Re: [fw-wiz] Do you permit X11 via proxy firewall? (fwd)



On Thu, 6 Sep 2007, jason@xxxxxxxxxx wrote:

why is tunneling X through firewalls noticeably safer than just doing packet
filtering to allow it through?

if the only answer is because it prevents someone from intercepting and
tinkering with the TCP datastream then it's only relevant in some situations
and you are saying that in others it's perfectly safe to just do packet
filtering.

Perhaps, it's not about safety but rather manageability. It's a lot
easier to manage that traffic if it's done as part of a single application
rather than as a whole protocol suite and multiple ports.

If I recall correctly, X11 is one of those protocols that tries to
negotiate ports rather than just using a fixed few. This may be a bit of a
hassle which may cause errors or having ports open that don't need to be.

X11 uses port 6000 for the first display on a computer, 6001 for the second,
etc. but since almost nothing uses multiple displays nowadays port 6000 should
be the only thing you need (multiple monitors with one desktop across them
count as one display)

David Lang

I know it's lame to use the 'it's easier this way' excuse rather than just
doing it right, but there is definitely some benefit to having something
that's easy to manage over something that's not.

Jason


remember, just because everyone is doing it, it may not be safe.

remember almost everyone thinks that firewalls are just packet filters and
have no business actually looking at the packets that they let through.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

