On Sun, 10 Oct 2004 18:31:27 -0500, Shawn K. Quinn
<[EMAIL PROTECTED]> wrote:
> On Sunday 10 October 2004 14:19, you wrote:
> > best firewall: openbsd without a gui
> >
> > second best firewall: openbsd with a gui
> 
> Would it help to firewall out connections from the world interface on
> the standard X Window System ports (6000-6009 or so)? I would think
> that would satisfy any security issues that would be caused by running
> X on the firewall.

That'd be the absolute minimum; better still would be to bind all of
the GUI protocol listeners to loopback (and 'pf' to filter loopback
traffic by source UID).  Even in the most paranoid X installation,
there is still increased risk of compromise -- X11 is complex and
has historically been a source of exploitable bugs, including in the
xserver, font server, and in the protocol itself.

Running a local display locally on the firewall host itself with mouse
and keyboard also will have a negative impact on performance and
stability.

The real question is what technical advantage is provided by a full
GUI running on the firewall itself, rather than having a separate
"inside" (trusted) management host with a GUI and a mechanism to push
changes up to the firewall from the management host?


Have you considered instead loading web management (e.g. webmin) on
the firewall, accessed via SSL?  You could then lock down remote
access to the https service, for example, using a combination of
authpf and SSL client certificates.

Kevin
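A pf.conf fragment that turns the two suggestions above (X11 blocked on the outside interface, loopback filtered by socket owner, web management gated by authpf) into rules. This is an added illustration, not from Kevin's message or the list; the interface names em0/fxp0, the admin account name and the X server running as root are assumptions.

```pf
# Added example, not from the thread. Assumed names: em0 (world), fxp0
# (inside), admin account "mgmt"; X assumed to run as root (typical in 2004).
ext_if    = "em0"
int_if    = "fxp0"
x11_ports = "6000:6009"
mgmt_user = "mgmt"

# Note: no 'set skip on lo0' here. Loopback must be filtered, or the
# 'user' rules below never see the packets.
set block-policy drop
table <authpf_users> persist     # filled in by authpf(8) on login

# Default deny; everything allowed is listed explicitly.
block all

# 1. X11 is never accepted from the world, whatever X is bound to.
#    (Starting X with '-nolisten tcp' removes the TCP listener entirely.)
block in quick on $ext_if proto tcp to port $x11_ports

# 2. Loopback X11: on the 'out' side the socket owner is the connecting
#    process; only root and the admin account may open the display.
pass out quick on lo0 proto tcp to port $x11_ports user { root, $mgmt_user }
block out quick on lo0 proto tcp to port $x11_ports
#    On the 'in' side the socket owner is the listener; it must be the X
#    server's uid, otherwise something else grabbed the port.
pass in quick on lo0 proto tcp to port $x11_ports user root
block in quick on lo0 proto tcp to port $x11_ports
#    All other loopback traffic stays permitted.
pass quick on lo0

# 3. Web management (https) only from the inside interface, and only from
#    addresses that have authenticated through authpf.
anchor "authpf/*"
pass in on $int_if proto tcp from <authpf_users> to ($int_if) port 443
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; SSL client certificates are enforced by the web server, not by pf.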
