firewall problem with x server

I downloaded a firewall.rc script (cant remember where now but the link is on here somewhere)
Then I recompiled my kernel with iptables and some other ip stuff enabled and rebooted.
But no matter how i configured the firewall.rc it wouldnt startx - got error couldnt open listen server or some such.

Anyone else had this problem and found how to get around it?

I guess you have to exclude filtering of communication to and from X server (std port address 6000). If it's running on local host, enabling communication on loopback may be enough (/usr/sbin/iptables -A INPUT -i lo -j ACCEPT;/usr/sbin/iptables -A OUTPUT -i lo -j ACCEPT) .

Quote:

dive wrote : I downloaded a firewall.rc script (cant remember where now but the link is on here somewhere) Then I recompiled my kernel with iptables and some other ip stuff enabled and rebooted. But no matter how i configured the firewall.rc it wouldnt startx - got error couldnt open listen server or some such. Anyone else had this problem and found how to get around it?

Please, provided us more informations if you want to get help : the exact error message and your rc.firewall would be very helpful to us.

However, instead of using some firewall script which you have found somewhere on the web and which you are not able to understand (and so, to find any errors it could contain) , you can use well-known solutions such as the Easy Firewall Generator for iptables or FireStarter. If you wish to learn Iptables (which is the software use to set up a firewall with Linux), the Easy Firewall Generator could be a good starting point with the excellent Iptables tutorial written by Oskar Andreasson.

You may also try to boot your system with a standard Linux kernel as provided with Slackware Linux. May be you have disabled something you should not in your new kernel configuration. In fact, if I were you, I will start with a standard kernel to see if there is a problem with its configuration. And if the problem even happens with a standard kernel, I will try with a clean, new rc.firewall script.

-- LiNuCe

Before I recompile with iptables support again - I am wondering how much a firewall really is needed for my setup?
The only ports open are X on 6000 and CUPS on 631. I am not running sshd or any other services that would allow remote log on.

Are there any exploits that can run thru those 2 ports that I should protect against?

Quote:

dive wrote : (...) The only ports open are X on 6000 and CUPS on 631. I am not running sshd or any other services that would allow remote log on. Are there any exploits that can run thru those 2 ports that I should protect against?

As you already know it, the door of your house is closed to everyone, but when you need to allow a friend of yours to enter your house, you open the door and let him/her in. The same apply to your computer which is connected to the Internet : nobody needs to access it, unless you really need/want it. That is the reason why you should not have accessible port from the Internet. Now, you can decide to close these opened ports one by one and/or to use a firewall. To use a firewall, see my previous message.

How to close the standard X port ?

To close the standard X port (6000+), create the /etc/X11/xinit/xserverrc file, edit it and be sure it contains the following lines :

Code:

#!/bin/sh
exec /usr/X11R6/bin/X -nolisten tcp

Be sure it has proper permissions and ownership :

Code:

# chmod 755 /etc/X11/xinit/xserverrc
# chown root.root /etc/X11/xinit/xserverrc

Now, each time you will start X, it will not try to open any TCP port. The drawback of this solution is that you won't be able to connect to your computer from another one, but I doubt you really need it.

How to deny remote connection to the CUPS daemon ?

To be sure the CUPS daemon only listens on your local computer, you can edit the /etc/cups/cupsd.conf file and replace the following line :

Code:

Port 631

with :

Code:

Listen 127.0.0.1:631

After the change, you can connect to the CUPS daemon at http://127.0.0.1:631.

-- LiNuCe

Thanks for those tips - I think thats just what I need