Richard wrote:
>> Try disabling xdmcp with
>>
>> startx -- -nolisten tcp
>>
>> -- Bruce
>>
>
> I tried this but it didn't make any difference.
> Is it likely that xdmcp is enabled on my system? I
> read that it is usually disabled by default because
> it is not secure, and I have not done anything to
> intentionally enable it. Is there a way I can tell
> if it is enabled on my system?

$ netstat -an --inet
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN

Port 6000 (or 60xx) is xorg. Unless the default has been changed in the last six months or so, it is active. netstat is from net-tools.

> Anyway I have become resigned to allowing traffic
> on the loopback interface through my firewall.
> However, I am concerned about the way this is
> done in the /etc/rc.d/rc.iptables file suggested
> in the BLFS book. If I include the following rule:
>
> # Allow local-only connections
> iptables -A INPUT -i lo -j ACCEPT
>
> then I get for INPUT:
>
> -----------------------------------------------------
> iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "FIREWALL:INPUT "
> -----------------------------------------------------
>
> Doesn't this mean that packets from *anywhere* will be accepted??

No. Use 'iptables -n -v -L'. The above does not list the interface.

> On the other hand, if I use:
>
> # Allow local-only connections
> iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
>
> then I get for INPUT:
>
> iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  localhost            localhost
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> LOG        all  --  anywhere             anywhere             LOG level warning prefix "FIREWALL:INPUT "
>
> Isn't this what I want?
>
> By allowing communication on 127.0.0.1 I no longer get the
> above messages on startx.
You can do that, but internally all IP addresses of the form 127.x.y.z are equivalent. These addresses are never routed outside the local system unless such a packet is specifically created by a tool. Even then, systems will ignore it because it would be on the wrong interface.

'anywhere' above is a misnomer. It really means any IP address. The interface is a separate test.

-- Bruce

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
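An added example, not code from the thread or from the BLFS rc.iptables script: the two checks Bruce points at, written so they can be run against real tool output. x_tcp_listeners reads 'netstat -an --inet' and reports any TCP socket listening on an X display port (6000-6063) and whether it is bound to all interfaces; check_input_chain reads 'iptables -n -v -L INPUT' and, for every ACCEPT rule, shows the input interface, the source and any extra match (ctstate etc.), so a rule that really does accept from anywhere stands out. It also refuses a plain 'iptables -L' listing, since that format has no interface column, which is exactly what misled the question. The SAMPLE_* listings are constructed to match the rules quoted above and were not captured from any host; the column layouts are those of net-tools netstat and iptables, but the packet and byte counts are invented.

```sh
#!/bin/sh
# Added example for this thread, not code from the BLFS book or from either
# poster. Both functions read tool output on stdin; on a real host run
#   netstat -an --inet | x_tcp_listeners
#   iptables -n -v -L INPUT | check_input_chain
# The SAMPLE_* listings below are constructed, not captured from a real machine.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED'

# iptables -n -v -L INPUT after "iptables -A INPUT -i lo -j ACCEPT"
SAMPLE_VERBOSE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  540 41000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FIREWALL:INPUT "'

# The same chain as plain "iptables -L" prints it: no in/out columns at all.
SAMPLE_PLAIN='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning prefix "FIREWALL:INPUT "'

# Print every TCP socket in LISTEN state on an X display port (6000-6063)
# together with the scope of the address it is bound to.
x_tcp_listeners() {
    awk '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")            # local address is host:port
            port = a[n] + 0
            if (port < 6000 || port > 6063) next
            if (a[1] == "0.0.0.0")       scope = "all interfaces"
            else if (a[1] ~ /^127\./)    scope = "loopback only"
            else                         scope = "one address"
            print $4 " (" scope ")"
        }'
}

# For each ACCEPT rule show interface, source and any extra match; a rule with
# none of the three is flagged as unrestricted. Exits 1 on a listing made
# without -v, because that output hides the interface the rule is bound to.
check_input_chain() {
    awk '
        NR == 1 { next }                     # "Chain INPUT (policy ...)"
        NR == 2 {                            # column header line
            if ($0 !~ /target +prot +opt +in +out/) {
                print "no interface column: rerun with iptables -n -v -L"
                exit 1
            }
            next
        }
        $3 != "ACCEPT" { next }
        {
            iface = $6; src = $8; extra = ""
            for (i = 10; i <= NF; i++)
                extra = extra (extra == "" ? "" : " ") $i
            line = "ACCEPT rule " (NR - 2) ": in=" iface " src=" src
            if (extra != "") line = line " match=" extra
            if (iface == "*" && src == "0.0.0.0/0" && extra == "")
                line = line " (unrestricted)"
            print line
        }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | x_tcp_listeners
printf '%s\n' "$SAMPLE_VERBOSE" | check_input_chain
printf '%s\n' "$SAMPLE_PLAIN"   | check_input_chain || true
```

Run against the constructed samples, the netstat check reports 0.0.0.0:6000 bound to all interfaces, the verbose chain shows rule 1 as in=lo and rule 2 as in=* with the ctstate match, and the plain listing is rejected. After 'startx -- -nolisten tcp' the 6000 line should disappear from the first check; if it does not, the X server was started some other way.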
