This is a discussion on Re: [fw-wiz] Do you permit X11 via proxy firewall? (fwd) - Firewalls ; On Thu, 6 Sep 2007, email@example.com wrote: >> why is tunneling X through firewalls noticeably safer then just doing packet >> filtering to allow it through? >> >> if the only answer is becouse it prevents someone from intercepting and ...
On Thu, 6 Sep 2007, firstname.lastname@example.org wrote:
>> why is tunneling X through firewalls noticeably safer then just doing packet
>> filtering to allow it through?
>> if the only answer is becouse it prevents someone from intercepting and
>> tinkering with the TCP datastream then it's only relavent in some situations
>> you are saying that in others it's perfectly safe to just do packet
> Perhaps, it's not about safety but rather manageability. It's a lot
> easier to manage that traffic if it's done as part of a single application
> rather than as a whole protocol suite and multiple ports.
> If I recall correctly, X11 is one of those protocols that tries to
> negotiate ports rather than just using a fixed few. This may be a bit of a
> hassle which may cause errors or having ports open that don't need to be.
X11 uses port 6000 for the first display on a computer, 6001 for the second,
etc. but since almost nothing uses multiple displays nowdays port 6000 should
be the only thing you need (multiple monitors with one desktop across them
count as one display)
> I know it's lame to use the 'it's easier this way' excuse rather than just
> doing it right, but there is defiantly some benefit to having something
> that's easy to manage over something that's not.
>> remember, just becouse everyone is doing it, it may not be safe.
>> remember almost everyone thinks that firewalls are just packet filters and
>> no business actually looking at the packets that they let through.
>> David Lang
>> firewall-wizards mailing list
> firewall-wizards mailing list
firewall-wizards mailing list