"Connect to Server" behind router?

[squidz]

I've been trying to do away with FTPing back and forth from work to home, since I've been told leaving open FTP is a security risk. So, I can easily access my home G4 using "Connect to Server" and the IP.

However, my work setup is behind a Linksys router. I have been unsuccessful in "Connecting to Server" from home.

Q: Is there a certain port I must open or forward to this system?

[Phil St. Romain]

Yes, that would be great. I look forward to the responses, here, for that would mean that one could essentially do many FTP tasks from the Finder itself.

[zed]

You can open port 548 TCP on the firewall, but if the firewall is also doing NAT then you will need to forward that port to your Mac...

You should note that this is also not all that secure...

the most secure way it to use SSH/SCP to transfer the files around...

You can build an SSH tunnel to encapsulate the 548 port (afp) if you want the Finder interface..

To build the tunnel...

1. you'll need to allow SSH (port 22) thro the firewall to a system that supports the SSH system, eg a MacOSX system, just note it does not have to be the same system that you want to file transfer to/from..

now when your at home..
2. open terminal and type this:
ssh user@<IP of SSH system at office> -L 1200:<host you want AFP to>:548
Enter your passwd and the tunnel should be ready to use..

3. go to Finder and select connect to host..
4. enter afp://localhost:1200

5. Enter username/passwd as normal..

6 Done!

Any connection can be encoded like this allowing access through firewalls in a secure fashion..

*** NOTE: some macs do not resolve localhost correctly so you might have to us 127.0.0.1 instead for step 4.*****

for more reading check out:
man ssh

Cheers,

---Zed

[hschickel]

I may be wrong about this - but I believe I read somewhere (will try to find the cite) - that OSX.2.x does AFP through SSH.

To get this I believe that you need to uncheck the box to "Allow Clear Text Password" and check the box to "Allow Secure Connections with SSH". This should be done on both machines.

FWIW - nmap considers this connection highly secure.

Hugh

[squidz]

That is an interesting solution I may have to try out.

The main reasons I don't use SSH much are:

1. I'm a Unix/Terminal novice and fail at what I attempt frequently before figuring it out. Late at night, when I should be sleeping, I can't afford the time.

2. I do not know how to transfer whole directories or multiple files via SSH. I need to do frequently when working - web and print - with numerous interconnected materials.

Of course, I could plan ahead and put everthing on a Zip or CD before I head to the house...right. The beauty of broadband is that I can always grab stuff I forget or just decide I want at any given moment.

Timbuktu is a great solution I've used in the past. However, I have other places to spend money rather than multiple licensing of upgrades that work properly on OSX. Gotta love that Control feature though.

[Phil St. Romain]

A question in the same general area: can VNC be made to work behind a router? I have no trouble using it on our LAN, but what about for an internet IP address? I've tried using my own, but no dice.

[nick2588]

Quote: Originally posted by squidz That is an interesting solution I may have to try out.

AFP over SSH simply means that the AFP data will travel over the SSH port so that it can be compressed. It is transparent, and the operating system rereoutes connections and all that stuff. Basically: Don't worry about it, and just follow the simple solution below.

Just make the router foward port 548 to your Macintosh. That is all the need be done. Then go to the other machine and the connection will succeed from the "Connect to Server" menu option.

[nick2588]

Quote: Originally posted by Phil St. Romain A question in the same general area: can VNC be made to work behind a router? I have no trouble using it on our LAN, but what about for an internet IP address? I've tried using my own, but no dice.

Yep, just make sure port forwarding is in place. I've done it before - a while ago - so I can say that it does work, but I forgot what port(s) VNC uses.

[mervTormel]

dunno how accurate this is but it'll provide some hunting fodder...


5800 VNC
5801 VNC
5900 VNC
5901 VNC

http://www.iss.net/security_center/a...xploits/Ports/

[squidz]

Thanks nick2588!

the 548 forwarding worked like a charm.

Was the other poster correct that this method automatically runs over ssh or do I need to the the "tunnel" building too?

Y'all have simplified my file shuffling. Thanks again.

[squidz]

Does there happen to be a secondary port that can be used to access the other G4 behind my router... Or will I have to access my router interface to switch to the other computer?

[zed]

Quote: Originally posted by squidz Does there happen to be a secondary port that can be used to access the other G4 behind my router... Or will I have to access my router interface to switch to the other computer?

Well if you use the SSH tunnel method, then you can configure each Mac to SSH on different ports, and open the firewall for those ports...

Then hey presto all Macs can be accessed at the same time..just have to remember which port number for each mac...

If you have a linux/MacOSX box that everyone has a login on then you can allow SSH to this system and then tunnel as above this time only allow 22 thro the firewall and modifing the tunnel

ssh -L <localport>:host:<remoteport>

Cheers,
--Zed

[squidz]

ok, this does sound perfect ... now I have to go through your notations and decypher what you're really telling me, being the unix bozo that I am. I understand the concept, just sure on the mechanics yet. Are you saying I should not open 548 only 22?

I apologize in advance for my thick headedness on the subject.

Examples of my non-familiarity in this area :^(

Example:
"ssh user@<IP of SSH system at office> -L 1200:<host you want AFP to>:548"

I don't know what "host you want AFP to" should be. A local IP? 192.168.1.X?

Example"

"then you can configure each Mac to SSH on different ports, and open the firewall for those ports..."

What ports CAN I use? I don't even understand why you used "1200" in your tunnel method.


Example:
"ssh -L <localport>:host:<remoteport>"

What are "localport" "host" and "remoteport" suppose to be?

There are only two of us and we both have users on each G4, so maybe it's just explaination of this last example that I need spelled out for me... I'm the proverbial "knows enough to be dangerous" sort.

[zed]

I was going to write a detailed answer to this here but I needed a little more space and add graphics etc... so please check out this URL http://macosx.miraworld.tv

It's the first draft of the solution and if you have comments please let me know so I can improve it...

Cheers,

--Zed

[nick2588]

Quote: Originally posted by squidz Does there happen to be a secondary port that can be used to access the other G4 behind my router... Or will I have to access my router interface to switch to the other computer?

You could do this with one command, ipfw.

On "the other G4 behind my router", run this command ipfw add fwd localhost,548 tcp from any to any 549 via en0 (what this does is it allows AFP connections on port 549). Now go configure your router to forward port 549 to this other computer.

First computer will still be accessable using the "Connect to Server" menu using the URL afp://(External-IP-Address)/ and the second computer will now be accessable using "Connect to Server" at the URL afp://(External-IP-Address):549/.


Note: ipfw does not remember settings after a system restart/shutdown, so if you always want to be able to access you Mac vis port 549, you must somehow include the line above during the system startup, such as creating a seperate "ipfw" StartupItem.

[bmerlin]

Quote: Originally posted by squidz 1. I'm a Unix/Terminal novice and fail at what I attempt frequently before figuring it out. Late at night, when I should be sleeping, I can't afford the time. 2. I do not know how to transfer whole directories or multiple files via SSH. I need to do frequently when working - web and print - with numerous interconnected materials.

Fugu is a great GUI for SCP (Secure Copy). The SSH daemon in OS X handles this just fine. Fugu makes interacting with it much like WS_FTP for Windoze (local on the left, remote on the right). Get it at http://rsug.itd.umich.edu/software/fugu/. That way you don't have to worry about tunneling or any of that happy fun stuff.

[squidz]

Quote: Originally posted by nick2588 You could do this with one command, ipfw. On "the other G4 behind my router", run this command ipfw add fwd localhost,548 tcp from any to any 549 via en0 (what this does is it allows AFP connections on port 549). Now go configure your router to forward port 549 to this other computer.

Another interesting option. I'd just have to learn how to create a startup item for G4 number 2... :^\

[mclbruce]

Quote: Originally posted by squidz Another interesting option. I'd just have to learn how to create a startup item for G4 number 2... :^\

You may be able to get away with using sunShield to manage IPFW. It's a preference panel, no UNIX necessary.

http://homepage.mac.com/opalliere/shield_features.html

[Phil St. Romain]

Quote: Originally posted by squidz Thanks nick2588! the 548 forwarding worked like a charm.

I'm trying to follow and understand. Are you saying that if one does port forwarding for 548 to a Mac running OS X on a LAN, you can share files with that Mac over the Internet via the Finder/Connect to Server (afp://ipaddress). I haven't actually tried this so I can't confirm. If so, is it read-only, or is there the same functionality as on the LAN?

That would be wonderful--much better than FTP.

[Craig R. Arko]

You could use an application like Vapor to easily build an AFP (and other things) through SSH tunnel. Works quite well.