I had a strange problem like that with an old network card.
>I think I will change it and see ...
>
I'm willing to bet that changing the network card probably won't fix it.
Couple of suggestions:
1. Strip that ruleset down to the BARE essentials, and build it back in,
line by line until something breaks. Get rid of 15,16,17 for now. This
includes scrub. Your ruleset seems massively complex for what it needs to
be. I don't think you need half the rules that are defined there.
2. Are you trying to test the rdr from *inside* the network? That wasn't
too clear. It probably won't work that way anyway, so you should be
testing this from outside the network.
3. Rule @3 should probably be "pass out" instead of pass in.
4. @13 and @14 are negated by @20 and @21. You either need to change the
rule-flow, or add quick. If I'm parsing that correctly, state will NOT be
kept, and that may be what's messing you up.
5. I highly recommend using SSH-tunneling *with compression* for moving
VNC traffic across the public internet. For one, after auth, all
keystrokes and screen updates are in the clear. Two, the compression
MASSIVELY improves standard VNC performance (Obviously not if you're using
tightvnc's zlib compression) across a slow ADSL uplink. Three, you don't
have to use a redirect anymore.
Signing off,
--
Joseph C. Bender
jcbender at benderhome dot net
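Added example, not part of the original thread: a minimal pf.conf sketch of points 3 and 4 above. Interface macros, the 192.168.1.10 VNC host and the gateway hostname are assumed placeholders, since the poster's ruleset is not reproduced here; syntax follows the pf of that era (last matching rule wins unless "quick" is set, and rdr translation happens before filtering, so filter rules must match the translated address).

```pf
# --- constructed example, not the original poster's ruleset ---
ext_if = "ne0"
int_if = "rl0"
vnc_host = "192.168.1.10"

scrub in all

# Redirect VNC (display :0, TCP 5900) arriving on the external interface.
rdr on $ext_if proto tcp from any to ($ext_if) port 5900 -> $vnc_host port 5900

# Default deny. Without "quick" on the pass rules below, a later
# "block in" would be the last match and silently override them
# (point 4: "negated by @20 and @21 ... add quick").
block in log all
block out log all

# Filter on the POST-translation destination, keep state so replies and
# the outbound leg on $int_if need no separate rules (point 4: "state will
# NOT be kept").
pass in quick on $ext_if proto tcp from any to $vnc_host port 5900 \
    flags S/SA keep state
# Traffic leaving toward the LAN is "pass out", not "pass in" (point 3).
pass out quick on $int_if proto tcp from any to $vnc_host port 5900 \
    flags S/SA keep state

# Point 5, the alternative that needs no rdr at all: from the client,
#   ssh -C -L 5901:192.168.1.10:5900 user@gateway.example
# then point the VNC viewer at localhost:1; only TCP 22 needs to be open.
```

Test a change with "pfctl -nf /etc/pf.conf" before loading it, and check that the rdr entry and the state appear with "pfctl -s nat" and "pfctl -s state" when connecting from outside, as point 2 advises.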