Re: Do consider blocking port 6000 on the next installer (Was: Re: setenv in X11)


  • Subject: Re: Do consider blocking port 6000 on the next installer (Was: Re: setenv in X11)
  • From: Rui Carmo <email@hidden>
  • Date: Sat, 1 Feb 2003 23:27:12 +0000

On Saturday, Feb 1, 2003, at 21:16 Europe/Lisbon, Jonas Maebe wrote:

> On Sat, 1 Feb 2003, Rui Carmo wrote:
>
> > Which reminds me (to the Apple people on this list) that adding a
> > firewall setting (on Preferences|Sharing|Firewall) to block port 6000
> > might be of some interest.
>
> Blocking specific ports is bad firewall policy. You should block all ports
> and open only the ones that you need. And guess what: that's exactly what
> Apple does :) So currently, there is actually no default rule to unblock
> 6000 instead of the other way round.

Hum. Just made a fool of myself. Tends to happen every once in a while, so I guess I was due this week.


Let me rephrase my original line of thought, then. Since I don't actually use the Apple firewall settings (and have been trained to distrust any vendor's security settings out of the box, mostly due to years of Sun and NT use), I was actually under the impression the GUI actually expressed explicit blocks.

Gotta use the mouse more often, I guess, and stop fiddling with ipf/ipchains/iptables :)

I actually live behind a one-way Linux NAT setup that only allows SSH in to a specific box and follows that cardinal rule - denies everything else (with snort and flexresp added in for good measure), so I really should know better.

Nevertheless, X is still too damn insecure to trust the user to activate the _whole_ firewall, so maybe it should bind to the domain socket _only_ by default, and have some setting for enabling TCP listen on 6000.

R.
_______________________________________________
x11-users mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/x11-users
X11 for Mac OS X FAQ: http://developer.apple.com/qa/qa2001/qa1232.html
Report issues, request features, feedback: http://developer.apple.com/bugreporter
Do not post admin requests to the list. They will be ignored.
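
The exposure discussed in this message, as an added example that is not part of the original post: a shell check that reads `netstat -an` output and reports TCP listeners in the X11 range (6000 plus display number, through 6063), marking each as loopback-only or exposed. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit netstat output for X11 TCP listeners.

# Constructed sample, mixing BSD/macOS (addr.port) and Linux (addr:port) styles.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.6001         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.5.6000       10.0.0.7.51234         ESTABLISHED
tcp        0      0  0.0.0.0:6010           0.0.0.0:*              LISTEN
EOF
}

# Reads netstat-style text on stdin; prints one line per X11 TCP listener.
x11_tcp_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        # The port follows the last "." (BSD/macOS) or ":" (Linux).
        if (match(addr, /[.:][0-9]+$/) == 0) next
        port = substr(addr, RSTART + 1) + 0
        host = substr(addr, 1, RSTART - 1)
        # X11 displays :0 to :63 map to TCP 6000 to 6063.
        if (port < 6000 || port > 6063) next
        scope = (host == "127.0.0.1" || host == "::1" || host == "localhost") \
                ? "loopback" : "exposed"
        printf "display :%d port %d bind %s %s\n", port - 6000, port, host, scope
    }'
}

# Counts listeners reachable from other hosts unless a firewall denies them.
x11_exposed_count() {
    x11_tcp_listeners | grep -c ' exposed$' || true
}

# Demonstration on the constructed sample.
sample_netstat | x11_tcp_listeners
```

On a live host, run `netstat -an | x11_tcp_listeners`; an X server started with `-nolisten tcp` should produce no line for its display.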
