I do not think is possible to avoid the port forwarding part. Your router will stop the incoming packets and they will never reach the stunnel service listening for connections.
Sometimes, people uses th VNC client in listening mode, reversing who initiates the connection. In listening mode the server initiates the connection. however, this puts the firewall issue on the client side instead of the server.
--- jz jz@ellingtongeologic.com wrote:
Hello, expert:
I have a question. Can stunnel be used behind a router without the router forwarding the port number? Recently I found one VNC can work this way. Was wondering whether you can modify the config. file to make it work.
right now I set (serverside) the router forwarding port 8888 to the desktop, the stunnel on the desktop listening for port 8888 and forward this stream 8888 to VNC's 5955.
My purpose is to bypassing the router forwarding part.
Thanks for any input.
J
Thanks for the info. Turns out I caused my own problems. I added some features to stunnel that require ldap. That is what brought in the new openssl dependencies. I need to make a custom ldap library using the FIPS openssl libraries.
Thanks again. -Joe
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Luis Rodrigo Gallardo Cruz Sent: Thursday, April 10, 2008 5:32 PM To: stunnel-users@mirt.net Subject: Re: [stunnel-users] Linux FIPS compile libary question
On Thu, Apr 10, 2008 at 01:30:22PM -0400, Joe Kemp wrote:
I guess the question is what will the linker do
with a shared libssl
in /lib and a static one in
/usr/local/sslfips/lib. I ran the libtool
with a -v. It gave tons of output and only had
references to the
library in /usr/local/sslfips.
So I am going to assume I am seeing the
dependencies of other
libraries used by stunnel. For instance libldap
needs openssl and
uses the shared version. It's a little
nerve-wracking ensuring FIPS
compliance.
That sounds ... ugly. If your shared libraries can pull in a copy of libssl.so, you run the risk that some symbols might be resolved at run time against that copy, instead of against the static copy "inside" the executable. Unless you were to link with -Bsymbolic, which is an advanced option invented with no other purpose than to trip inocent students of c linkage.
For this kind of stuff, I'd advice you to compile an stunnel with as few external libraries as you can get away with, and relink *all* those libraries to use your static libssl. Even better, get static libraries for them all and link against that.
Is there a way to see just what the stunnel layer
depends on? Ldd -v
gave me more info but I am assuming it is still
showing all levels of
dependencies (stunnel's, libldap's, libsasl2,
etc.).
objdump -x /usr/bin/stunnel |grep NEEDED gives you the list of sonames embedded in the executable. ldd tells you how the dynamic linker will resolve them to actual .so files. _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
-- Internal Virus Database is out-of-date. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.22.5/1357 - Release Date: 4/3/2008 10:48 AM
BEGIN:VCARD
VERSION:2.1 N:zhang;jilin FN:jilin zhang NICKNAME:J ORG:Ellington & Associates TITLE:Geologist TEL;WORK;VOICE:7139562838 TEL;WORK;FAX:7139562840 ADR;WORK:;;1022 Wirt Road, Suite 312;Houston;Texas;77055;US LABEL;WORK;ENCODING=QUOTED-PRINTABLE:1022 Wirt Road, Suite 312 Houston Texas 77055 US URL:www.ellingtongeologic.com EMAIL;PREF;INTERNET:jz@ellingtongeologic.com X-WAB-GENDER:2 REV:20080417T113641Z END:VCARD
stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ