Firewall Wizards mailing list archives

Re: Do you permit X11 via proxy firewall?


From: jason () tacorp com
Date: Thu, 6 Sep 2007 16:49:55 -0400 (EDT)




why is tunneling X through firewalls noticeably safer than just doing packet
filtering to allow it through?

if the only answer is because it prevents someone from intercepting and
tinkering with the TCP datastream then it's only relevant in some situations and
you are saying that in others it's perfectly safe to just do packet filtering.

Perhaps, it's not about safety but rather manageability.  It's a lot 
easier to manage that traffic if it's done as part of a single application 
rather than as a whole protocol suite and multiple ports.

If I recall correctly, X11 is one of those protocols that tries to 
negotiate ports rather than just using a fixed few.  This may be a bit of a 
hassle, which may cause errors or leave ports open that don't need to be.

I know it's lame to use the 'it's easier this way' excuse rather than just 
doing it right, but there is definitely some benefit to having something 
that's easy to manage over something that's not.

Jason


remember, just because everyone is doing it, it may not be safe.

remember almost everyone thinks that firewalls are just packet filters and have
no business actually looking at the packets that they let through.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

