Re: Firewall rule for X11 usage
- Subject: Re: Firewall rule for X11 usage
- From: Sean Ahern <email@hidden>
- Date: Thu, 16 Jan 2003 12:03:53 -0800
Daniel Eggert wrote:
> You do _not_ need to change _any_ firewall settings to use X11 through
> ssh if ssh is already working. That's the whole idea of X11 forwarding
> in ssh -- everything will go through your ssh session on port 22.
>
> It is a _bad_ idea to open ports 6000-60xx and connect directly through
> this. Anybody listening to you connecting will see all key presses in
> clear text. Just think of what this means when you enter passwords.
>
> BTW: Using X11 forward in ssh saves you a lot of trouble setting things
> up.
Yes, there have been a lot of answers to this. I wonder if it should be
turned into a FAQ. You provided a good summary of the ssh forwarding
concept. But you didn't summarize the rest.
Ssh does encryption and compression of the stream. The encryption is why
it's secure, but it can make the connection very slow. In my experience,
and that of pretty much everyone else I work with, the delays necessitated
by ssh encoding make the connection tremendously slower than if you bypass
ssh. You may want to try turning on compression in ssh (with the -C option
or a config file setting). It will very much depend on the bandwidth of
your network.
However, if you bypass ssh, you have to ensure security. As Mr. Eggert
mentioned, if you do not secure your connection somehow, you've pretty much
opened your machine to anyone who cares to listen. Even the keyboard
"locking" that xterm provides does not protect you from snoopers.
X11 has a good per-user authentication mechanism called xauth. Do not use
the older "xhost", as it only does per-machine authentication. See other
posts in this thread for details about how to set up xauth. If you use
xauth authentication, opening ports 6000-6063 is not a security hole.
As for setup time speed, Mr. Eggert is right about using ssh to forward the
connection. It's the easiest way to get going. It may also be the slowest
network route, though. Run some tests and decide what's best for your
setup.
Good luck!
-Sean
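The two posts above turn on one question: does the X traffic travel inside the ssh session (loopback display, typically :10 and up) or straight over TCP to port 6000+n, where only xauth stands between the session and anyone on the path? The value of DISPLAY answers that. The following shell helper is an added example, not code from either poster or from the x11-users list; the function names and the constructed sample DISPLAY values are my own.

```shell
#!/bin/sh
# Added example: classify an X11 DISPLAY value by transport and work out the
# TCP port the X server would listen on for it (6000 + display number).
# Function names and sample values are constructed for this example.

# Port an X server uses for a given DISPLAY ("[host]:display[.screen]").
x11_display_port() {
    display="${1#*:}"          # drop the host (or socket path) before the colon
    display="${display%%.*}"   # drop the ".screen" suffix if present
    echo $((6000 + display))
}

# How the client reaches the server:
#   unix-socket  local UNIX socket, nothing on the network at all
#   loopback     server on localhost, which is what ssh -X presents to the client
#   direct-tcp   remote host over plain TCP: only xauth protects it, keystrokes in clear
x11_transport() {
    host="${1%%:*}"
    case "$host" in
        ""|/*)                echo "unix-socket" ;;
        localhost|127.0.0.1)  echo "loopback" ;;
        *)                    echo "direct-tcp" ;;
    esac
}

# One-line verdict for the current session; returns 1 when DISPLAY is unset.
x11_check() {
    if [ -z "$1" ]; then
        echo "DISPLAY is not set: no X connection to assess"
        return 1
    fi
    echo "DISPLAY=$1 transport=$(x11_transport "$1") tcp_port=$(x11_display_port "$1")"
}

# Walk the cases discussed in the thread (constructed values).
for d in ':0' 'localhost:10.0' 'remote.example.com:3.0' \
         '/private/tmp/launchd/org.xquartz:0'; do
    x11_check "$d"
done
x11_check "${DISPLAY:-}" || true
```

A "direct-tcp" verdict is the configuration Mr. Eggert warns about; in that case the server side must be listening on 6000+n and the firewall must pass it, whereas a "loopback" display means the ssh forward is carrying the session and no 6000-range rule is needed.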
x11-users mailing list | email@hidden