xhost question

Kevin Brown plug-discuss@lists.plug.phoenix.az.us
Sun, 03 Feb 2002 21:58:54 -0700


If this is on an internal LAN at home then I would think that you could connect
without having to use ssh.  My systems here all accept connections, but only
from other 10.0.0.X boxes and ignore 10.0.0.1 (Gateway).  Switched Network, so
no one can listen to anyone else's connection without root access to the machines
(which only I have :) )

assuming on the firewall/masq box:
1) rejects any incoming from the Net
3) accepts connections from the internal LAN and makes sure that the return IP
is an internal network IP 10.0.0.x

Other boxes would probably just want 2 & 3, but change the eth<x> reference
2) rejects any connection attempts from the firewall (in case of compromised
system).

1) /sbin/ipchains -A input -p TCP -i eth0 --dport 6000:6010 -j REJECT
2) /sbin/ipchains -A input -p TCP -i eth1 --dport 6000:6010 -s 10.0.0.1/32 -j REJECT
3) /sbin/ipchains -A input -p TCP -i eth1 --dport 6000:6010 -s 10.0.0.0/24 -j ACCEPT

Not the best, but should hopefully work with little modification.

"der.hans" wrote:
> 
> On 03 Feb 2002, Carl Parrish chattered thus:
> 
> > Okay I have a lan set up at my house. It's all behind an ipchain firewall
> > (RH 7.2 yes I know I should be using iptables). I'm getting tired of
> > running up and down stairs to get to my different computers and want to
> > simply export my display to my main computer. Trying to avoid typing
> > xhost +<hostname> for every computer in my house yet at the same time
> > I'm concerned that if I type xhost + that it will open my display to the
> > internet. So my question is does anyone know of the ipchain rule that
> > will prevent my display from going out? Or is this something I even have
> > to worry about?
> 
> Your X server should no longer be listening for tcp connections. Use ssh.
> Look at -X option.
> 
> ciao,
> 
> der.hans
> --
> #  http://home.pages.de/~lufthans/   http://www.DevelopOnline.com/
> #  When I work, I work hard. When I play, I play hard.
> #  When I sit, I sleep. - Embe Kugler
> 
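
Added example (not part of the original message or thread): a small Python model of first-match rule evaluation for the three ipchains rules above, showing that rule 2 has to come before rule 3 and that a source matching no rule falls through to the chain policy. The eth0 interface name on the non-firewall box, the sample addresses and the default ACCEPT policy are assumptions.

```python
import ipaddress

X11_PORTS = range(6000, 6011)  # --dport 6000:6010 in the rules above

# (interface, source network, target), in the order the rules are appended.
# Firewall/masq box: rules 1 and 3 from the message.
FIREWALL = [
    ("eth0", "0.0.0.0/0", "REJECT"),    # 1) anything arriving on the Net side
    ("eth1", "10.0.0.0/24", "ACCEPT"),  # 3) internal LAN sources
]
# Another LAN box: rules 2 and 3; the single interface name eth0 is assumed.
LAN_BOX = [
    ("eth0", "10.0.0.1/32", "REJECT"),  # 2) the firewall itself
    ("eth0", "10.0.0.0/24", "ACCEPT"),  # 3) the rest of the LAN
]


def decide(rules, iface, src, dport, policy="ACCEPT"):
    """Target of the first matching rule; the chain policy if none matches."""
    if dport in X11_PORTS:
        addr = ipaddress.ip_address(src)
        for rule_iface, net, target in rules:
            if iface == rule_iface and addr in ipaddress.ip_network(net):
                return target
    return policy  # nothing matched: the chain's default policy decides


if __name__ == "__main__":
    # Constructed sample packets, not taken from the thread.
    cases = [
        ("LAN host to LAN box", LAN_BOX, "eth0", "10.0.0.5", 6000, "ACCEPT"),
        ("firewall to LAN box", LAN_BOX, "eth0", "10.0.0.1", 6000, "ACCEPT"),
        ("rules 2 and 3 swapped", LAN_BOX[::-1], "eth0", "10.0.0.1", 6000, "ACCEPT"),
        ("non-LAN source, policy ACCEPT", LAN_BOX, "eth0", "192.168.1.9", 6005, "ACCEPT"),
        ("non-LAN source, policy DENY", LAN_BOX, "eth0", "192.168.1.9", 6005, "DENY"),
        ("Internet to firewall", FIREWALL, "eth0", "203.0.113.7", 6010, "ACCEPT"),
    ]
    for name, rules, iface, src, port, policy in cases:
        print(f"{name:32} {src:>12}:{port} -> {decide(rules, iface, src, port, policy)}")
```

With a default ACCEPT policy, a source outside 10.0.0.0/24 matches none of the rules and is accepted, so the source check in rule 3 only restricts anything when the chain policy is DENY or a final REJECT for the port range follows it.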