Can I kindly prevail upon a knowledgeable person here to help me learn how to set this up while maintaining security?

Thank you!

a

Maybe this thread will help?
Looks similar to your situation.
https://discussions.apple.com/thread...art=0&tstart=0

Assuming this is your wireless network, this means that you have a router*, and there is no point in having both a router and a firewall - the router is actually better. So unless you are expecting to be hacked from inside your house you can turn the firewalls off.

* do all of your computer's IP addresses begin with 192.168?

May I interrupt for a more detailed explanation of this? I would have thought a secured router along with the built-in OS X firewall would be a good combination, and you seem to be saying that's not a better setup than a secured at-home router.

As I understand it, NaOH, the machines within a LAN are protected from fiddling by the router's network address translation (NAT) from the exposed router address to private addresses in the ranges: 10.0.0.0 - 10.255.255.255,
172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255 with the first and last of these being the most commonly used. These are not routable on the WAN whose routers will reject them. What that means is that these internal addresses cannot be reached except by the router and other machines inside the router. So how does stuff reach you? You initiate the transaction, say a URL of a web site and the router remembers that and redirects the response to the machine that originated the request. You can only get viruses, trojans, etc. but doing something to content that came to you as part of a request -- opening an attached file, running a javascript, etc. VNC, one way or another sets up a listening port on the router that is then passed to the machine that set it up. NAT is inherently safe because your machines are not "exposed" to the Internet.

Thanks, NovaScotian. Makes sense, especially since I was improperly interpreting "wireless network," which acme.mail.order said, as "wireless Internet connection."

Let me clarify my set up...I have a wireless router which also has 4 hard wire ethernet ports.

My Mac Pro Desktop is connected via Cat 5 cable to one of these ethernet ports.

The Mac BOOK Pro notebook hooks to the internet via wireless when I'm in the other room watching movies and wanting to operate the Mac Pro Desktop remotely.

If you already understood that, please never mind...

;-)

a

Assuming that you're using WPA2 for your wireless security, it doesn't really matter how the machines are connected to the router -- if they're inside it, they're safe except for things you do yourself (like run a downloaded java program, for example). This is not to say that your own apps can't be sending stuff "home" that you'd rather not share, but nothing can infect your machine unless you permit it.

I am using WPA2, but how do you mean "inside it?"

do you mean that the machines are inside of WPA2 protection?

Yep. The key item is this: your router should be the only connection to your service provider in your LAN so that every device within your system -- iPad, iPod Touch, Laptop or Desktop -- connects to the Internet through the router by wire or Wi-Fi, but not otherwise. This is true even if you have, for intense, two AirPorts. One should connect to the Internet and the other should be set up as a bridge.

yes, that describes how our computers get on the internet..

so, as that is the case, I can feel save about using remote management and screen sharing?
what about the warning against having port 5900 open ever?

I use ShareTool to connect to my iMac from my MBP when I'm outside my LAN (just Screen Sharing by itself when I'm inside via a local address -- I've set up my AirPort so both of my machines have fixed internal addresses). I don't know about Mac's remote management, but to do it in any way you need a server (normally running as a daemon) for it running on the machine to be reached and at least in ShareTool, it doesn't use port 5900. In your case, I don't know. If you want to use Screen Sharing by itself, then you do need to expose the host. I don't recommend that.

NAT (in your home router) stops connections that are initiated from outside of your local network from getting to computers that are inside your local network. So if you have NAT (which you do) and don't poke any holes in it, there's no easy way for someone with a VNC client outside of your local network from connecting to your VNC server listening on port 5900. Even when that someone with a VNC client outside of your local network is actually you, and you WANT to connect to the VNC server listening on port 5900.

To actually use VNC from outside your local network to connect to a computer inside your local network, you will have to open holes in the protection offered by NAT. Specifically, this is sometimes done by port forwarding connections to a specific port on the external interface of your router (say, port 5900 for VNC Display number 0) from your router to the computer that you have listening on that port.

That lets you, when you're outside of your LAN, connect via VNC to a computer inside your LAN. However it simultaneously lets anyone else connect to the VNC port on the computer inside of your LAN.

VNC is not a very secure connection, which is why forwarding port 5900 from your router to the computer running VNC server is kinda scary.

That all was general explanation. Now to your specifics...if I'm interpreting you correctly, both the VNC client and the VNC server machines are inside of the same local network. Is that right? It doesn't really matter if they connect over ethernet or WiFi, they're both connected to the same router and they're both inside of the network. So you don't need to set up port forwarding--and don't do it if you don't need to. As mentioned, VNC is insecure. So keep it inside the walled garden of your internal network, keep your wireless security good by using WPA2 on your WiFi so you can't be cracked by someone parked in front of your home or office, and you should (generally) be safe.

Trevor

Yes, that is absolutely right.


Roger that..don't need to..don't want to..won't.

I am using WPA2, a decent password, (I will probably make it tougher) and router firewall on. Now.."generally" safe...is this, providing that I am not careless, or assuming some genius hacker lookin for kicks doesn't put his or her sights on my Macs?

thank you!

a

Yeah, that's right. Make sure that you don't have "Remote Management" switched on for your router, too. If you have Port Forwarding set up in the router for some more secure protocol, like ssh, make sure that the computer that the port forwarding is pointed at has it's firewall on and has all good strong passwords.

Trevor