Tunnels

We have a firewall between us and the internet, and between various so-called zones even inside the department. This document is about getting through that firewall to the services you want.

A tunnel and a VPN have a similar structure. You create a communication channel which crosses the firewall boundary and pump data through it. The channel is set up using authentication, so only certain people can do this, and is encrypted, so that what crosses the channel is protected.

At either end of the channel, the hosts have to figure out the routing of the network traffic, diverting it to and from local processes and the wider network as required. A VPN does this wholesale: all traffic from the client host goes into the channel, tunnels through the firewall inside that channel, is unpacked on the other side of the firewall, and is dropped onto that network as if it were truly local traffic.

Another method is to forward only certain connections, identified by TCP port number, through a firewall tunnel. ssh has a forwarding mechanism which moves network traffic from a port/host source to a port/host destination through an ssh session. We use this to map ports on localhost to machines and ports on the network inside the firewall, with an ssh session between localhost (typically outside the firewall) and any server running sshd inside the firewall (and reachable according to the firewall rules).

ssh command lines can get long, so the file ~/.ssh/config is useful. See man ssh_config(5). The general idea is:

    Host sherman
    HostName sherman.cs.miami.edu
    ForwardX11 yes
    Host sherman_tunnels
    HostName sherman.cs.miami.edu
    LocalForward 1080 sherman:1080
    LocalForward 8080 sherman:80
    LocalForward 25 sherman:25
    LocalForward 143 sherman:143
    LocalForward 515 172.20.0.102:515
    LocalForward 139 172.20.0.101:139
    LocalForward 16286 129.171.58.30:16286

Running ssh sherman looks for a sherman host entry in ~/.ssh/config and, finding these lines, sets up 7 tunnels. They are for SOCKS, HTTP, SMTP (mail), IMAP, printer and netbios-ssn, as well as a license server for Mathematica. Once the ssh connection is up, traffic to localhost port 143, for instance, ends up on sherman, port 143, where an imapd is listening, so my local mail client can fetch mail over IMAP from sherman simply by requesting it as if the imap process were running locally on port 143.
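As an added example (not from this page), the shell script below parses the stanzas above and reports, for a given alias, how many tunnels ssh will open and which of the local ports are privileged, since ports below 1024 (here 25, 143, 515 and 139) can only be bound by root. It assumes the constructed SSH_CONFIG_SAMPLE string stands in for ~/.ssh/config and looks up the LocalForward lines under the sherman_tunnels stanza, where the config above places them.

```shell
# Constructed copy of the config stanzas shown on this page; a real script
# would read ~/.ssh/config instead.
SSH_CONFIG_SAMPLE='Host sherman
HostName sherman.cs.miami.edu
ForwardX11 yes
Host sherman_tunnels
HostName sherman.cs.miami.edu
LocalForward 1080 sherman:1080
LocalForward 8080 sherman:80
LocalForward 25 sherman:25
LocalForward 143 sherman:143
LocalForward 515 172.20.0.102:515
LocalForward 139 172.20.0.101:139
LocalForward 16286 129.171.58.30:16286'

# list_forwards ALIAS: read config text on stdin and print one line per
# LocalForward under the matching Host stanza: "local_port remote_host remote_port".
# An optional [bind_address:] prefix on the local side is stripped; without a
# bind_address ssh listens on the loopback address only.
list_forwards() {
    awk -v want="$1" '
        $1 == "Host" { cur = $2; next }
        $1 == "LocalForward" && cur == want {
            lp = $2; sub(/^.*:/, "", lp)
            n = split($3, dst, ":")
            print lp, dst[1], dst[n]
        }'
}

# count_forwards ALIAS: how many tunnels ssh will try to open for the alias.
count_forwards() {
    printf '%s\n' "$SSH_CONFIG_SAMPLE" | list_forwards "$1" | wc -l | tr -d ' '
}

# privileged_forwards ALIAS: local ports below 1024. Only root can bind these;
# as an ordinary user ssh reports the failed bind and keeps the session (and
# the other forwards) going unless ExitOnForwardFailure yes is set.
privileged_forwards() {
    printf '%s\n' "$SSH_CONFIG_SAMPLE" | list_forwards "$1" | awk '$1 + 0 < 1024 { print $1 }'
}

# Example run against the stanza that carries the tunnels.
printf '%s tunnels under sherman_tunnels\n' "$(count_forwards sherman_tunnels)"
printf 'privileged local ports: %s\n' "$(privileged_forwards sherman_tunnels | tr '\n' ' ')"
```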

Similarly, once the tunnel is in effect, printing is done with the standard Unix network printing protocols to the seemingly local network printer at localhost (127.0.0.1).

Similarly, Windows NT directories can be mounted by redirecting requests locally. Here is the command that works for me on OS X:

    mount_smbfs -I 127.0.0.1 //docserver/burt ~/docserver

Rid yourself of this with umount ~/docserver. It takes time for the icon to show up on the desktop, and I haven't got Eject to work through the GUI once it does. In fact, it stalls the desktop big time. A reboot is required to clear it.

It should also be possible to do Finder->Go->Connect and specify smb://127.0.0.1, but this isn't being friendly at this time.