If it's DISPLAY=A:0 it would be a (non-encrypted, non-tunnelled) TCP connection to A port 6000.
Whereas DISPLAY=A:1 would be to A port 6001 (and the X server would need to know how to talk to a second display, such as two monitors or some virtual display setup).

(earlier discussion appended below for archives; forgot to cc: the list - any corrections welcome)

>>> On 15-May-07 at 10:12 am, in message <[EMAIL PROTECTED]>, "cadu aranha" <[EMAIL PROTECTED]> wrote:
> Hi,
> if I ssh from host A to host B and, from B, setenv DISPLAY A:0,
> which ports are used from A and B for this communication?
> I know it is not the secure one, I am just curious.
> Thanks
...

On the SSH/X11 Tunnelling...

Assuming the config permits X11 forwarding, when connecting using ssh from system A (with an X display) to an sshd on system B (with or without a display), then:

A-ssh checks DISPLAY, usually finds it is :0.0 or localhost:0 (port A:6000); opens a local ephemeral port, A:x, and connects it to B-sshd at B:22. They set up the required ptys for terminal traffic etc., and also a tunnel from B:6010, which A-ssh forwards to A:6000.

So B-sshd has B:22 and also opens a local port B:6010 (or whatever higher number is needed), and sets DISPLAY so localhost:6010 is inherited by all children in the remote session. Any child processes which are X clients connect to their "local" port (say B:6010), which B-sshd is listening on. B-sshd then forwards the data bidirectionally from its port B:22 back to the A-ssh client on A:x, which splits that traffic out into a local X proxy connection by sending it via A:6000 (the local X server display port; although that may be a Unix domain socket to e.g. /tmp/.X11-unix/ or whatever the X implementation uses).

The X tunnel between the systems has virtual end points sshd-B:6010 and ssh-A:6000, and data travels encrypted over tunnel B:22 - A:x. Typically there is no A:6010 (unless A is forwarding to some other system).

To see this: establish a connection and do "pfiles PID" on the PIDs of client A-ssh and server instance B-ssh (found by ptree or pstree $$). This should show the local and remote ports open at each (or, depending on your un*x, you might need to use e.g. lsof). You'll probably see a difference running pfiles on the local A ssh client before starting and while running a remote X app, such as xterm. The remote sshd instance will hold 6010-or-whatever always open, but the local ssh instance will probably only open its local forwarding end-point while a remote X application is actually active. Although not all SSH versions necessarily work in exactly the same sequence. Also the remote xterm should have only localhost:6010 (127.0.0.1.6010) in addition to its B:22 - A:x connection.

Note the article is not absolutely clear on this (but then, the description above tries to be fairly complete but is not exactly all that clear either!). The last sentence in the second-last paragraph in the article implies it by saying the data is forwarded over the secure tunnel, and the last para refers to the equivalent SSH port forwarding syntax (B:)6000:A:6000, which is via 22 (refer -R and -L port forward in the SSH/SSHD man pages).

Hence rules similar to these should be sufficient, provided nothing else is going on (NAT, other firewalls, etc).

On A something like:

pass out quick from A to B port 22 flags S/SAFR keep state keep frags

and on B like:

pass in quick from A to B port = 22 flags S/SAFR keep state keep frags

Rgds, Stuart.

[p.s. use whatever "flags" are appropriate: some use S/SA, or just S, which is the same as S/SAFRUP etc; in theory TCP allows SF/SAFR as a shortcut exchange of one data segment with an automatic close, but I don't think anyone uses it, and it would not make sense for SSH, which needs several key exchanges etc. to establish its long-running connections - one segment would never be enough even to send just a small amount of data - this would require something like "flags S/SAR" to not care whether F is set or not on the opening packet. There seems to be quite a bit of variation in what people put after the "/" in flags...]

--
Stuart Remphrey
RMIT University ITS Infrastructure Services - Unix Systems

>>> On 08-May-07 at 2:31 am, in message <[EMAIL PROTECTED]>, "cadu aranha" <[EMAIL PROTECTED]> wrote:
> Hello people,
> I want to understand how IP FILTER deals with the feedback
> of a certain server, requested for a job.
> For example, I connect thru SSH from A to B (port B:22).
> From B I send the X11 to A (port A:6010).
> My IPFilter config at A has no explicit rule allowing in B at port 6010,
> but only allows out SSH to B. However I can get X11 from B thru
> the procedure above.
> However, I don't know which mechanism controls that, and how
> standard is this opening of ports for the server's feedback.
> Maybe in other applications it would not work.
> Another example:
> I am trying to allow my desktop to print to a network printer by the
> following rules:
>
> pass out quick on rl0 proto tcp from $MyIP to $printerIP port = 515
> flags S keep state
> pass in quick on rl0 proto tcp from $printerIP to $MyIP flags S keep state
>
> How could I do that better?
> When do I have to write an explicit rule to open for the feedback connection
> of a server?
> A general explanation of how these feedback controls would be appreciated.
> Thanks in advance.
> []s
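As an added example that is not part of the original thread: a small Python script that turns a DISPLAY value into the TCP port (6000 + display number) or Unix socket the thread describes, and then checks constructed `lsof -nP -i` output from host B to confirm that sshd's X11 forward listener on 6010 is bound to loopback only, which is what the "only localhost:6010" observation above depends on. The PIDs, addresses and lsof lines are constructed; the /tmp/.X11-unix/X<N> socket naming is an assumption about the local X implementation.

```python
"""Map DISPLAY values to X11 endpoints and check that an sshd X11 forward
listener is loopback-only (added example, not from the mailing-list post;
all lsof output below is constructed)."""
import re

X11_BASE_PORT = 6000  # display N is reached on TCP 6000+N (or a Unix socket)

def display_to_endpoint(display):
    """Parse a DISPLAY value such as 'A:0', ':0.0', 'localhost:10.0' or 'unix:0'.

    Returns (host, tcp_port, unix_socket_path); tcp_port is None when the
    client would use the local Unix-domain socket rather than TCP.
    """
    m = re.fullmatch(r'(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?', display)
    if not m:
        raise ValueError(f"unparseable DISPLAY: {display!r}")
    host, num = m.group('host'), int(m.group('num'))
    if host in ('', 'unix'):
        # Local display: assumed socket path convention /tmp/.X11-unix/X<N>
        return (host or 'unix', None, f'/tmp/.X11-unix/X{num}')
    return (host, X11_BASE_PORT + num, None)

# Constructed sample of `lsof -nP -i` on host B: the B:22 - A:x session, the
# loopback X11 forward listeners, and one listener bound to all interfaces.
SAMPLE_LSOF = """\
COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    4242 cadu 3u IPv4 0x1abc 0t0 TCP 203.0.113.7:22->198.51.100.5:51234 (ESTABLISHED)
sshd    4242 cadu 9u IPv4 0x1abd 0t0 TCP 127.0.0.1:6010 (LISTEN)
sshd    4242 cadu 10u IPv6 0x1abe 0t0 TCP [::1]:6010 (LISTEN)
sshd    4243 cadu 9u IPv4 0x1abf 0t0 TCP *:6011 (LISTEN)
"""

LISTEN_RE = re.compile(r'^(\S+)\s+(\d+)\s+.*TCP\s+(\[[^\]]+\]|[^:\s]+):(\d+)\s+\(LISTEN\)')

def x11_forward_listeners(lsof_text):
    """Return [(command, pid, address, port, loopback_only)] for listeners in
    the X11 port range; loopback_only False means the forwarded display is
    reachable from other hosts, not just the session's own X clients."""
    found = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        cmd, pid, addr, port = m.group(1), int(m.group(2)), m.group(3).strip('[]'), int(m.group(4))
        if X11_BASE_PORT <= port < X11_BASE_PORT + 100:
            found.append((cmd, pid, addr, port, addr in ('127.0.0.1', '::1')))
    return found
```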
