Firewall Wizards mailing list archives
Re: Do you permit X11 via proxy firewall?
From: dlang () diginsite com
Date: Mon, 10 Sep 2007 09:31:00 -0700 (PDT)
On Fri, 7 Sep 2007, ArkanoiD wrote:
> On Wed, Sep 05, 2007 at 04:48:46PM -0700, dlang () diginsite com wrote:
>> On Thu, 6 Sep 2007, ArkanoiD wrote:
>>> That's most practical, almost everyone is doing that. So we can declare x11 gateways officially dead, i guess.
>>>
>>> On Wed, Sep 05, 2007 at 05:02:50PM -0400, Paul Melson wrote:
>>>>> And, if yes, how do you implement it?
>>>> No, that's what 'ssh -X' is for.
>> why is tunneling X through firewalls noticeably safer than just doing packet filtering to allow it through?
> Because it ensures proper endpoint authentication, encryption and ensures (well, to some extent) that no malicious connections will be made through the tunnel. At least does it better as packet filtering rules are static. The same rationale applies for x11 gateways: most of them present a kind of confirmation dialog for every new client connection.
I agree with the value of the authorization/authentication. encryption can be valuable in some environments, in others it just eats up CPU cycles.
>> if the only answer is because it prevents someone from intercepting and tinkering with the TCP datastream then it's only relevant in some situations and you are saying that in others it's perfectly safe to just do packet filtering. remember, just because everyone is doing it, it may not be safe.
> It is not, as nothing is safe, but sometimes it is acceptable risk ;-)
I agree, however I see a mindset creeping in that if you just encrypt it then it must be safe, and so I question statements like 'X is unsafe, but if you tunnel it through SSH then it's safe'.

by the way, for those who are new to X, it allows programs to communicate with each other, even from different machines if they share a display. for a trivial example of this take two linux boxes, configure them to both use the same display (through whatever mechanism, including through SSH). then try to start up firefox on both machines (ideally, pass it a URL to start with). what you will find is that when you try to start it up on the second machine it detects that you already have it running on the first machine and instructs that copy of firefox to open a window to the URL you told the second machine to display.

David Lang
>> remember almost everyone thinks that firewalls are just packet filters and have no business actually looking at the packets that they let through.
> Not us ;-)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Do you permit X11 via proxy firewall? ArkanoiD (Sep 05)
- Re: Do you permit X11 via proxy firewall? Skough Axel U/IT-S (Sep 05)
- Re: Do you permit X11 via proxy firewall? Behm, Jeffrey L. (Sep 05)
- Re: Do you permit X11 via proxy firewall? K K (Sep 05)
- Re: Do you permit X11 via proxy firewall? Paul Melson (Sep 05)
- Re: Do you permit X11 via proxy firewall? ArkanoiD (Sep 05)
- Re: Do you permit X11 via proxy firewall? dlang (Sep 06)
- Re: Do you permit X11 via proxy firewall? ArkanoiD (Sep 08)
- Re: Do you permit X11 via proxy firewall? jason (Sep 08)
- Re: Do you permit X11 via proxy firewall? ArkanoiD (Sep 05)
- Re: Do you permit X11 via proxy firewall? Jim Seymour (Sep 06)
- <Possible follow-ups>
- Re: Do you permit X11 via proxy firewall? dlang (Sep 10)