File NX-Firewall.txt of Package FreeNX

How to set up NX behind a firewall?

If you need to traverse a firewall when connecting to an NX or FreeNX
server, for initial login you need to connect to the SSH daemon on
that server. SSH by default runs on port 22 (but this may be changed
by the respective admin, or additional ports may have been added).

If your NX client supports a session option like 'Enable SSL
encryption for all traffic', and you use that, then you are done. The
NX session will only use that single port and direct all its other
traffic through that SSH channel. 'Enable SSL encryption of all
traffic' is the recommended way to run remote sessions through
firewalls.

If (for whatever reason) you cannot use that mode, you need to open
many more ports on the firewall. In addition to that loss of security,
your remote session will not be encrypted either. Details follow now.

First you have to know which kinds of ports and which port numbers are used.

NX uses only TCP ports. Each service uses a range of ports that starts at
its base port and has one port per configured session. This means:

default ports:
- 4000+ - NX proxy ports, you need these (main ports)

- 5000+ - NX sync service, these are optional

- 6000+ - NX agent ports, you need these, too (main ports)

- 7000+ - SMB share service, these are optional (you only need these
	ports if you want to use Samba shares over the NX connection)

- 8000+ - Media service, these are also optional (maybe you need them
	for using sound on the NX server, but I'm not really sure)

- 9000+ - Vfb ports, these are optional, but can accelerate X drawing
	functions a great deal (you should use these)

ports not belonging to NX:
- 22 - SSH, you need this one, because NX does its authentication over
	SSH

These are the base ports, but you also have to take the base display number
and the maximum reserved sessions into account. You can set them in the
config file (/etc/nxserver/node.conf). The default values are 1000 for the
base display number and 200 for the reserved sessions.

You can calculate the ports for the firewall with the following formula:

A range from (needed base port + base display number) to (needed base port +
base display number + maximum reserved sessions - 1). You also have to open
the SSH port (22).

examples for the default configuration (TCP ports):
- 22 (SSH)
- 5000 - 5199 (NX proxy)
- 7000 - 7199 (NX agent)
optional:
- 10000 - 10199 (Vfb, X acceleration)
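
The formula above as a shell script, added here as an example (it is not
part of the FreeNX package). The function names and the source network
192.0.2.0/24 are assumptions for illustration; the script only prints
iptables rules, limited to one trusted source because these ports carry
unencrypted traffic.

```shell
#!/bin/sh
# Added example (not from the FreeNX package). Function names are hypothetical.

# Base ports per service, as listed in this document.
nx_base_port() {
    case "$1" in
        proxy) echo 4000 ;; sync)  echo 5000 ;; agent) echo 6000 ;;
        smb)   echo 7000 ;; media) echo 8000 ;; vfb)   echo 9000 ;;
        *) echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# nx_port_range SERVICE DISPLAY_BASE SESSIONS  ->  prints "first:last"
nx_port_range() {
    base=$(nx_base_port "$1") || return 1
    for n in "$2" "$3"; do
        case "$n" in ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 1 ;; esac
    done
    [ "$3" -ge 1 ] || { echo "sessions must be at least 1" >&2; return 1; }
    first=$((base + $2))
    last=$((first + $3 - 1))
    [ "$last" -le 65535 ] || { echo "$1: port $last exceeds 65535" >&2; return 1; }
    echo "$first:$last"
}

# Service bases are 1000 apart: above 1000 sessions, one service's range
# runs into the next service's ports and "optional" ports get opened too.
nx_ranges_overlap() { [ "$1" -gt 1000 ]; }

# nx_firewall_rules SOURCE_CIDR DISPLAY_BASE SESSIONS SERVICE...
# Prints iptables rules; it does not apply them.
nx_firewall_rules() {
    src=$1; dbase=$2; sess=$3; shift 3
    if nx_ranges_overlap "$sess"; then
        echo "warning: $sess sessions makes service ranges overlap" >&2
    fi
    echo "iptables -A INPUT -p tcp -s $src --dport 22 -j ACCEPT"
    for svc in "$@"; do
        range=$(nx_port_range "$svc" "$dbase" "$sess") || return 1
        echo "iptables -A INPUT -p tcp -s $src --dport $range -j ACCEPT"
    done
}

# Default configuration, required services only, constructed source network.
nx_firewall_rules 192.0.2.0/24 1000 200 proxy agent
```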

Author:
  Kurt Pfeifle <pfeifle@kde.org>
  Wilken Gottwalt <wgottwalt@suse.de>