I recommend you don't forward VNC traffic at all. VNC traffic is not secure by default and all info including passwords is sent in clear text.
Instead I recommend setting up either OpenVPN or SSH w/ port forwarding enabled. SSH is by far the easier of the two to implement.
The idea is to tunnel your VNC Viewer through your SSH tunnel, thus protecting it.
I won't bother posting links as Google will show you many examples.
This (SSH) would allow:
1. A secure connection from anywhere via SSH
2. Through SSH there are many features to control how users are able to connect
Some examples being:
Code:
LoginGraceTime
MaxAuthTries
MaxStartups
Port XXXX <-- this will help avoid scripted scans
3. Fewer rules in your PF.conf
Read here for more on SSH:
http://www.openbsd.org/cgi-bin/man.c...ry=sshd_config
Cheers!
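
An added example, not part of the original post: a small shell audit that reads an sshd_config and reports the four settings the post lists, plus whether TCP forwarding (which the VNC tunnel depends on) is still allowed. The function names, the sample config, port 2222 and the host name are constructed for illustration.

```shell
# Added example: audit an sshd_config for the settings named in the post.
# Client side, for reference (placeholder host/port): ssh -p 2222 -L 5901:localhost:5900 user@gateway

# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
sshd_value() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }      # only global settings, stop at Match
        /^[[:space:]]*#/ { next }            # skip commented-out lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

audit_sshd() {
    cfg=$1
    for key in Port LoginGraceTime MaxAuthTries MaxStartups; do
        val=$(sshd_value "$key" "$cfg")
        if [ -z "$val" ]; then
            echo "WARN $key not set, sshd default applies"
        elif [ "$key" = Port ] && [ "$val" = 22 ]; then
            echo "WARN Port is 22, the port scripted scans try first"
        else
            echo "OK $key $val"
        fi
    done
    # Local forwarding (-L) works unless AllowTcpForwarding is "no" or "remote".
    fwd=$(sshd_value AllowTcpForwarding "$cfg" | tr 'A-Z' 'a-z')
    case $fwd in
        no|remote) echo "FAIL AllowTcpForwarding $fwd blocks the VNC tunnel" ;;
        *)         echo "OK AllowTcpForwarding ${fwd:-yes (default)}" ;;
    esac
}

run_sample() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample config
Port 2222
LoginGraceTime 30
maxauthtries 3
#MaxStartups 3:50:10
AllowTcpForwarding no
EOF
    audit_sshd "$tmp"; rm -f "$tmp"
}

run_sample
```

On the sample, the commented-out MaxStartups line is reported as unset and the `AllowTcpForwarding no` line is flagged, since it would stop the tunnel from carrying the VNC session.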