Re: [XFree86] interface bindings of x-server

2003-11-17 Thread devzero
Hi !
 
> You can get similar effects via the above mentioned -nolisten/ssh combo,
mhhh  - generally (especially on unix) this should work -  BUT:
e.g. i often use cygwin xfree86 and putty on a windoze box. how can i tell putty to 
use the
socket, cygwin xfree86 creates ? i think putty isn`t "unix domain socket aware" - 
isn`t it ? 
should i really blame putty now? ;)

BTW: this issue came to my mind because while evaluating  NX from nomachine on my 
home-pc, my kerio firewall popped up and told me: hey, someone trying to connect to 
port 6000 from the internet (no - not the NX server - just an IP originating from 
rr.com). since i used "secure" options inside NX-Client i wondered: why is Xwin.exe 
(the cygwin port of xfree86, which comes with nx-client) bound to 0.0.0.0:6000 at all? 
all other processes of nx are bound to localhost only - and since NX does some sort of 
"tunneling", binding of xwin.exe to localhost would be sufficient. so i searched for 
an option, but didn`t find. ok - i didn`t discuss this with the nomachine people yet  
- maybe -nolisten tcp is an option there, because their "customized" ssh-client is 
cygwin based, too.

> or with a firewall, so it's not been high enough priority for anyone to
mhh - from the point of view of an security aware sysadmin: a port,which isn`t 
listening and reachable from the internet doesn`t need to be protected by a firewall. 
every (unnecessary) listening port to the outside world is one port too much - 
regardless if you have a firewall or not.

> write the code to do that. (I did actually put code like this in xdm for
> controlling which interfaces to listen on for XDMCP connections
> when I was doing the IPv6 work, but that only deals with XDMCP protocol
> connections, not the X protocol itself.)
thats fine regarding xdm - but i really would love to see it in Xserver too ;)

> Also, most of the apps that support this are designed to run on machines
> that connect to both internal and external networks, and those machines
> often don't run X.
mhh -  i think being able to specify the interface is just a matter of "good design of 
network server apps" in general, IMHO. 
I have had several multi-interface issues with all sorts of server-apps where i just 
banged my head against the wall, because of the programmer of that app didn`t keep in 
mind, that his app could be used in multi-interface scenarios or being used by 
security aware persons. (maybe it`s mostly just by the fact, that a programmer has a 
very different "philosophy" regarding this or because he just isn`t aware, that there 
are "multi homed hosts" or security aware persons in the real world). this fact really 
gave me headache several times in my admin life and led me to my personal conclusion: 
network server application? yes - but  PLEASE let me configure the interfaces bindings 
! :)

regards
roland


-
[EMAIL PROTECTED] wrote:
>>You can use the '-nolisten tcp' option suppress listening on tcp 
>>completely in your case.
> 
> ok - thanks - but how should anything connect then to a listening socket, if it 
> isn`t able to talk
> to the xserver via bsd socket or whatever other method(i don`t know)?

-nolisten tcp only disables tcp sockets - you can still connect to :0
using the Unix domain socket, and then let ssh forwarding take care of
all remote connections.

> i`m system administrator and most "well designed" server-apps support a configure 
> option to bind to specific interfaces. apache, mysql, samba - i can let them all run 
> on specific interface:port . so should X, IMHO
> if this feature isn`t already "inside" X - hasn`t this been a feature request 
> already?
> i think, it`s an essential feature!

You can get similar effects via the above mentioned -nolisten/ssh combo,
or with a firewall, so it's not been high enough priority for anyone to
write the code to do that. (I did actually put code like this in xdm for
controlling which interfaces to listen on for XDMCP connections
when I was doing the IPv6 work, but that only deals with XDMCP protocol
connections, not the X protocol itself.)

Also, most of the apps that support this are designed to run on machines
that connect to both internal and external networks, and those machines
often don't run X.

-- 
-Alan Coopersmith- [EMAIL PROTECTED]
Sun Microsystems, Inc. - Sun Software Group
User Experience Engineering: G11N: X Window System


__
Horoskop, Comics, VIPs, Wetter, Sport und Lotto im WEB.DE Screensaver1.2
Kostenlos downloaden: http://screensaver.web.de/?mc=021110

___
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86


Re: [XFree86] interface bindings of x-server

2003-11-16 Thread Alan Coopersmith
[EMAIL PROTECTED] wrote:
You can use the '-nolisten tcp' option suppress listening on tcp 
completely in your case.
ok - thanks - but how should anything connect then to a listening socket, if it 
isn`t able to talk
to the xserver via bsd socket or whatever other method(i don`t know)?
-nolisten tcp only disables tcp sockets - you can still connect to :0
using the Unix domain socket, and then let ssh forwarding take care of
all remote connections.
i`m system administrator and most "well designed" server-apps support a configure 
option to bind to specific interfaces.  apache, mysql, samba - i can let them all run on 
specific interface:port . so should X, IMHO
if this feature isn`t already "inside" X  - hasn`t this been a feature request already?
i think, it`s an essential feature!
You can get similar effects via the above mentioned -nolisten/ssh combo,
or with a firewall, so it's not been high enough priority for anyone to
write the code to do that.  (I did actually put code like this in xdm for
controlling which interfaces to listen on for XDMCP connections
when I was doing the IPv6 work, but that only deals with XDMCP protocol
connections, not the X protocol itself.)
Also, most of the apps that support this are designed to run on machines
that connect to both internal and external networks, and those machines
often don't run X.
--
-Alan Coopersmith- [EMAIL PROTECTED]
 Sun Microsystems, Inc.- Sun Software Group
 User Experience Engineering: G11N: X Window System
___
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86


Re: [XFree86] interface bindings of x-server

2003-11-16 Thread devzero
Hi !

> You can use the '-nolisten tcp' option suppress listening on tcp 
> completely in your case.
ok - thanks - but how should anything connect then to a listening socket, if it isn`t 
able to talk
to the xserver via bsd socket or whatever other method(i don`t know)?

i`m system administrator and most "well designed" server-apps support a configure 
option to bind to specific interfaces.  apache, mysql, samba - i can let them all run 
on specific interface:port . so should X, IMHO
if this feature isn`t already "inside" X  - hasn`t this been a feature request already?
i think, it`s an essential feature!

regards
roland









[EMAIL PROTECTED] schrieb am 16.11.03 20:51:49:
> 
> On 16 Nov 2003, at 20:06, [EMAIL PROTECTED] wrote:
> 
> > Hi !
> > since i use X only on localhost and open remote x-windows only via 
> > ssh-tunneling,
> > i wonder why my xserver is listening on 0.0.0.0:6000.
> > an interface binding to 127.0.0.1:6000 would be sufficient and more 
> > secure.
> > lets say i have 2 network interfaces - one connected to the internet 
> > and one to
> > the localnet. how can i configure X that it binds to 
> > localnet-interface only?
> 
> You can use the '-nolisten tcp' option suppress listening on tcp 
> completely in your
> case.
> If you're using xdm, you can add the option to /etc/X11/xdm/Xserver. If 
> you're using
> startx to start the server, you can use 'startx -- -nolisten tcp' or 
> create a ~/.xserverrc
> file to specify the option. See the Xserver(1) and xinit(1) manual 
> pages for more details.
> 
> ___
> XFree86 mailing list
> [EMAIL PROTECTED]
> http://XFree86.Org/mailman/listinfo/xfree86


__
WEB.DE FreeMail wird 5 Jahre jung! Feiern Sie mit uns und
nutzen Sie die neuen Funktionen http://f.web.de/features/?mc=021130

___
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86


Re: [XFree86] interface bindings of x-server

2003-11-16 Thread Herrb Matthieu
On 16 Nov 2003, at 20:06, [EMAIL PROTECTED] wrote:

Hi !
since i use X only on localhost and open remote x-windows only via 
ssh-tunneling,
i wonder why my xserver is listening on 0.0.0.0:6000.
an interface binding to 127.0.0.1:6000 would be sufficient and more 
secure.
lets say i have 2 network interfaces - one connected to the internet 
and one to
the localnet. how can i configure X that it binds to 
localnet-interface only?
You can use the '-nolisten tcp' option suppress listening on tcp 
completely in your
case.
If you're using xdm, you can add the option to /etc/X11/xdm/Xserver. If 
you're using
startx to start the server, you can use 'startx -- -nolisten tcp' or 
create a ~/.xserverrc
file to specify the option. See the Xserver(1) and xinit(1) manual 
pages for more details.

___
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86