The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   "Connect to Server" behind router? (http://hintsforums.macworld.com/showthread.php?t=9543)

squidz 02-19-2003 09:47 AM

"Connect to Server" behind router?
 
I've been trying to do away with FTPing back and forth from work to home, since I've been told leaving open FTP is a security risk. So, I can easily access my home G4 using "Connect to Server" and the IP.

However, my work setup is behind a Linksys router. I have been unsuccessful in "Connecting to Server" from home.

Q: Is there a certain port I must open or forward to this system?

Phil St. Romain 02-19-2003 10:09 AM

Re: "Connect to Server" behind router?
 
Yes, that would be great. I look forward to the responses, here, for that would mean that one could essentially do many FTP tasks from the Finder itself.

zed 02-19-2003 10:33 AM

You can open port 548 TCP on the firewall, but if the firewall is also doing NAT then you will need to forward that port to your Mac...

You should note that this is also not all that secure...

the most secure way is to use SSH/SCP to transfer the files around...

You can build an SSH tunnel to encapsulate the 548 port (afp) if you want the Finder interface..

To build the tunnel...

1. you'll need to allow SSH (port 22) through the firewall to a system that supports the SSH system, eg a MacOSX system, just note it does not have to be the same system that you want to file transfer to/from..

now when you're at home..
2. open terminal and type this:
ssh user@<IP of SSH system at office> -L 1200:<host you want AFP to>:548
Enter your passwd and the tunnel should be ready to use..

3. go to Finder and select connect to host..
4. enter afp://localhost:1200

5. Enter username/passwd as normal..

6. Done!

Any connection can be encoded like this allowing access through firewalls in a secure fashion..

*** NOTE: some macs do not resolve localhost correctly so you might have to use 127.0.0.1 instead for step 4.*****

for more reading check out:
man ssh

Cheers,

---Zed :cool:

hschickel 02-19-2003 06:28 PM

I may be wrong about this - but I believe I read somewhere (will try to find the cite) - that OSX.2.x does AFP through SSH.

To get this I believe that you need to uncheck the box to "Allow Clear Text Password" and check the box to "Allow Secure Connections with SSH". This should be done on both machines.

FWIW - nmap considers this connection highly secure.

Hugh

squidz 02-19-2003 06:32 PM

Interesting
 
That is an interesting solution I may have to try out.

The main reasons I don't use SSH much are:

1. I'm a Unix/Terminal novice and fail at what I attempt frequently before figuring it out. Late at night, when I should be sleeping, I can't afford the time.

2. I do not know how to transfer whole directories or multiple files via SSH. I need to do this frequently when working - web and print - with numerous interconnected materials.

Of course, I could plan ahead and put everything on a Zip or CD before I head to the house...right. The beauty of broadband is that I can always grab stuff I forget or just decide I want at any given moment.

Timbuktu is a great solution I've used in the past. However, I have other places to spend money rather than multiple licensing of upgrades that work properly on OSX. Gotta love that Control feature though.

Phil St. Romain 02-19-2003 07:46 PM

Re: Interesting
 
A question in the same general area: can VNC be made to work behind a router? I have no trouble using it on our LAN, but what about for an internet IP address? I've tried using my own, but no dice.

nick2588 02-19-2003 08:52 PM

Re: Interesting
 
Quote:

Originally posted by squidz
That is an interesting solution I may have to try out.
AFP over SSH simply means that the AFP data will travel over the SSH port so that it can be compressed. It is transparent, and the operating system reroutes connections and all that stuff. Basically: Don't worry about it, and just follow the simple solution below.

Just make the router forward port 548 to your Macintosh. That is all that need be done. Then go to the other machine and the connection will succeed from the "Connect to Server" menu option.

nick2588 02-19-2003 08:54 PM

Re: Re: Interesting
 
Quote:

Originally posted by Phil St. Romain
A question in the same general area: can VNC be made to work behind a router? I have no trouble using it on our LAN, but what about for an internet IP address? I've tried using my own, but no dice.
Yep, just make sure port forwarding is in place. I've done it before - a while ago - so I can say that it does work, but I forgot what port(s) VNC uses.

mervTormel 02-19-2003 09:28 PM

dunno how accurate this is but it'll provide some hunting fodder...


5800 VNC
5801 VNC
5900 VNC
5901 VNC

http://www.iss.net/security_center/a...xploits/Ports/

squidz 02-19-2003 11:08 PM

AFP over SSH
 
Thanks nick2588!

the 548 forwarding worked like a charm.

Was the other poster correct that this method automatically runs over ssh or do I need to do the "tunnel" building too?

Y'all have simplified my file shuffling. Thanks again.

squidz 02-20-2003 10:20 AM

One more question....
 
Does there happen to be a secondary port that can be used to access the other G4 behind my router... Or will I have to access my router interface to switch to the other computer?

zed 02-20-2003 10:26 AM

Re: One more question....
 
Quote:

Originally posted by squidz
Does there happen to be a secondary port that can be used to access the other G4 behind my router... Or will I have to access my router interface to switch to the other computer?
Well if you use the SSH tunnel method, then you can configure each Mac to SSH on different ports, and open the firewall for those ports...

Then hey presto all Macs can be accessed at the same time..just have to remember which port number for each mac...

If you have a linux/MacOSX box that everyone has a login on, then you can allow SSH to this system and then tunnel as above; this time only allow 22 through the firewall and modify the tunnel:

ssh -L <localport>:host:<remoteport>

Cheers,
--Zed :cool:

squidz 02-20-2003 11:07 AM

Cool
 
ok, this does sound perfect ... now I have to go through your notations and decipher what you're really telling me, being the unix bozo that I am. I understand the concept, just not sure on the mechanics yet. Are you saying I should not open 548, only 22?

I apologize in advance for my thick headedness on the subject.

Examples of my non-familiarity in this area :^(

Example:
"ssh user@<IP of SSH system at office> -L 1200:<host you want AFP to>:548"

I don't know what "host you want AFP to" should be. A local IP? 192.168.1.X?

Example:

"then you can configure each Mac to SSH on different ports, and open the firewall for those ports..."

What ports CAN I use? I don't even understand why you used "1200" in your tunnel method.


Example:
"ssh -L <localport>:host:<remoteport>"

What are "localport", "host" and "remoteport" supposed to be?

There are only two of us and we both have users on each G4, so maybe it's just explanation of this last example that I need spelled out for me... I'm the proverbial "knows enough to be dangerous" sort.

zed 02-20-2003 01:02 PM

I was going to write a detailed answer to this here but I needed a little more space and add graphics etc... so please check out this URL http://macosx.miraworld.tv

It's the first draft of the solution and if you have comments please let me know so I can improve it...

Cheers,

--Zed :cool:

nick2588 02-20-2003 10:44 PM

ipfw to the rescue!
 
Quote:

Originally posted by squidz
Does there happen to be a secondary port that can be used to access the other G4 behind my router... Or will I have to access my router interface to switch to the other computer?
You could do this with one command, ipfw.

On "the other G4 behind my router", run this command ipfw add fwd localhost,548 tcp from any to any 549 via en0 (what this does is it allows AFP connections on port 549). Now go configure your router to forward port 549 to this other computer.

First computer will still be accessible using the "Connect to Server" menu using the URL afp://(External-IP-Address)/ and the second computer will now be accessible using "Connect to Server" at the URL afp://(External-IP-Address):549/.


Note: ipfw does not remember settings after a system restart/shutdown, so if you always want to be able to access your Mac via port 549, you must somehow include the line above during the system startup, such as creating a separate "ipfw" StartupItem.
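Added example (not code from this thread or from any of its posters): a loopback model in Python of what both recipes above do at the TCP level, zed's `ssh -L 1200:host:548` listener and nick2588's `ipfw add fwd localhost,548 ... 549` redirect, namely accept on one port and relay to another. It leaves out the encryption that makes the ssh version worth using, so the thing to take from it is the bind address: a listener on 127.0.0.1 is usable only from the machine running it, while one on 0.0.0.0 (which is what the 549 redirect behind a port-forwarding router amounts to) is reachable by anything the router forwards there. The `_Echo` server standing in for AFP on 548 and the request bytes are constructed for the demo.

```python
import socket
import socketserver
import threading

def _pump(src, dst):
    """Copy src -> dst until src sends EOF, then pass that EOF on to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer went away; the pump in the other direction will notice too

class _Relay(socketserver.BaseRequestHandler):
    def handle(self):  # one accepted connection: dial the target, pump both ways
        try:
            upstream = socket.create_connection(self.server.target, timeout=10)
        except OSError:
            return  # target unreachable: the client just sees its connection drop
        t = threading.Thread(target=_pump, args=(self.request, upstream), daemon=True)
        t.start()
        _pump(upstream, self.request)
        t.join()
        upstream.close()

class _Echo(socketserver.BaseRequestHandler):
    def handle(self):  # constructed stand-in for the AFP server listening on 548
        _pump(self.request, self.request)

def start_listener(handler, host, port, target=None):
    """Threaded TCP listener; returns (server, bound_port). With _Relay this is
    the tunnel or redirect: host="127.0.0.1" models ssh -L 1200:host:548 (only
    this machine can use it); host="0.0.0.0" models the ipfw 549->548 redirect
    (open to anything the router forwards here, so the AFP login is the only guard)."""
    srv = socketserver.ThreadingTCPServer((host, port), handler)
    srv.daemon_threads, srv.target = True, target
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo():
    """afp://localhost:<port> -> loopback tunnel -> stand-in server, all on one host."""
    afp, afp_port = start_listener(_Echo, "127.0.0.1", 0)
    fwd, local_port = start_listener(_Relay, "127.0.0.1", 0, ("127.0.0.1", afp_port))
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(b"constructed AFP request")  # what the Finder would send
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    for srv in (fwd, afp):
        srv.shutdown(); srv.server_close()
    return reply
```

Port 0 asks the OS for a free ephemeral port, so the demo never collides with a real 548 or 1200 listener on the machine it runs on.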

bmerlin 02-20-2003 11:16 PM

Re: Interesting
 
Quote:

Originally posted by squidz
1. I'm a Unix/Terminal novice and fail at what I attempt frequently before figuring it out. Late at night, when I should be sleeping, I can't afford the time.

2. I do not know how to transfer whole directories or multiple files via SSH. I need to do frequently when working - web and print - with numerous interconnected materials.
Fugu is a great GUI for SCP (Secure Copy). The SSH daemon in OS X handles this just fine. Fugu makes interacting with it much like WS_FTP for Windoze (local on the left, remote on the right). Get it at http://rsug.itd.umich.edu/software/fugu/. That way you don't have to worry about tunneling or any of that happy fun stuff.

squidz 02-21-2003 12:05 AM

Re: ipfw to the rescue!
 
Quote:

Originally posted by nick2588
You could do this with one command, ipfw.

On "the other G4 behind my router", run this command ipfw add fwd localhost,548 tcp from any to any 549 via en0 (what this does is it allows AFP connections on port 549). Now go configure your router to forward port 549 to this other computer.
Another interesting option. I'd just have to learn how to create a startup item for G4 number 2... :^\

mclbruce 02-21-2003 03:51 AM

Re: Re: ipfw to the rescue!
 
Quote:

Originally posted by squidz
Another interesting option. I'd just have to learn how to create a startup item for G4 number 2... :^\
You may be able to get away with using sunShield to manage IPFW. It's a preference panel, no UNIX necessary.

http://homepage.mac.com/opalliere/shield_features.html

Phil St. Romain 02-21-2003 08:32 PM

Re: AFP over SSH
 
Quote:

Originally posted by squidz
Thanks nick2588!

the 548 forwarding worked like a charm.

I'm trying to follow and understand. Are you saying that if one does port forwarding for 548 to a Mac running OS X on a LAN, you can share files with that Mac over the Internet via the Finder/Connect to Server (afp://ipaddress). I haven't actually tried this so I can't confirm. If so, is it read-only, or is there the same functionality as on the LAN?

That would be wonderful--much better than FTP.

Craig R. Arko 02-21-2003 08:42 PM

AFP over SSH
 
You could use an application like Vapor to easily build an AFP (and other things) through SSH tunnel. Works quite well.

nick2588 02-21-2003 11:30 PM

Re: Re: AFP over SSH
 
Quote:

Originally posted by Phil St. Romain
I'm trying to follow and understand. Are you saying that if one does port forwarding for 548 to a Mac running OS X on a LAN, you can share files with that Mac over the Internet via the Finder/Connect to Server (afp://ipaddress)?
Yes, that is the point. The ONLY thing you have to do is adjust the firewall to forward port 548 to the Mac you want to access. :) Very easy, very cool!

True, it is definitely not super secure. The SSH solution is the way to go if you need security. But this way is easier, no UNIX required, and it works instantly. :)

Phil St. Romain 02-21-2003 11:49 PM

Re: Re: Re: AFP over SSH
 
That's marvelous. With the LAN-based Mac behind a router, that's a modicum of security, isn't it? How would anyone even know to go snooping for it, and they'd have to log in anyway.

-------

Merv, thanks for the VNC ports. Forwarding 5900 works great.

All very cool! :)

squidz 02-22-2003 03:53 PM

Great Stuff!
 
I appreciate all of the great information that has been submitted to this thread. It is very cool to learn about the ways folks have melded Unix and Mac OS X.

"Zed" was very helpful in personally coaching me through the terminal method of tunneling into my main G4 at work and onward into my second G4 at work. I've gained a much better understanding of how it works...though I'm still a poor SSH/Unix user.

The cool GUI based apps that have been mentioned to make that process more like other OS X operations are very interesting as well. I can see how the Unix/Linux community has latched on to Mac OS X and will be continually making it a new breed of operating system.

I'll be hangin' around these parts much more in hopes some of the knowledge continues to rub off on me.

Thanks all!
