I think one major reason other OSes have done '-nolisten tcp' by default is to encourage people to use X11 forwarding via ssh instead of xhost/etc, as the xhost way transmits in cleartext. Of course it can be argued that the user should be left to decide that themselves, so there's two sides to every issue.
Personally, if it's a workstation behind a pf firewall, I don't care. If not (as in my box at work where I don't control the network), then yes, I'll do the little things that may or may not help but do not hurt (assuming my usage doesn't require them), like this, turning off daemons I don't use (which if I have to use RedHat, are legion), and "PermitRootLogin No" in sshd_config. And if this *is* the pf box I'm talking about, I won't be running xdm. :-)

-A