LinuxQuestions.org
Old 08-12-2006, 11:50 PM   #1
MichaelWhite
LQ Newbie
 
Registered: Aug 2006
Posts: 2

Rep: Reputation: 0
XDMCP client and Fedora firewall


Hi all,

I have two machines running on a network, one running Fedora Core 4 (the XDMCP client) and the other running Fedora Core 5 (the XDMCP server). I have the FC5 XDMCP server firewall configured correctly (allowing 177:udp & 6000:tcp), and if I run the FC4 XDMCP client without a firewall, everything works fine, i.e. I can run XDMCP chooser on the FC4 XDMCP client successfully, see the FC5 XDMCP server, and start an X session.

However, if I enable the firewall on the FC4 XDMCP client, the FC4 XDMCP chooser starts, but does not see the FC5 XDMCP client. If I start ethereal on the FC5 XDMCP client, here's what I see:

FC4 Client                              FC5 Server
-------- UDP Broadcast Query ---------->
Dest Port: 177
Src Port: 32773

<------- UDP Willing ------------------
Dest Port: 32773
Src Port: 177

-------- ICMP Dest Unreachable -------->

If I allow port 32773 on the FC4 XDMCP client, everything works fine. However, the FC4 XDMCP client port number is not always 32773.

Is it possible to run the Fedora firewall on an XDMCP client? If so, how do I do this? Is this similar to the NFS issues?

Thanks,
Michael White
 
Old 08-18-2006, 02:13 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Is it possible to run the Fedora firewall on an XDMCP client?
Sure, why not.


If so, how do I do this?
Three ways, AFAIK.
- One approach is to ditch XDMCP in favour of (Tight)VNC over SSH (or reasoned the other way: SSH can't forward UDP so you have to use VNC). Use this if you want a secure solution (eavesdropping) you can use on your LAN as well as from the outside. Next to that SSH can compress traffic and TightVNC is kinda lean too which should make performance kinda OK.
- If you want to use XDMCP anyway add -j LOG rules before you -j DROP stuff: that way you see what's dropped and you can then make exception rules. This is the next best approach since you adjust access based on actual traffic, it just might take a little period of tweakage.
- The "dumb" approach is to make exclusions for a range of ports between server and client anyway: "if inbound traffic match state new,established,related and source/dest match from server to client and protocol match UDP port 117 or TCP port range 30000:35000, then accept". Only do this if you don't give a hoot about access restrictions and security and you are the only one using your LAN.
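
Added example (not part of the thread or written by either poster): one way to work through the "-j LOG before -j DROP" approach above, by summarising the logged drops and printing a candidate exception for review. The chain name INPUT, the log prefix "FW-DROP: ", and all addresses and ports in the sample are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed logging rule (as root), inserted
# at the position N of the final DROP/REJECT so it runs just before it:
#   iptables -I INPUT N -j LOG --log-prefix "FW-DROP: "

# Constructed, abridged kernel log lines (hosts, addresses and ports are made up).
sample_log() {
cat <<'EOF'
Aug 13 10:01:02 fc4 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.4 PROTO=UDP SPT=177 DPT=32773 LEN=40
Aug 13 10:07:41 fc4 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.4 PROTO=UDP SPT=177 DPT=32774 LEN=40
Aug 13 10:09:15 fc4 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.9 DST=192.168.1.4 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 SYN
Aug 13 10:15:30 fc4 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.4 PROTO=UDP SPT=177 DPT=32780 LEN=40
EOF
}

# Group logged drops by protocol, source address and source port.
# Output columns: PROTO SRC SPT <packets> <distinct destination ports>
summarise_drops() {
  awk '/FW-DROP: / {
    src = proto = spt = dpt = ""
    for (i = 1; i <= NF; i++) {
      n = split($i, kv, "=")
      if (n != 2) continue
      if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "SPT") spt = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (spt == "" || dpt == "") next      # ICMP and similar carry no ports
    key = proto " " src " " spt
    hits[key]++
    if (!((key, dpt) in seen)) { seen[key, dpt] = 1; dports[key]++ }
  }
  END { for (k in hits) print k, hits[k], dports[k] }' | sort
}

# When one source port keeps hitting changing local ports (the Willing reply
# in the trace above), pin the exception to the sender address and source port.
suggest_rules() {
  summarise_drops | while read -r proto src spt hits dports; do
    [ "$dports" -gt 1 ] || continue       # fixed local port: review by hand
    echo "iptables -I INPUT -p $(echo "$proto" | tr 'A-Z' 'a-z') -s $src --sport $spt -j ACCEPT"
  done
}

sample_log | suggest_rules
```

The printed rule accepts any UDP datagram that address sends from source port 177, so review it against the summary and keep the `-s` restriction to the one XDMCP server before applying it.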
 
  

