After using OSXvnc for a while, I installed the Apple Remote Desktop client 2.1 because I have two screens. Chicken of the VNC connecting to ARD works great (though slowly) as long as I do not choose 8-bit mode and remember to send a password. That is not the problem. The problem is that I had OSXvnc working over ssh, but ARD added a firewall entry for itself that opens ports 5900 and 3283 every time I start it. This was a general problem for me: I did not like how enabling a service would open ports for it in the firewall, since I forward everything I can over ssh. In 10.3, I had a startup item that configured ipfw itself, but you are supposed to use launchd in 10.4. So I decided to figure out how to keep ports from being opened automatically when I start a service.
[kirkmc adds: I had a bit of a problem testing this hint (well, at least verifying the steps; I didn't fully test it). The author mentions expanding "udpport" in the plist file in Property List Editor, but I didn't find that key. I tried activating ARD VNC access, and setting a user and password, but the key still didn't show up.
By iChat, I asked Rob if he had it, and indeed he does. I don't know why there is a difference, so if you don't see it, well, I don't know what to suggest. Since this ARD access is a system function - you don't need to have a copy of ARD installed - there's no reason why one Tiger system would have it and another wouldn't.]
In Terminal, type:
sudo open /Library/Preferences/com.apple.sharing.firewall.plist
Expand "Root", expand "firewall", expand "Apple Remote Desktop", expand "port", highlight 5900 and click the "Delete" button at the top of the window, then highlight 3283 and click the Delete button again. Now expand "udpport" and delete both 5900 and 3283 there in the same manner. Now save, then quit Property List Editor.
The services themselves still listen on their ports after the change; only the firewall entries are gone:
% lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ARDAgent 196 mzs 15u IPv4 0x2628750 0t0 UDP *:net-assistant
AppleVNCS 197 mzs 22u IPv4 0x2de9228 0t0 TCP *:5900 (LISTEN)
At first I changed "editable" from 0 to 1 in the plist; that allowed me to toggle the entry on and off in the Firewall tab of the Sharing pane in System Preferences. The problem was that every time I went to the Sharing pane, the Firewall entries that go along with any enabled service were automatically reset! That is why I had to remove the ports from the lists instead. You can verify whether the ports get opened or not in Terminal by typing sudo ipfw list | grep -E '(5900|3283)' and seeing if any allow rules for those ports are listed (grep needs -E for the alternation to work).
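The Property List Editor steps above, automated with Python's plistlib as an added example (not code from the original hint). It assumes the file is an XML plist laid out as the hint describes (firewall -> "Apple Remote Desktop" -> port / udpport) with port numbers stored as strings; the sample plist below is constructed, not copied from a real system.

```python
"""Remove a service's ports from a com.apple.sharing.firewall.plist-style file."""
import plistlib
from typing import Iterable

# Constructed sample mirroring the layout the hint describes:
# firewall -> "Apple Remote Desktop" -> port / udpport (values assumed to be strings).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>firewall</key>
  <dict>
    <key>Apple Remote Desktop</key>
    <dict>
      <key>editable</key><integer>0</integer>
      <key>port</key><array><string>5900</string><string>3283</string></array>
      <key>udpport</key><array><string>5900</string><string>3283</string></array>
    </dict>
  </dict>
</dict>
</plist>
"""


def remove_ports(plist_bytes: bytes, service: str, ports: Iterable[int]) -> bytes:
    """Return a new plist with `ports` dropped from `service`'s TCP and UDP lists.

    "editable" and every other key are left untouched, since the Sharing pane
    resets toggled entries anyway; only the port lists decide what gets opened.
    """
    data = plistlib.loads(plist_bytes)
    entry = data["firewall"][service]
    drop = {str(p) for p in ports}
    for key in ("port", "udpport"):
        # Compare as strings so the code works whether values are <string> or <integer>.
        entry[key] = [p for p in entry.get(key, []) if str(p) not in drop]
    return plistlib.dumps(data)


def firewall_ports(plist_bytes: bytes, service: str) -> dict:
    """Ports the Sharing pane would open for `service`, keyed by list name."""
    entry = plistlib.loads(plist_bytes)["firewall"][service]
    return {k: [int(p) for p in entry.get(k, [])] for k in ("port", "udpport")}


if __name__ == "__main__":
    stripped = remove_ports(SAMPLE_PLIST, "Apple Remote Desktop", [5900, 3283])
    print(firewall_ports(stripped, "Apple Remote Desktop"))
```

To apply it to the real file, read /Library/Preferences/com.apple.sharing.firewall.plist as root, write the returned bytes back, and re-check with the ipfw command above.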
<key>SockNodeName</key>
<string>127.0.0.1</string>
<key>SockServiceName</key>
<string>netbios-ns</string>
Binding the listener to 127.0.0.1 this way works like the bind option did for xinetd: launchd creates the socket bound to the loopback address only. In fact, I added just this to /System/Library/LaunchDaemons/nmbd.plist in the "Listeners" dictionary because, even though I edited my com.apple.sharing.firewall.plist, netbios-ns is opened anyway:
% sudo ipfw list | grep '13[789]'
20340 allow udp from any to any dst-port 137 in
I guess there is some hard-coding in the preference pane, since there are two launchd plist files for Samba. NetBIOS names will not resolve, but I use DNS names anyway, so it all still works as far as I can tell.
% lsbom RemoteDesktopClient210.pkg/Contents/Archive.bom
...
/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/DefaultFirewallInfo.plist
That is where the original values come from. I do not think you need to worry about future System Updates reverting the changes you made to com.apple.sharing.firewall.plist, because I touched DefaultFirewallInfo.plist, reopened the Sharing pane of System Preferences, and nothing got changed. Probably the code just checks whether an entry of the same name already exists and does nothing if it does. Also, my hunch is that the setuid /System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/NetCfgTool calling /usr/libexec/FirewallTool is what actually manages the firewall.
Mac OS X Hints
http://hints.macworld.com/article.php?story=20060427124349687