Firewall/NAT issues with X-Server w/ SSH forwarding
I've got a client who wants some help with some of their Unix boxes and although I've done some limited testing with SSH access to local Linux boxes, I'm hoping someone can help me with firewall and NAT issues (firewall at the client end; NAT between Internet and my LAN).
Besides the port 22 for SSH, is there more to it than that? When I run an X-Server against my Fedora and Red Hat boxes, I use XDMCP and that uses a number of ports, I believe. If I connect and use the X Forwarding setting on the SSH client then start xterm, it seems like the SSH stack is handling all the traffic (routing it to the right ports). I really need to be able to tell the client's IT folks what ports they need to open through the firewall for my IP address and so forth. And, if there's configuration I need to do on my NAT setup, I need to know what that would be.
(A side question, am I better off just using an XDMCP with an XDM authorization file? But that still leaves all the traffic after authentication/authorization open to snooping, right?)
The product I'm using is WinAxe+ which appears to do SSH forwarding on my local environment without too much fuss. Their web site and on-line help has some (to me at least!) pretty obscure stuff about how this is supposed to work (the info's all spread out and not in a cookbook form).
At any rate, here's some stuff that might apply:
You can set up ports that specifically take traffic coming from a local port and direct it to a given port on the remote machine (and vice-versa), but then it says things like this about a checkbox labeled X Forwarding:
"This check box specifies whether X11 connections will be automatically redirected over the secure channel. This feature allows X Window traffic between the X server and X client (forwarding X Window packets through the SSH session) to be encrypted."
Now, this seems to work (as far as I can tell for stuff inside my LAN)--I haven't got an entire GUI environment to start up in the X-Server, but that's another post.
In another place, I find this:
"enable the Use SSH Forwarding check box. In the SSH1/SSH2 mode, the "Dynamic Port Forwarding" feature of the Telnet_SSH/SSH1 or Telnet_SSH/SSH2 Client and XServer will automatically be used, so you need not set up any port forwarding manually."
So, maybe I don't need any forwarding? The SSH client on my local box and the SSH server on the other end are handling it for me...?
Anyone out there who knows anything about this mess?