[gameprogrammer] Re: TCP/IP Problem: NAT

On Fri, 2004-11-19 at 18:03, Chris Nystrom wrote:
> On Fri, 19 Nov 2004 14:02:05 -0600, Bob Pendleton <bob@xxxxxxxxxxxxx> wrote:
> > On Fri, 2004-11-19 at 12:47, Chris Nystrom wrote:
> > 
> > Hi Chris, how's it going?

Ehh, pretty good. My last class had a lot more students. Saw some really
creative projects.

> 
> Good. Thank you for asking. How are you doing?
>  
> > This problem has no solution. NAT is designed to hide all the boxes on
> > one side of the box behind a single IP address. The result is that they
> > cannot be addressed from the other side of the box.
> 
> I suppose that is good news. Knowing for sure that my problem has no
> solution saves me the time in trying to get it to work.
> 
> > NATs can be
> > configured to send requests for specific ports to specific machines
> > behind the NAT. That is handy for hiding servers behind a NAT and for
> > redirecting traffic to different servers. But, it is not a solution to
> > your problem.
> 
> You are right.
>  
> > OTOH, all the machines behind the NAT can address the rest of the world.
> > The solution to your problem is to have the client contact the server,
> > not the other way around.
> 
> Hmmm... I suppose I could do that.
> 
> > And no, X can't get around NAT either.
> 
> Hmmm... I am on the NAT machine and I SSH to a server, and then I type
> "xclock" and the xclock pops right up on the display of the original NAT
> machine. How does the xclock app running on the server know how to
> communicate back to the X server running on the NAT machine to display
> itself?
> 
> I assume this must be some ssh mojo? xclock knows nothing of ssh, right?
> So how does X know how to use the ssh mojo? More importantly, how can
> one set up one's own application to work the same way?

The ssh man page has a whole section on X11 and TCP/IP forwarding. Here
is the applicable section.

>    X11 and TCP forwarding
>      If the ForwardX11 variable is set to ``yes'' (or see the description of
>      the -X and -x options described later) and the user is using X11 (the
>      DISPLAY environment variable is set), the connection to the X11 display
>      is automatically forwarded to the remote side in such a way that any X11
>      programs started from the shell (or command) will go through the
>      encrypted channel, and the connection to the real X server will be made
>      from the local machine.  The user should not manually set DISPLAY.
>      Forwarding of X11 connections can be configured on the command line or
>      in configuration files.
> 
>      The DISPLAY value set by ssh will point to the server machine, but with a
>      display number greater than zero.  This is normal, and happens because
>      ssh creates a ``proxy'' X server on the server machine for forwarding the
>      connections over the encrypted channel.
> 
>      ssh will also automatically set up Xauthority data on the server machine.
>      For this purpose, it will generate a random authorization cookie, store
>      it in Xauthority on the server, and verify that any forwarded connections
>      carry this cookie and replace it by the real cookie when the connection
>      is opened.  The real authentication cookie is never sent to the server
>      machine (and no cookies are sent in the plain).
> 
>      If the ForwardAgent variable is set to ``yes'' (or see the description of
>      the -A and -a options described later) and the user is using an
>      authentication agent, the connection to the agent is automatically
>      forwarded to the remote side.
> 
>      Forwarding of arbitrary TCP/IP connections over the secure channel can be
>      specified either on the command line or in a configuration file.  One
>      possible application of TCP/IP forwarding is a secure connection to an
>      electronic purse; another is going through firewalls.

Essentially ssh lets you treat the ssh connection as a VPN link. Fun stuff.

                Bob Pendleton

> 
> Interestingly, the DISPLAY variable that ssh sets up is set to
> localhost...hmmm...a mystery.
> 
> Thanks,
> Chris
-- 
+--------------------------------------+
+ Bob Pendleton: writer and programmer +
+ email: Bob@xxxxxxxxxxxxx             +
+ blog:  www.Stonewolf.net             +
+ web:   www.GameProgrammer.com        +
+--------------------------------------+
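The "have the client contact the server" pattern Bob describes, as an added example that is not part of the original thread: the machine behind the NAT dials out, and the server then pushes data back over that same outbound connection, so nothing ever has to be addressed inbound through the NAT. Everything here is constructed and runs on localhost; the port number and message contents are assumptions for the demo.

```python
import socket
import threading

# Constructed demo: the "server" is the reachable side; the "client" stands in
# for the NAT'd box, which can only open outbound connections.
HOST = "127.0.0.1"


def start_rendezvous_server(messages):
    """Listen on an ephemeral port. When the NAT'd client dials in, push
    `messages` back to it over that same socket, then close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()   # the only inbound connection is on the server side
        with conn:
            for m in messages:
                conn.sendall(m.encode() + b"\n")
            conn.shutdown(socket.SHUT_WR)   # tell the client the stream is done
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def nat_client_collect(port):
    """Dial out from behind the NAT and collect whatever the server sends back.
    The NAT sees only an outbound connection, which it allows and tracks."""
    with socket.create_connection((HOST, port), timeout=5) as s:
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:        # server shut down its write side
                break
            buf += chunk
    return buf.decode().splitlines()


def demo():
    port = start_rendezvous_server(["hello from the server",
                                    "you reached me through the NAT"])
    return nat_client_collect(port)


if __name__ == "__main__":
    print(demo())
```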