Hi!
> You can get similar effects via the above mentioned -nolisten/ssh combo,
mhhh - generally (especially on unix) this should work - BUT:
e.g. I often use cygwin xfree86 and putty on a windoze box. How can I tell putty to
use the socket that cygwin xfree86 creates? I think putty isn't "unix domain socket
aware" - isn't it? Should I really blame putty now? ;)
BTW: this issue came to my mind because while evaluating NX from nomachine on my
home PC, my kerio firewall popped up and told me: hey, someone is trying to connect to
port 6000 from the internet (no - not the NX server - just an IP originating from
rr.com). Since I used "secure" options inside NX-Client I wondered: why is Xwin.exe
(the cygwin port of xfree86, which comes with nx-client) bound to 0.0.0.0:6000 at all?
All other processes of NX are bound to localhost only - and since NX does some sort of
"tunneling", binding xwin.exe to localhost would be sufficient. So I searched for
an option, but didn't find one. OK - I didn't discuss this with the nomachine people yet
- maybe -nolisten tcp is an option there, because their "customized" ssh-client is
cygwin based, too.
> or with a firewall, so it's not been high enough priority for anyone to
mhh - from the point of view of a security-aware sysadmin: a port which isn't
listening and reachable from the internet doesn't need to be protected by a firewall.
Every (unnecessary) listening port to the outside world is one port too many -
regardless of whether you have a firewall or not.
> write the code to do that. (I did actually put code like this in xdm for
> controlling which interfaces to listen on for XDMCP connections
> when I was doing the IPv6 work, but that only deals with XDMCP protocol
> connections, not the X protocol itself.)
That's fine regarding xdm - but I really would love to see it in the Xserver too ;)
> Also, most of the apps that support this are designed to run on machines
> that connect to both internal and external networks, and those machines
> often don't run X.
mhh - I think being able to specify the interface is just a matter of "good design of
network server apps" in general, IMHO.
I have had several multi-interface issues with all sorts of server apps where I just
banged my head against the wall, because the programmer of that app didn't keep in
mind that his app could be used in multi-interface scenarios or by
security-aware persons. (Maybe it's mostly just because a programmer has a
very different "philosophy" regarding this, or because he just isn't aware that there
are "multi-homed hosts" or security-aware persons in the real world.) This fact really
gave me headaches several times in my admin life and led me to my personal conclusion:
network server application? Yes - but PLEASE let me configure the interface
bindings! :)
regards
roland
-
[EMAIL PROTECTED] wrote:
>>You can use the '-nolisten tcp' option to suppress listening on tcp
>>completely in your case.
>
> ok - thanks - but how should anything connect then to a listening socket, if it
> isn't able to talk to the xserver via bsd socket or whatever other method (I don't
> know)?
-nolisten tcp only disables tcp sockets - you can still connect to :0
using the Unix domain socket, and then let ssh forwarding take care of
all remote connections.
> I'm a system administrator and most "well designed" server apps support a configure
> option to bind to specific interfaces. apache, mysql, samba - I can let them all run
> on a specific interface:port. So should X, IMHO.
> If this feature isn't already "inside" X - hasn't this been a feature request
> already?
> I think it's an essential feature!
You can get similar effects via the above mentioned -nolisten/ssh combo,
or with a firewall, so it's not been high enough priority for anyone to
write the code to do that. (I did actually put code like this in xdm for
controlling which interfaces to listen on for XDMCP connections
when I was doing the IPv6 work, but that only deals with XDMCP protocol
connections, not the X protocol itself.)
Also, most of the apps that support this are designed to run on machines
that connect to both internal and external networks, and those machines
often don't run X.
--
-Alan Coopersmith- [EMAIL PROTECTED]
Sun Microsystems, Inc. - Sun Software Group
User Experience Engineering: G11N: X Window System
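An added example, mine and not code from the thread or from XFree86: a small POSIX shell audit that flags X display sockets bound to a wildcard address, which is the situation Roland saw with Xwin.exe on 0.0.0.0:6000. It assumes `ss -Hltn`-style input lines (an assumption; the sample below is constructed). The port mapping (display :n listens on TCP 6000+n) and the OpenSSH default of forwarded displays starting at :10 on the loopback address are standard behaviour, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: audit listening TCP sockets for X
# servers reachable on every interface. X display :n listens on TCP port 6000+n,
# so a LISTEN entry on 6000-6063 whose local address is 0.0.0.0, [::] or *
# is exactly what Roland describes for Xwin.exe bound to 0.0.0.0:6000.
#
# Assumed input format (an assumption, matching `ss -Hltn` on Linux):
#   LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
# Feed real data with:  ss -Hltn | audit_x_listeners

# Constructed sample standing in for live `ss -Hltn` output. 127.0.0.1:6010 is
# what an ssh -X forwarded display (:10 by default) looks like and is fine;
# 127.0.0.1:6000 is a server started without -nolisten tcp but loopback only.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 [::]:6001 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6000 0.0.0.0:*'

# Read socket lines on stdin; print "<display> <local address>" for every X
# display socket bound to a wildcard address. Prints nothing when all is well.
x_wildcard_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")           # port follows the last colon
            port = parts[n] + 0
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (port < 6000 || port > 6063) next  # not an X display port
            if (host == "0.0.0.0" || host == "[::]" || host == "*" || host == "")
                printf "%d %s\n", port - 6000, addr
        }'
}

# Wrapper for scripts and cron jobs: prints one finding per exposed display and
# returns 1 if any were found, 0 otherwise. The fix discussed in the thread is
# to start the server with "-nolisten tcp" (e.g. X :0 -nolisten tcp) and reach
# it remotely through ssh -X forwarding instead of a raw TCP listener.
audit_x_listeners() {
    findings=$(x_wildcard_listeners)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | while read -r display addr; do
        echo "display :$display listening on $addr (reachable from all interfaces)"
    done
    return 1
}

# Run against the constructed sample when executed directly.
if printf '%s\n' "$SAMPLE_SS" | audit_x_listeners; then
    echo "no X displays exposed on wildcard addresses"
fi
```

On a live Linux box replace the sample with `ss -Hltn | audit_x_listeners`; a non-zero exit is the signal a monitoring job would alert on. On Cygwin or other systems without `ss`, any tool whose output has the local address in the fourth column in `host:port` form works as input.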
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86