Firewall Wizards mailing list archives
Re: Do you permit X11 via proxy firewall? (fwd)
From: dlang () diginsite com
Date: Mon, 10 Sep 2007 09:30:39 -0700 (PDT)
On Thu, 6 Sep 2007, jason () tacorp com wrote:
>> Why is tunneling X through firewalls noticeably safer than just doing packet filtering to allow it through? If the only answer is because it prevents someone from intercepting and tinkering with the TCP datastream, then it's only relevant in some situations and you are saying that in others it's perfectly safe to just do packet filtering.
>
> Perhaps it's not about safety but rather manageability. It's a lot easier to manage that traffic if it's done as part of a single application rather than as a whole protocol suite and multiple ports. If I recall correctly, X11 is one of those protocols that tries to negotiate ports rather than just using a fixed few. This may be a bit of a hassle which may cause errors or having ports open that don't need to be.

X11 uses port 6000 for the first display on a computer, 6001 for the second, etc., but since almost nothing uses multiple displays nowadays, port 6000 should be the only thing you need (multiple monitors with one desktop across them count as one display).

David Lang

> I know it's lame to use the 'it's easier this way' excuse rather than just doing it right, but there is definitely some benefit to having something that's easy to manage over something that's not.
>
> Jason

>> Remember, just because everyone is doing it, it may not be safe. Remember, almost everyone thinks that firewalls are just packet filters and have no business actually looking at the packets that they let through.
>>
>> David Lang

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards