The macosxhints Forums > OS X Help Requests > Networking



Old 04-04-2012, 08:51 PM   #21
acme
MVP
 
Join Date: Jan 2009
Posts: 2,074
Quote:
Originally Posted by DeltaMac
Sure, but you would also find out if that's stopping your screen sharing (or makes no difference)
Could be that you have your firewall settings too restrictive.
If turning off your firewall helps, then someone here can likely help you set that up, so you are still protected, but you can work the way you want....

Can I kindly prevail upon a knowledgeable person here to help me learn how to set this up while maintaining security?

Thank you!

a
Old 04-04-2012, 09:04 PM   #22
DeltaMac
League Commissioner
 
Join Date: Jan 2002
Posts: 8,522
Maybe this thread will help?
Looks similar to your situation.
https://discussions.apple.com/thread...art=0&tstart=0
Old 04-04-2012, 11:28 PM   #23
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,334
Quote:
Originally Posted by acme
At home, I'll be using our wireless network

Assuming this is your wireless network, this means that you have a router*, and there is no point in having both a router and a firewall - the router is actually better. So unless you are expecting to be hacked from inside your house you can turn the firewalls off.

* do all of your computer's IP addresses begin with 192.168?
Old 04-05-2012, 12:16 AM   #24
NaOH
Hall of Famer
 
Join Date: Dec 2007
Posts: 3,844
Quote:
Originally Posted by acme.mail.order
Assuming this is your wireless network, this means that you have a router*, and there is no point in having both a router and a firewall - the router is actually better.

May I interrupt for a more detailed explanation of this? I would have thought a secured router along with the built-in OS X firewall would be a good combination, and you seem to be saying that's not a better setup than a secured at-home router.
Old 04-05-2012, 11:05 AM   #25
NovaScotian
League Commissioner
 
Join Date: Oct 2002
Location: Halifax, Canada
Posts: 5,152
Quote:
Originally Posted by NaOH
May I interrupt for a more detailed explanation of this? I would have thought a secured router along with the built-in OS X firewall would be a good combination, and you seem to be saying that's not a better setup than a secured at-home router.

As I understand it, NaOH, the machines within a LAN are protected from fiddling by the router's network address translation (NAT) from the exposed router address to private addresses in the ranges 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255, with the first and last of these being the most commonly used. These are not routable on the WAN, whose routers will reject them. What that means is that these internal addresses cannot be reached except by the router and other machines inside the router. So how does stuff reach you? You initiate the transaction, say a URL of a web site, and the router remembers that and redirects the response to the machine that originated the request. You can only get viruses, trojans, etc. by doing something to content that came to you as part of a request -- opening an attached file, running a javascript, etc. VNC, one way or another, sets up a listening port on the router that is then passed to the machine that set it up. NAT is inherently safe because your machines are not "exposed" to the Internet.
__________________
17" MBP, OS X; 27" iMac, both OS X 10.10.x (latest)
Old 04-05-2012, 01:04 PM   #26
NaOH
Hall of Famer
 
Join Date: Dec 2007
Posts: 3,844
Thanks, NovaScotian. Makes sense, especially since I was improperly interpreting "wireless network," which acme.mail.order said, as "wireless Internet connection."
Old 04-05-2012, 01:19 PM   #27
acme
MVP
 
Join Date: Jan 2009
Posts: 2,074
Let me clarify my set up...I have a wireless router which also has 4 hard wire ethernet ports.

My Mac Pro Desktop is connected via Cat 5 cable to one of these ethernet ports.

The Mac BOOK Pro notebook hooks to the internet via wireless when I'm in the other room watching movies and wanting to operate the Mac Pro Desktop remotely.

If you already understood that, please never mind...

;-)

a
Old 04-05-2012, 01:34 PM   #28
NovaScotian
League Commissioner
 
Join Date: Oct 2002
Location: Halifax, Canada
Posts: 5,152
Quote:
Originally Posted by acme
Let me clarify my set up...I have a wireless router which also has 4 hard wire ethernet ports.

My Mac Pro Desktop is connected via Cat 5 cable to one of these ethernet ports.

The Mac BOOK Pro notebook hooks to the internet via wireless when I'm in the other room watching movies and wanting to operate the Mac Pro Desktop remotely.

If you already understood that, please never mind...

;-)

a

Assuming that you're using WPA2 for your wireless security, it doesn't really matter how the machines are connected to the router -- if they're inside it, they're safe except for things you do yourself (like run a downloaded java program, for example). This is not to say that your own apps can't be sending stuff "home" that you'd rather not share, but nothing can infect your machine unless you permit it.
__________________
17" MBP, OS X; 27" iMac, both OS X 10.10.x (latest)
Old 04-05-2012, 01:36 PM   #29
acme
MVP
 
Join Date: Jan 2009
Posts: 2,074
I am using WPA2, but how do you mean "inside it?"

do you mean that the machines are inside of WPA2 protection?
Old 04-05-2012, 01:53 PM   #30
NovaScotian
League Commissioner
 
Join Date: Oct 2002
Location: Halifax, Canada
Posts: 5,152
Quote:
Originally Posted by acme
I am using WPA2, but how do you mean "inside it?"

do you mean that the machines are inside of WPA2 protection?

Yep. The key item is this: your router should be the only connection to your service provider in your LAN, so that every device within your system -- iPad, iPod Touch, Laptop or Desktop -- connects to the Internet through the router by wire or Wi-Fi, but not otherwise. This is true even if you have, for instance, two AirPorts. One should connect to the Internet and the other should be set up as a bridge.
__________________
17" MBP, OS X; 27" iMac, both OS X 10.10.x (latest)

Last edited by NovaScotian; 04-05-2012 at 02:04 PM.
Old 04-05-2012, 01:58 PM   #31
acme
MVP
 
Join Date: Jan 2009
Posts: 2,074
yes, that describes how our computers get on the internet..

so, as that is the case, I can feel safe about using remote management and screen sharing?
what about the warning against having port 5900 open ever?
Old 04-05-2012, 02:12 PM   #32
NovaScotian
League Commissioner
 
Join Date: Oct 2002
Location: Halifax, Canada
Posts: 5,152
Quote:
Originally Posted by acme
yes, that describes how our computers get on the internet..

so, as that is the case, I can feel safe about using remote management and screen sharing?
what about the warning against having port 5900 open ever?

I use ShareTool to connect to my iMac from my MBP when I'm outside my LAN (just Screen Sharing by itself when I'm inside via a local address -- I've set up my AirPort so both of my machines have fixed internal addresses). I don't know about Mac's remote management, but to do it in any way you need a server (normally running as a daemon) for it running on the machine to be reached and at least in ShareTool, it doesn't use port 5900. In your case, I don't know. If you want to use Screen Sharing by itself, then you do need to expose the host. I don't recommend that.
__________________
17" MBP, OS X; 27" iMac, both OS X 10.10.x (latest)

Last edited by NovaScotian; 04-05-2012 at 02:14 PM.
Old 04-05-2012, 03:26 PM   #33
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,845
Quote:
Originally Posted by acme
so, as that is the case, I can feel safe about using remote management and screen sharing?
what about the warning against having port 5900 open ever?

NAT (in your home router) stops connections that are initiated from outside of your local network from getting to computers that are inside your local network. So if you have NAT (which you do) and don't poke any holes in it, there's no easy way for someone with a VNC client outside of your local network to connect to your VNC server listening on port 5900. Even when that someone with a VNC client outside of your local network is actually you, and you WANT to connect to the VNC server listening on port 5900.

To actually use VNC from outside your local network to connect to a computer inside your local network, you will have to open holes in the protection offered by NAT. Specifically, this is sometimes done by port forwarding connections to a specific port on the external interface of your router (say, port 5900 for VNC Display number 0) from your router to the computer that you have listening on that port.

That lets you, when you're outside of your LAN, connect via VNC to a computer inside your LAN. However it simultaneously lets anyone else connect to the VNC port on the computer inside of your LAN.

VNC is not a very secure connection, which is why forwarding port 5900 from your router to the computer running VNC server is kinda scary.

That all was general explanation. Now to your specifics...if I'm interpreting you correctly, both the VNC client and the VNC server machines are inside of the same local network. Is that right? It doesn't really matter if they connect over ethernet or WiFi, they're both connected to the same router and they're both inside of the network. So you don't need to set up port forwarding--and don't do it if you don't need to. As mentioned, VNC is insecure. So keep it inside the walled garden of your internal network, keep your wireless security good by using WPA2 on your WiFi so you can't be cracked by someone parked in front of your home or office, and you should (generally) be safe.

Trevor
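The NAT behaviour NovaScotian (post #25) and trevor (post #33) describe, as an added example that is not part of the thread: a small Python model of a home router's connection tracking. An outbound request creates a mapping so the reply gets back to the originating machine, an unsolicited probe of port 5900 from the Internet is dropped, and an owner-added port forward lets the owner in and, in the same stroke, lets the stranger in. The addresses, the 192.168.1.0/24 LAN and the `NatRouter`/`Packet` names are all constructed for illustration; the RFC 1918 ranges are the three listed in post #25.

```python
import ipaddress
from dataclasses import dataclass, field

# The three RFC 1918 private ranges listed above; routers on the WAN will not carry them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VNC_PORT = 5900


def is_rfc1918(ip: str) -> bool:
    """True if ip is in a private range (the 'does it begin with 192.168?' check, generalised)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Hypothetical home router: one public address, a private LAN, a NAT table."""
    wan_ip: str                                   # the single public address from the ISP
    lan_net: str = "192.168.1.0/24"               # constructed LAN behind the router
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port), set by the owner
    table: dict = field(default_factory=dict)     # wan_port -> (lan_ip, lan_port, (remote_ip, remote_port))
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host starts a connection; the router rewrites the source and remembers who asked."""
        assert ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.lan_net)
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (pkt.src_ip, pkt.src_port, (pkt.dst_ip, pkt.dst_port))
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """A packet arrives on the WAN side; return the LAN packet delivered, or None if dropped."""
        # 1. Reply to a connection a LAN host initiated: translate it back to that host.
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2] == (pkt.src_ip, pkt.src_port):
            lan_ip, lan_port, _ = entry
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # 2. Port forward configured by the owner: anyone on the Internet gets through.
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # 3. Unsolicited and not forwarded: the packet goes nowhere.
        return None


def scenario() -> dict:
    """Walk through the cases discussed in the thread; all addresses are constructed."""
    router = NatRouter(wan_ip="203.0.113.7")
    desktop, laptop = "192.168.1.10", "192.168.1.20"
    website, stranger = "198.51.100.80", "198.51.100.99"

    # Desktop fetches a web page: a mapping is created, so the reply finds its way back.
    out = router.outbound(Packet(desktop, 51000, website, 80))
    reply = router.inbound(Packet(website, 80, router.wan_ip, out.src_port))

    # Stranger scans the public address for VNC: no mapping, no forward, dropped.
    probe_before = router.inbound(Packet(stranger, 4444, router.wan_ip, VNC_PORT))

    # Owner forwards 5900 to reach the desktop from outside ...
    router.forwards[VNC_PORT] = (desktop, VNC_PORT)
    owner = router.inbound(Packet("192.0.2.50", 5555, router.wan_ip, VNC_PORT))
    # ... and the very same scan now lands on the desktop's VNC server too.
    probe_after = router.inbound(Packet(stranger, 4444, router.wan_ip, VNC_PORT))

    return {
        "same_lan": is_rfc1918(desktop) and is_rfc1918(laptop),  # laptop -> desktop never crosses NAT
        "reply_delivered_to": (reply.dst_ip, reply.dst_port),
        "probe_before_forward": probe_before,
        "owner_after_forward": (owner.dst_ip, owner.dst_port),
        "probe_after_forward": (probe_after.dst_ip, probe_after.dst_port),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of the last two results is the one trevor makes: a port forward is not a door with your name on it. NAT does not distinguish the owner's laptop at a cafe from a scanner, so once 5900 is forwarded, VNC's own authentication is the only thing left in the way.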
Old 04-05-2012, 11:17 PM   #34
acme
MVP
 
Join Date: Jan 2009
Posts: 2,074
Quote:
Originally Posted by trevor
That all was general explanation. Now to your specifics...if I'm interpreting you correctly, both the VNC client and the VNC server machines are inside of the same local network. Is that right?

Yes, that is absolutely right.


Quote:
It doesn't really matter if they connect over ethernet or WiFi, they're both connected to the same router and they're both inside of the network. So you don't need to set up port forwarding--and don't do it if you don't need to.

Roger that..don't need to..don't want to..won't.

Quote:
As mentioned, VNC is insecure. So keep it inside the walled garden of your internal network, keep your wireless security good by using WPA2 on your WiFi so you can't be cracked by someone parked in front of your home or office, and you should (generally) be safe.

I am using WPA2, a decent password, (I will probably make it tougher) and router firewall on. Now.."generally" safe...is this, providing that I am not careless, or assuming some genius hacker lookin for kicks doesn't put his or her sights on my Macs?

thank you!

a
Old 04-06-2012, 10:05 AM   #35
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,845
Quote:
Originally Posted by acme
I am using WPA2, a decent password, (I will probably make it tougher) and router firewall on. Now.."generally" safe...is this, providing that I am not careless, or assuming some genius hacker lookin for kicks doesn't put his or her sights on my Macs?

Yeah, that's right. Make sure that you don't have "Remote Management" switched on for your router, too. If you have Port Forwarding set up in the router for some more secure protocol, like ssh, make sure that the computer that the port forwarding is pointed at has its firewall on and has all good strong passwords.

Trevor
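NovaScotian (post #32) points out that any remote access needs a server listening on the machine to be reached, and trevor (post #35) adds that a forwarded port is only as safe as the host behind it. An added example, not from the thread, of the check a practitioner would run on the Mac before and after touching the router: parse the output of `lsof -nP -iTCP -sTCP:LISTEN` (a real lsof invocation) and classify each listener by who can reach it. The sample output below is constructed, not captured from a real machine; the `forwarded_ports` argument stands in for whatever port-forwarding rules exist in the router, and the 5900 / 22 / 3283 service labels are the well-known assignments for VNC, ssh and Apple Remote Desktop.

```python
import re

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` on a Mac with Screen Sharing
# and Remote Login enabled. Not captured from a real machine.
SAMPLE_LSOF = """\
COMMAND          PID  USER            FD   TYPE DEVICE SIZE/OFF NODE NAME
screensharingd   312  root             4u  IPv4 0x1a2b      0t0  TCP *:5900 (LISTEN)
screensharingd   312  root             5u  IPv6 0x1a2c      0t0  TCP *:5900 (LISTEN)
launchd            1  root            12u  IPv4 0x1a2d      0t0  TCP *:22 (LISTEN)
mDNSResponder    101  _mdnsresponder   7u  IPv4 0x1a2e      0t0  TCP 127.0.0.1:5354 (LISTEN)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME is "addr:port (LISTEN)".
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)"
)

# Ports the thread is concerned with; anything else is reported as "unknown".
SERVICES = {5900: "VNC / Screen Sharing", 22: "ssh (Remote Login)", 3283: "Apple Remote Desktop"}
# Bind addresses that mean "every interface", i.e. reachable from the LAN, not just this Mac.
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


def parse_listeners(lsof_text: str) -> list:
    """Return (command, pid, bind_address, port) for every LISTEN line; header lines are skipped."""
    rows = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append((m["cmd"], int(m["pid"]), m["addr"], int(m["port"])))
    return rows


def audit(lsof_text: str, forwarded_ports=()) -> list:
    """Classify each listener by who can reach it, given the ports the router forwards."""
    findings = []
    for cmd, pid, addr, port in parse_listeners(lsof_text):
        on_all_interfaces = addr in WILDCARDS
        if on_all_interfaces and port in forwarded_ports:
            reach = "INTERNET"   # the hole in NAT: anyone can connect, not just you
        elif on_all_interfaces:
            reach = "LAN"        # anything that joins the Wi-Fi or plugs into the router
        else:
            reach = "LOCAL"      # loopback only; only reachable through an ssh tunnel or from this Mac
        findings.append({
            "cmd": cmd, "pid": pid, "bind": addr, "port": port,
            "service": SERVICES.get(port, "unknown"), "reach": reach,
        })
    return findings


def vnc_exposed(findings: list) -> bool:
    """True if a VNC listener is reachable from the Internet; that is the setup to avoid."""
    return any(f["port"] == 5900 and f["reach"] == "INTERNET" for f in findings)


if __name__ == "__main__":
    # Run against the constructed sample with no forwards, then with 5900 forwarded.
    for label, forwards in (("no port forwards", ()), ("5900 forwarded", (5900,))):
        print(f"--- {label} ---")
        for f in audit(SAMPLE_LSOF, forwards):
            print(f"{f['reach']:8} {f['bind']}:{f['port']}  {f['cmd']} ({f['service']})")
        print("VNC exposed to the Internet:", vnc_exposed(audit(SAMPLE_LSOF, forwards)))
```

On a real machine, feed it the live output with `lsof -nP -iTCP -sTCP:LISTEN` and the port list from the router's forwarding page. The "LAN" rows are what acme's setup relies on: reachable from the laptop on the same router, unreachable from outside as long as no forward exists. Checking the macOS application firewall state alongside this, with `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`, covers the other half of trevor's advice.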
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.