Re: [fw-wiz] Do you permit X11 via proxy firewall?

On Fri, 7 Sep 2007, ArkanoiD wrote:

On Wed, Sep 05, 2007 at 04:48:46PM -0700, dlang@xxxxxxxxxxxxx wrote:
On Thu, 6 Sep 2007, ArkanoiD wrote:

That's most practical, almost everyone is doing that.
So we can declare x11 gateways officially dead, i guess.

On Wed, Sep 05, 2007 at 05:02:50PM -0400, Paul Melson wrote:
And, if yes, how do you implement it?

No, that's what 'ssh -X' is for.

why is tunneling X through firewalls noticably safer then just doing packet
filtering to allow it through?

Because it ensures proper endpoint authentication, encryption and ensures
(well, to some extent) that no malicious connections will be made through
the tunnel. At least does it better as packet filtering rules are static.

The same rationale applies for x11 gateways: most of them present a kind
of confirmation dialog for every new client connection.

I agree with the value of the authorization/authentication. encryption can be
valuble in some environments, in others it just eats up CPU cycles.

if the only answer is becouse it prevents someone from intercepting and
tinkering with the TCP datastream then it's only relavent in some situations
you are saying that in others it's perfectly safe to just do packet

remember, just becouse everyone is doing it, it may not be safe.

It is not, as nothing is safe, but sometimes it is acceptable risk ;-)

I agree, however I see a mindset creeping in that if you just encrypt it then
it must be safe, and so I question statements like 'X is unsafe, but if you
tunnel it through SSH then it's safe'

by the way, for those who are new to X, it allows programs to communicate with
each other, even from different machines if they share a display. for a trivial
example of this take two linux boxes, configure them to both use the same
display (through whatever mechanism, including through SSH). then try to
startup firefox on both machines (ideally, pass it a URL to start with)

what you will find is that when you try to start it up on the second machine it
detects that you already have it running on the first machine and instruct that
copy of firefox to open a window to the URL you told the second machine to

David Lang

remember almost everyone thinks that firewalls are just packet filters and
no business actually looking at the packets that they let through.

Not us ;-)

firewall-wizards mailing list

firewall-wizards mailing list