Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Do you permit X11 via proxy firewall? (fwd)

From: dlang () diginsite com
Date: Mon, 10 Sep 2007 09:30:39 -0700 (PDT)
On Thu, 6 Sep 2007, jason () tacorp com wrote:


why is tunneling X through firewalls noticeably safer then just doing packet
filtering to allow it through?

if the only answer is becouse it prevents someone from intercepting and
tinkering with the TCP datastream then it's only relavent in some situations 
and
you are saying that in others it's perfectly safe to just do packet 
filtering.


Perhaps, it's not about safety but rather manageability.  It's a lot
easier to manage that traffic if it's done as part of a single application
rather than as a whole protocol suite and multiple ports.

If I recall correctly, X11 is one of those protocols that tries to
negotiate ports rather than just using a fixed few.  This may be a bit of a
hassle which may cause errors or having ports open that don't need to be.


X11 uses port 6000 for the first display on a computer, 6001 for the second, 
etc. but since almost nothing uses multiple displays nowdays port 6000 should 
be the only thing you need (multiple monitors with one desktop across them 
count as one display)

David Lang


I know it's lame to use the 'it's easier this way' excuse rather than just
doing it right, but there is defiantly some benefit to having something
that's easy to manage over something that's not.

Jason



remember, just becouse everyone is doing it, it may not be safe.

remember almost everyone thinks that firewalls are just packet filters and 
have
no business actually looking at the packets that they let through.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: