Old 08-12-2006, 11:50 PM   #1
XDMCP client and Fedora firewall

Hi all,

I have two machines running on a network, one running Fedora Core 4 (the XDMCP client) and the other running Fedora Core 5 (the XDMCP server). I have the FC5 XDMCP server firewall configured correctly (allowing 177:udp & 6000:tcp), and if I run the FC4 XDMCP client without a firewall, everything works fine, i.e. I can run XDMCP chooser on the FC4 XDMCP client successfully, see the FC5 XDMCP server, and start an X session.

However, if I enable the firewall on the FC4 XDMCP client, the FC4 XDMCP chooser starts, but does not see the FC5 XDMCP client. If I start ethereal on the FC5 XDMCP client, here's what I see:

FC4 Client                              FC5 Server
-------- UDP Broadcast Query ---------->
Dest Port: 177
Src Port: 32773

<------- UDP Willing ------------------
Dest Port: 32773
Src Port: 177

-------- ICMP Dest Unreachable -------->

If I allow port 32773 on the FC4 XDMCP client, everything works fine. However, the FC4 XDMCP client port number is not always 32773.

Is it possible to run the Fedora firewall on an XDMCP client? If so, how do I do this? Is this similar to the NFS issues?

Michael White
Old 08-18-2006, 02:13 AM   #2
Is it possible to run the Fedora firewall on an XDMCP client?
Sure, why not.

If so, how do I do this?
Three ways, AFAIK.
- One approach is to ditch XDMCP in favour of (Tight)VNC over SSH (or reasoned the other way: SSH can't forward UDP so you have to use VNC). Use this if you want a secure solution (eavesdropping) you can use on your LAN as well as from the outside. Next to that SSH can compress traffic and TightVNC is kinda lean too which should make performance kinda OK.
- If you want to use XDMCP anyway add -j LOG rules before you -j DROP stuff: that way you see what's dropped and you can then make exception rules. This is the next best approach since you adjust access based on actual traffic, it just might take a little period of tweakage.
- The "dumb" approach is to make exclusions for a range of ports between server and client anyway: "if inbound traffic match state new,established,related and source/dest match from server to client and protocol match UDP port 117 or TCP port range 30000:35000, then accept". Only do this if you don't give a hoot about access restrictions and security and you are the only one using your LAN.
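
The log-then-except approach from the reply above, as an added example that is not part of either post: it reads iptables LOG lines and proposes an exception keyed on the server's fixed source port 177 (as seen in the capture in post #1) instead of a range of client ports. The log prefix, the addresses, the abbreviated log lines and the `INPUT` chain name are assumptions; use the chain your own ruleset filters on.

```shell
#!/bin/sh
# Added example: turn iptables LOG lines into narrow exception rules.
# Assumed LOG rule placed before the final DROP/REJECT on the client (prefix is made up):
#   iptables -A INPUT -j LOG --log-prefix "XDMCP-DROP: "

# Constructed, abbreviated kernel log lines (placeholder addresses): XDMCP "Willing"
# replies from the server to changing client ports, plus one unrelated broadcast.
sample_log() {
cat <<'EOF'
Aug 12 23:41:07 fc4 kernel: XDMCP-DROP: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.4 LEN=52 TTL=64 PROTO=UDP SPT=177 DPT=32773 LEN=32
Aug 12 23:44:19 fc4 kernel: XDMCP-DROP: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.4 LEN=52 TTL=64 PROTO=UDP SPT=177 DPT=32781 LEN=32
Aug 12 23:45:02 fc4 kernel: XDMCP-DROP: IN=eth0 OUT= SRC=192.168.1.9 DST=192.168.1.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 12 23:51:30 fc4 kernel: XDMCP-DROP: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.4 LEN=52 TTL=64 PROTO=UDP SPT=177 DPT=32790 LEN=32
EOF
}

# Read LOG lines on stdin; print one line per (proto, source, source port):
#   "<proto> <src> <spt> <packets> <distinct destination ports>"
summarize_drops() {
  awk -v pfx="${1:-XDMCP-DROP:}" '
    index($0, pfx) {
      src = proto = spt = dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
        if ($i ~ /^SPT=/)   spt = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt = substr($i, 5)
      }
      if (src == "" || spt == "") next
      k = proto " " src " " spt
      n[k]++
      if (!((k, dpt) in seen)) { seen[k, dpt] = 1; ports[k]++ }
    }
    END { for (k in n) print k, n[k], ports[k] }' | sort
}

# Suggest a rule only where the sender is fixed at UDP source port 177 (XDMCP),
# so the client's changing destination port never has to be opened as a range.
suggest_rules() {
  summarize_drops "$@" | while read -r proto src spt count nports; do
    [ "$proto" = udp ] && [ "$spt" = 177 ] || continue
    echo "iptables -I INPUT -p udp -s $src --sport 177 -j ACCEPT  # $count drops, $nports client ports"
  done
}

sample_log | suggest_rules
```

The suggested rule still accepts UDP to any client port from that one address when the source port is 177, so review each proposed line before applying it and keep the `-s` restriction.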