LinuxQuestions.org
Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
XDMCP client and Fedora firewall (https://www.linuxquestions.org/questions/linux-security-4/xdmcp-client-and-fedora-firewall-473398/)

MichaelWhite 08-12-2006 11:50 PM

XDMCP client and Fedora firewall
 
Hi all,

I have two machines running on a network, one running Fedora Core 4 (the XDMCP client) and the other running Fedora Core 5 (the XDMCP server). I have the FC5 XDMCP server firewall configured correctly (allowing 177:udp & 6000:tcp), and if I run the FC4 XDMCP client without a firewall, everything works fine, i.e. I can run XDMCP chooser on the FC4 XDMCP client successfully, see the FC5 XDMCP server, and start an X session.

However, if I enable the firewall on the FC4 XDMCP client, the FC4 XDMCP chooser starts, but does not see the FC5 XDMCP client. If I start ethereal on the FC5 XDMCP client, here's what I see:

FC4 Client FC5 Server
-------- UDP Broadcast Query ---------->
Dest Port: 177
Src Port: 32773

<------- UDP Willing ------------------
Dest Port: 32773
Src Port: 177

-------- ICMP Dest Unreachable -------->

If I allow port 32773 on the FC4 XDMCP client, everything works fine. However, the FC4 XDMCP client port number is not always 32773.

Is it possible to run the Fedora firewall on an XDMCP client? If so, how do I do this? Is this similar to the NFS issues?

Thanks,
Michael White

unSpawn 08-18-2006 02:13 AM

> Is it possible to run the Fedora firewall on an XDMCP client?
Sure, why not.


> If so, how do I do this?
Three ways, AFAIK.
- One approach is to ditch XDMCP in favour of (Tight)VNC over SSH (or reasoned the other way: SSH can't forward UDP so you have to use VNC). Use this if you want a secure solution (eavesdropping) you can use on your LAN as well as from the outside. Next to that SSH can compress traffic and TightVNC is kinda lean too which should make performance kinda OK.
- If you want to use XDMCP anyway add -j LOG rules before you -j DROP stuff: that way you see what's dropped and you can then make exception rules. This is the next best approach since you adjust access based on actual traffic, it just might take a little period of tweakage.
- The "dumb" approach is to make exclusions for a range of ports anyway between server and client anyway: "if inbound traffic match state new,established,related and source/dest match from server to client and protocol match UDP port 117 or TCP port range 30000:35000, then accept". Only do this if you don't give a hoot about access restrictions and security and you are the only one using your LAN.
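The following is an added example, not code from the thread or from unSpawn, that works through the second approach (a LOG rule in front of the final DROP) for the FC4 side. It prints the client-side rule set, then reads the kernel log lines such a rule produces and proposes exception rules keyed on the server's address and source port 177 rather than on the client's ephemeral port, which is the part that changes between chooser runs. The addresses (192.168.1.5 as the FC5 server, 192.168.1.4 as the FC4 client), the interface, the MACs and the "FW-DROP: " prefix are assumptions made for this example, and the log lines are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): "log before drop" on an XDMCP client,
# plus a helper that turns the logged drops into exception rules.
# All addresses, the interface and the log prefix are assumptions.

XDMCP_SERVER=${XDMCP_SERVER:-192.168.1.5}   # assumed address of the FC5 box
LOG_PREFIX="FW-DROP: "

# Print (rather than apply) the client-side rules, so this runs without root.
client_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The chooser's query goes to the broadcast address but the Willing reply
# comes from the server's unicast address, so conntrack never pairs the two
# and ESTABLISHED does not match. Accept the reply by server address and
# source port 177 instead of by the client port, which changes every run.
iptables -A INPUT -p udp -s $XDMCP_SERVER --sport 177 -j ACCEPT
# Once the session starts, the display manager on the server connects back
# to the X server on this host (TCP 6000 for display :0).
iptables -A INPUT -p tcp -s $XDMCP_SERVER --dport 6000 -m state --state NEW -j ACCEPT
# Log whatever is about to be dropped, then drop it.
iptables -A INPUT -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
iptables -A INPUT -j DROP
EOF
}

# Constructed sample of what the LOG rule writes to the kernel log: two
# dropped Willing replies (note the different DPT each time), one TCP probe
# from another host and one ICMP echo, which carries no ports at all.
SAMPLE_LOG='Aug 18 02:13:01 fc4 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=177 DPT=32773 LEN=40
Aug 18 02:13:09 fc4 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=177 DPT=32781 LEN=40
Aug 18 02:13:12 fc4 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:cc:dd:08:00 SRC=192.168.1.9 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 02:13:15 fc4 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:cc:dd:08:00 SRC=192.168.1.9 DST=192.168.1.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Read log lines on stdin and print "SRC PROTO SPT DPT" for every logged
# drop that carries ports; lines without SPT/DPT (ICMP) are skipped.
dropped_packets() {
    sed -n 's/.*FW-DROP: .*SRC=\([^ ]*\) .*PROTO=\([A-Z]*\) .*SPT=\([0-9]*\) DPT=\([0-9]*\).*/\1 \2 \3 \4/p'
}

# Propose one ACCEPT per XDMCP server seen in the drops, keyed on its
# address and source port 177, never on the client's ephemeral port.
propose_rules() {
    dropped_packets | awk '$2 == "UDP" && $3 == 177 && !seen[$1]++ {
        printf "iptables -I INPUT -p udp -s %s --sport 177 -j ACCEPT\n", $1 }'
}

# Demo on the constructed sample: feed the log through the helper.
printf '%s\n' "$SAMPLE_LOG" | propose_rules
```

On a live system the log lines come from `dmesg` or /var/log/messages, so `grep 'FW-DROP: ' /var/log/messages | propose_rules` is the usage. The reason the stateful rule alone is not enough is visible in the thread's own capture: the query was a broadcast, the Willing reply came from the server's unicast address and port 177, and conntrack has no entry that pairs the two; with a unicast `-query server` instead of `-broadcast`, the ESTABLISHED rule matches the reply and no extra exception is needed.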

