How would I allow X Windows and XDMCP through? Would it be ACCEPT net -> fw all 117 and ACCEPT net -> fw all 6000:6100? And for that matter, how would I stop X traffic from leaving the fw machine? REJECT fw -> net all 6000:6100?
Cary Wells wrote:
> How would i allow xwindows and xdmcp through would it be ACCEPT net -> fw all 117 and ACCEPT net -> fw all 6000:6100? and for that matter how would i stop x traffic from leaving the fw machine? REJECT fw -> net all 6000:6100?

It's not really a good idea to let X11 through your firewall. Use ssh and tunnel X11 inside it.

Paul
http://paulgear.webhop.net
As Paul says, tunneling through ssh is a better approach. If you still want to go ahead:

    ACCEPT net fw udp 6000:6010    # Allows up to 10 remote X terminals to connect
    ACCEPT net fw udp 177

My recommendation for the firewall machine is to have a fw->net policy of REJECT and then use rules to specify what you want to allow to leave that system. To stop X from leaving:

    REJECT fw net udp 6000:6100

You cannot specify a port range with PROTOCOL=all. iptables won't allow it so neither does Shorewall.

-Tom

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Cary Wells
Sent: Wednesday, February 06, 2002 7:17 PM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] X windows
Steve Cowles has pointed out that the rules that I sent are backwards (X is always confusing in that regard because the server runs on the client machine) and that X uses TCP, not UDP. The rules should have been:

    ACCEPT fw net tcp 6000:6010    # Allows firewall to create 10 (concurrent) outbound X sessions either from XDMCP requests or from rsh/telnet.
    ACCEPT net fw udp 177          # Allow XDMCP queries

Sorry for the confusion...

-Tom

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, February 07, 2002 6:59 AM
To: 'Cary Wells'; shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] X windows
Possibly in the future, when I get the boss talked into it and I teach the students how to do it, but for now I need it to pop up on XDMCP, and even these rules are not working. The X is working if I start it from an ssh, but the XDMCP is not getting out. In the messages I get it being blocked with src port 117 and dpt random.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "'Cary Wells'" <cary.wells@shaw.ca>; <shorewall-users@shorewall.net>
Cc: "'Cowles, Steve'" <Steve@SteveCowles.com>
Sent: Thursday, February 07, 2002 10:32 AM
Subject: RE: [Shorewall-users] X windows
You keep mentioning port 117 but XDMCP uses port 177 -- is your chooser mis-configured? Also, XDMCP gets "in" not "out" -- it is sent from the system running the X server; the connection manager (xdm, kdm, gdm, etc.) listens on that port. Please post one of these Shorewall messages from your log.

-Tom

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Cary Wells
> Sent: Friday, February 08, 2002 5:13 PM
> To: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] X windows

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
***from messages***

    Feb 8 16:49:55 bioinfo kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=firewall DST=X server machine LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=177 DPT=3949 LEN=57

***from rule***

    ACCEPT net fw udp 177

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "'Cary Wells'" <cary.wells@shaw.ca>; <shorewall-users@shorewall.net>
Sent: Friday, February 08, 2002 6:33 PM
Subject: RE: [Shorewall-users] X windows
What does "shorewall show fw2net" show?

-Tom

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Cary Wells
> Sent: Friday, February 08, 2002 5:41 PM
> To: Tom Eastep; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] X windows
Under the assumption that connection tracking may not do the correct thing with broadcast packets, try the following in your rules file; it will definitely pass the packets reported in the log message that you posted:

    ACCEPT fw net udp - 177

-Tom

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Cary Wells
> Sent: Friday, February 08, 2002 5:41 PM
> To: Tom Eastep; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] X windows
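As an added illustration (not from the thread or from Shorewall itself) of why the original rule never matched the logged packet while the replacement does, here is a small matcher that applies Shorewall-style rule columns (ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT, with "-" meaning any) to the zones, protocol and ports of a logged packet. It assumes eth0 faces the "net" zone and that an empty IN= means the firewall itself generated the packet; the log line is the one posted above, and the X11 line is constructed.

```python
import re

# Assumption for this illustration: eth0 faces the 'net' zone, and a packet
# logged with an empty IN= was generated by the firewall itself ('fw').
NET_IFACES = {"eth0"}

def zone_of(iface):
    return "net" if iface in NET_IFACES else "loc"   # assumed interface layout

def parse_rule(line):
    # Columns: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT; '-' or an
    # omitted trailing column means "any".
    cols = line.split("#", 1)[0].split()
    cols += ["-"] * (6 - len(cols))
    action, src, dst, proto, dport, sport = cols[:6]
    return dict(action=action, src=src, dst=dst, proto=proto.lower(),
                dport=dport, sport=sport)

def parse_log(line):
    # Pull KEY=VALUE pairs out of a Shorewall kernel log line; zones come from IN=/OUT=.
    kv = dict(re.findall(r"(\w+)=(\S*)", line))
    return dict(
        src_zone="fw" if kv.get("IN", "") == "" else zone_of(kv["IN"]),
        dst_zone="fw" if kv.get("OUT", "") == "" else zone_of(kv["OUT"]),
        proto=kv.get("PROTO", "").lower(),
        sport=int(kv["SPT"]), dport=int(kv["DPT"]))

def port_matches(spec, port):
    # '-' matches any port, 'N' one port, 'LO:HI' an inclusive range.
    if spec == "-":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, log_line):
    # ACTION of the first rule matching the logged packet, else None: the packet
    # then falls through to the zone policy (all2all REJECT in the posted log).
    pkt = parse_log(log_line)
    for r in map(parse_rule, rules):
        if (r["src"] == pkt["src_zone"] and r["dst"] == pkt["dst_zone"]
                and r["proto"] in ("-", "all", pkt["proto"])
                and port_matches(r["dport"], pkt["dport"])
                and port_matches(r["sport"], pkt["sport"])):
            return r["action"]
    return None

# The rejected XDMCP reply exactly as posted in the thread (DST redacted there).
XDMCP_REPLY = ("Feb 8 16:49:55 bioinfo kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
               "SRC=firewall DST=X server machine LEN=77 TOS=0x00 PREC=0x00 TTL=64 "
               "ID=0 DF PROTO=UDP SPT=177 DPT=3949 LEN=57")
# Constructed: the firewall opening an outbound X11 connection to display :0.
X11_OUT = "kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 PROTO=TCP SPT=33000 DPT=6000"
```

The reply leaves the firewall with source port 177, so a rule written as net->fw with destination port 177 never sees it; only the fw->net rule with "-" in DEST_PORT and 177 in SOURCE_PORT lets it out.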
That did it.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "'Cary Wells'" <cary.wells@shaw.ca>; <shorewall-users@shorewall.net>
Sent: Friday, February 08, 2002 7:29 PM
Subject: RE: [Shorewall-users] X windows