Guest Nickwe Posted December 5, 2002

First, sorry for my English, I'll try to be as clear as possible. I can answer in French if you want ;-)

When shorewall is configured on the server with all the boxes checked to allow FTP, SMTP, POP, TELNET, SSH, ... + the ports 10000, 7100, 177, 15, it can share its internet connection with the clients on the LAN, but the client computers can't get a remote display of the server (X -broadcast in the console, as seen in the xdmcp tutorial here: http://www.mandrakeforum.com/article.php?s...id=2237&lang=en). They get a black screen with an X in the middle of the screen as the mouse pointer.

But if I configure shorewall to open all the ports on the server (which means no firewall), the client computers can get a remote display of the server (kdm login screen), but the server can't share its internet connection with the client computers :-(

So I'm asking you which ports I should open in the MDK control center (shorewall) to have the internet connection sharing and the remote display working at the same time? Or if you have any ideas or any directions where to look, they are welcome ;-)

Thanks for your support, you're doing a great job :-)
theYinYeti Posted December 5, 2002

So basically, it comes down to knowing: what port is X using for XDMCP? If someone has the answer, I'm also interested.

That being said, I use bastille-firewall because it is shipped with Mandrake 8.1, which I use. In this firewall's config file, I can tell that ppp0 (internet) is untrusted, and eth0 (lan) is trusted. That way, firewall rules only apply to ppp0, so XDMCP works, and the lan is protected from the internet by the firewall. I guess you can do something similar with your firewall.

Yves.
theYinYeti Posted December 5, 2002

Here's the answer, direct from the net: port 177
http://www.iss.net/security_center/advice/...Exploits/Ports/
Guest Nickwe Posted December 5, 2002

As seen in /etc/services on my MDK 9.0, the xdmcp port is 177 and the xfs port is 7100. I have opened both of them, and it still doesn't want to work :-(

My rules file (/etc/shorewall/rules) looks like this:

    ACCEPT net fw udp 53,177,81 -
    ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,23,177,7100,81,15,10000 -
    ACCEPT masq fw udp 53,177,81 -
    ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,23,177,7100,81,15,10000 -
    ACCEPT loc fw udp 53,177,81 -
    ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,23,177,7100,81,15,10000 -
    ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
    ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
    ACCEPT fw masq tcp 631,137,138,139 -
    ACCEPT fw masq udp 631,137,138,139 -

So if you have any idea how I could tune this file, it would be great ;-)

Thanks a lot.

PS: Another way to solve the problem would be to make the internet connection sharing work without the firewall, since the remote display manager works without the firewall.
qeldroma Posted December 7, 2002

I got the same problem and didn't solve it (needs time I don't have). Perhaps a hint: X opens high ports per client above 32000. If you do a netstat with shorewall off and clients logged in, you will see that. Perhaps these high ports aren't available...

I tried shorewall, firestarter, guarddog. All of them block the clients out, although 177/7100 are opened...

Following is my netstat, while a client is connected:

    Proto Recv-Q Send-Q Local Address            Foreign Address           State
    tcp        0      0 server.kanzleirgbp.:xfs  arbeitsplatz2.kan:32771   VERBUNDEN
    tcp        0      0 server.kanzleirgb:32782  arbeitsplatz2.kanzl:x11   VERBUNDEN
    tcp        0      0 server.kanzleirgb:32770  arbeitsplatz2.kanzl:x11   VERBUNDEN
    tcp        0      0 server.kanzleirgb:32784  arbeitsplatz2.kanzl:x11   VERBUNDEN
    tcp        0      0 server.kanzleirgb:33439  arbeitsplatz2.kanzl:x11   VERBUNDEN
    Aktive Sockets in der UNIX Domäne (ohne Server)
    Proto RefZäh Flaggen  Typ     Zustand    I-Node Pfad
    unix  13     [ ]      DGRAM              2846   /dev/log
    unix  2      [ ]      DGRAM              363069
    unix  2      [ ]      DGRAM              363051
    unix  2      [ ]      DGRAM              3695
    unix  2      [ ]      DGRAM              3264
    unix  3      [ ]      STREAM  VERBUNDEN  3228   /tmp/.X11-unix/X0
    unix  3      [ ]      STREAM  VERBUNDEN  3227
    unix  2      [ ]      DGRAM              3221
    unix  2      [ ]      DGRAM              3099
    unix  3      [ ]      STREAM  VERBUNDEN  3074   /tmp/.font-unix/fs7100
    unix  3      [ ]      STREAM  VERBUNDEN  3072
    unix  2      [ ]      DGRAM              3059
    unix  3      [ ]      STREAM  VERBUNDEN  3076   /tmp/.X11-unix/X0
    unix  3      [ ]      STREAM  VERBUNDEN  3044
    unix  2      [ ]      DGRAM              2980
    unix  2      [ ]      DGRAM              2918
    unix  2      [ ]      DGRAM              2870
    unix  2      [ ]      DGRAM              2857

PLEASE DON'T forget to post it if you solved this, I have been searching for this for months, but my firewalling (especially iptables) knowledge is too bad for this :-(
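As an added example (not code from any poster in this thread), the script below reads a shorewall rules file in the ACTION SOURCE DEST PROTO PORTS layout Nickwe posted and reports whether each leg of an XDMCP session has an ACCEPT rule: the XDMCP query (udp 177) and the font server (tcp 7100) from the client, and the server's connection back to the client's X display (the `:x11` connections in qeldroma's netstat, port 6000 plus the display number). It assumes the LAN is the zone named `loc` and that a leg with no rule falls through to the zone policy in /etc/shorewall/policy, which the thread does not show.

```python
# Service names used in the posted rules (constructed subset of /etc/services).
SERVICES = {"domain": 53, "bootps": 67, "http": 80, "https": 443, "imap": 143,
            "pop3": 110, "smtp": 25, "nntp": 119, "ntp": 123, "xdmcp": 177,
            "xfs": 7100, "x11": 6000}

def parse_ports(field):
    """Expand a shorewall port field ('53,177', 'http', '6000:6063') to a set."""
    ports = set()
    for item in field.split(","):
        lo, _, hi = item.partition(":")
        lo = SERVICES.get(lo, lo)
        hi = SERVICES.get(hi, hi) if hi else lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports

def parse_rules(text):
    """Parse 'ACTION SOURCE DEST PROTO PORTS' lines; skip comments and blanks."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 5:
            action, src, dst, proto, ports = fields[:5]
            rules.append((action, src, dst, proto, parse_ports(ports)))
    return rules

def allowed(rules, src, dst, proto, port):
    """True if an ACCEPT rule covers the flow; otherwise the zone policy decides."""
    return any(a == "ACCEPT" and (s, d, p) == (src, dst, proto) and port in ports
               for a, s, d, p, ports in rules)

# Legs of one XDMCP session between a LAN client (zone 'loc', assumed) and the
# server ('fw'); the last leg is the server connecting back to the client's display.
XDMCP_LEGS = {
    "xdmcp query  loc->fw udp/177": ("loc", "fw", "udp", 177),
    "font server  loc->fw tcp/7100": ("loc", "fw", "tcp", 7100),
    "X11 display  fw->loc tcp/6000": ("fw", "loc", "tcp", 6000),
}

def check_xdmcp(rules_text):
    """Map each leg to True (ACCEPT rule present) or False (left to policy)."""
    rules = parse_rules(rules_text)
    return {leg: allowed(rules, *flow) for leg, flow in XDMCP_LEGS.items()}

# The loc/fw lines from Nickwe's posted rules file (copied from the thread).
NICKWE_RULES = """ACCEPT loc fw udp 53,177,81 -
ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,23,177,7100,81,15,10000 -
ACCEPT fw masq tcp 631,137,138,139 -"""

for leg, ok in check_xdmcp(NICKWE_RULES).items():
    print(leg, "rule present" if ok else "no rule, zone policy decides")
```

With Nickwe's rules the two client-to-server legs are covered and the server-to-client X11 leg is not, which is the direction of the high-port connections qeldroma only saw with the firewall off.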
theYinYeti Posted December 9, 2002

What's wrong with my solution :? :?: I posted it several times, and it's just like I'm talking to the wind...

Bastille-firewall allows you to apply different rules, based on the interface: there are trusted interfaces, semi-trusted interfaces, and untrusted interfaces. So ?

Yves.