SLUG Mailing List Archives

[SLUG] Re: Re: remote X and firewalls


On Wed, Oct 25, 2000 at 06:52:05PM +1100, chesty wrote:
> 
> XTerminal -------- Firewall ----------- XServer
> 
> ie XTerminal displays the screens, XServer runs the apps and
> the firewall blocks all forwarding. I want to run an X proxy
> on the firewall that forwards packets between the XTerminal
> and the Xserver that lets certain users through, rather than
> certain IP addresses. I'm not sure how xauth cookies do
> that. I thought xauth would be used to restrict who could
> connect to the XTerminal, I guess it could also be used on
> the firewall to restrict who can connect to the XServer
> side of the firewall?

the terms "server" and "client" are sort of the wrong way around in
X.

the X server is where the displaying is happening. X clients connect
to this to display stuff. so the terminal in front of the user is
actually the X *server*.


xauth cookies (i'm talking about "MIT magic cookies" aka "xdm
authorization cookies" here, xauth can actually use other types, but
i've never seen them) are used to authenticate a client to the
server. it's a big number that the client must present to the server to
be allowed to use the display.

now:

your firewall must forward the X connection request from the client
(remember this is the remote machine) to the X server (the desktop
box). i have never actually looked at xfwp, i presume it helps here.
at worst you could just port forward port (eg) 6010 to one machine and
6011 to another, then users can connect to <fwip>:10 and :11.

the client must then have the right cookie. a suitable method would
probably be to copy this across with an ssh script before running the
app. "xauth list <display>" and "xauth add" are useful here, remember
you'll have to change the display to whatever your firewall needs
before adding it on the client (remote) end.

-- 
 - Gus
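
The cookie hand-off described in the message above, as an added example that is not part of the original post: it maps a forwarded display to its TCP port and rewrites one line of `xauth list` output into the `xauth add` command for the client end. The function names, the hostnames `fw.example.com` and `desktop`, and the cookie value used with them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.

# X display :N listens on TCP port 6000+N, so a firewall forward of
# port 6010 is reached by clients as display <fwip>:10.
display_to_port() {
    n=${1##*:}      # drop the "host:" prefix
    n=${n%%.*}      # drop an optional ".screen" suffix
    case $n in ''|*[!0-9]*) return 1 ;; esac
    # strip leading zeros so the shell does not read the number as octal
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    echo $((6000 + n))
}

# Turn one line of `xauth list <display>` output
#   "<host>:<n>  MIT-MAGIC-COOKIE-1  <hex key>"
# into the `xauth add` command for the client (remote) end, with the
# display name replaced by the one the client uses to reach the firewall.
rewrite_cookie() {
    new_display=$1
    entry=$2
    set -f              # no globbing while the entry is split into fields
    set -- $entry
    set +f
    [ $# -eq 3 ] || return 1
    proto=$2
    key=$3
    # only the cookie type discussed in the post is handled here
    [ "$proto" = "MIT-MAGIC-COOKIE-1" ] || return 1
    # the key must be an even-length hex string
    case $key in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#key} % 2 )) -eq 0 ] || return 1
    printf 'xauth add %s %s %s\n' "$new_display" "$proto" "$key"
}

# Typical use on the desktop (X server) box, assuming ssh access to the
# remote client host (hostnames are placeholders):
#   line=$(xauth list "$DISPLAY" | head -n 1)
#   rewrite_cookie fw.example.com:10 "$line" | ssh user@remote.example.com sh
```

Sending the generated command over ssh keeps the cookie off the unencrypted path while it is being installed on the client end.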