[IRIX 6.5.x] disabling X11 (6000/tcp) and XDMCP ports - SGI


  1. [IRIX 6.5.x] disabling X11 (6000/tcp) and XDMCP ports

    Hello!

    Is there a way to close X11 ports (6000 through 6009) and the XDMCP
    listener on IRIX 6.5.x? I do not really need those ports open.

    Currently, XDMCP service is "closed" in /var/X11/xdm/Xaccess:

    $ pwd
    /var/X11/xdm
    $ grep -v ^# Xaccess

    $

    The output of netstat(1) shows listeners on those ports yet:

    $ netstat -a
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q Local Address Foreign Address (state)
    tcp4 0 0 *.sunrpc *.* LISTEN
    tcp4 0 0 localhost.sunrpc *.* LISTEN
    tcp4 0 0 *.1024 *.* LISTEN
    tcp4 0 0 *.1025 *.* LISTEN
    tcp4 0 0 *.22 *.* LISTEN
    tcp4 0 0 *.1027 *.* LISTEN
    tcp4 0 0 *.x-server *.* LISTEN
    tcp4 0 0 matrix.ciencias..1366 condmat1..22 ESTABLISHED
    tcp4 0 0 matrix.ciencias..1590 condmat1..22 ESTABLISHED
    udp4 0 0 *.1025 *.*
    udp4 0 0 localhost.1027 *.*
    udp4 0 0 *.1028 *.*
    udp4 0 0 *.sunrpc *.*
    udp4 0 0 localhost.sunrpc *.*
    udp4 0 0 *.xdmcp *.*
    udp4 0 0 *.682 *.*
    udp4 0 0 *.683 *.*
    udp4 0 0 *.684 *.*
    udp4 0 0 *.685 *.*
    udp4 0 0 *.686 *.*
    udp4 0 0 *.687 *.*
    Active UNIX domain sockets
    Address Type Recv-Q Send-Q Vnode Conn Refs Nextref Addr
    94e35c00 stream 0 0 0 8a14d500 0 0 /tmp/.Xsgishmsrv0
    96038800 stream 0 0 8b5d7b40 93eb1840 0 0 /var/tmp/.Xsgishm/cli27-16332
    8da82e00 stream 0 0 0 8875df40 0 0 /tmp/.X11-unix/X0
    8ede8600 stream 0 0 0 8875d5c0 0 0
    [...]

    I am interested in closing those ports, not filtering the ports
    themselves using a firewall or TCP wrappers. Perhaps there is
    an option to Xsgi(1) for not listening on those ports, but I have
    not found it.

    Thanks!
    Igor.


  2. Re: [IRIX 6.5.x] disabling X11 (6000/tcp) and XDMCP ports

    Igor Sobrado wrote:
    > I am interested in closing those ports, not filtering the ports
    > themselves using a firewall or TCP wrappers. Perhaps there is
    > an option to Xsgi(1) for not listening on those ports, but I have
    > not found it.


    As there are no replies to my post, I suppose that closing those
    ports is not possible in IRIX. I finally installed IP Filter and
    configured some simple rules to make my workstation friendly but
    a bit more secure:

    # ipf.conf provides rules to control filtering using IPFilter
    #
    # see IPFilter relnotes for further information on configuration
    # see /usr/ipfilter/doc/ipf-howto.txt for explanation of rules
    #
    block in quick all with ipopts
    block in quick proto tcp all with short

    pass out quick on lo0 all
    pass in quick on lo0 all

    block out quick on ec0 all head 1
    block out quick from any to 127.0.0.0/8 group 1
    block out quick from any to 0.0.0.0/8 group 1
    block out quick from any to 10.0.0.0/8 group 1
    block out quick from any to 172.16.0.0/12 group 1
    block out quick from any to 192.168.0.0/16 group 1
    pass out quick proto tcp/udp from any to any keep state group 1
    pass out quick proto icmp from any to any keep state group 1

    block in quick on ec0 all head 2
    block in quick from 127.0.0.0/8 to any group 2
    block in quick from 0.0.0.0/8 to any group 2
    block in quick from 10.0.0.0/8 to any group 2
    block in quick from 172.16.0.0/12 to any group 2
    block in quick from 192.168.0.0/16 to any group 2
    block in proto tcp from any to any flags S/SA group 2
    pass in quick proto tcp from any to any port = 22 flags S keep state group 2
    block in proto icmp all group 2
    pass in quick proto icmp from any to any icmp-type echo group 2
    pass in quick proto icmp from any to any icmp-type echorep group 2

    block return-rst in quick proto tcp all
    block return-icmp-as-dest(port-unr) in quick on ec0 proto udp all

    block in on ec0 all

    Any advice on those rules (or the way to close those unwanted ports)
    will be highly appreciated!

    Cheers,
    Igor.
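
A packet filter drops traffic to the X11 and XDMCP ports, but the sockets themselves stay open, so netstat keeps listing them. The following added example (not part of either post) is a shell check that picks those listeners out of `netstat -a` output in the format shown in the thread. The function names and the embedded sample are constructed for illustration, and 177/udp is assumed as the standard XDMCP port.

```shell
#!/bin/sh
# Added example: report X11 and XDMCP listeners found in `netstat -a` output.

# Constructed sample, abbreviated from the netstat listing quoted in the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.sunrpc *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.x-server *.* LISTEN
tcp4 0 0 matrix.ciencias..1366 condmat1..22 ESTABLISHED
udp4 0 0 localhost.1027 *.*
udp4 0 0 *.xdmcp *.*
Active UNIX domain sockets
8da82e00 stream 0 0 0 8875df40 0 0 /tmp/.X11-unix/X0
EOF
}

# Reads netstat text on stdin and prints one line per listener:
#   <proto> <x11|xdmcp> <bind address>
# Accepts service names (x-server, xdmcp) and numeric ports (as from netstat -an).
find_x_listeners() {
    awk '
    /^Active UNIX domain sockets/ { exit }        # only the Internet table matters here
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }        # skip established TCP connections
    $1 ~ /^(tcp|udp)/ {
        # The port or service name is whatever follows the last dot of the local address.
        n = split($4, part, "[.]")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        svc = ""
        # X11 displays :0 to :9 listen on 6000 through 6009/tcp.
        if ($1 ~ /^tcp/ && (port == "x-server" || port ~ /^600[0-9]$/)) svc = "x11"
        # XDMCP is a UDP service, so it has no LISTEN state to test.
        if ($1 ~ /^udp/ && (port == "xdmcp" || port == "177")) svc = "xdmcp"
        if (svc != "") print $1, svc, addr
    }'
}

# Demonstration on the constructed sample; on a live host: netstat -a | find_x_listeners
sample_netstat | find_x_listeners
```

A bind address of `*` in the output means the socket accepts traffic on every interface, which is the case the filter rules have to cover.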

