Date: Sat, 31 Jul 1999 22:56:06 +0000
From: "Karsten M. Self"
Organization: Self Analysis
To: William Black
CC: svlug@svlug.org
Subject: Re: [svlug] X Client IP Ports

William Black wrote:

> And now for something completely different (from the Red Hat argument)...
>
> I'm trying to set up an opening in a firewall to let X servers receive
> remote X clients across it. The question is: What port(s) do I open
> up, and are we talking TCP or UDP?
>
> I know, I should've RTFMed, but I can't find a good Ms on this stuff.
> Any recommendations? I'm especially interested in xhost/xauth, etc.

Agreement with prior posts on this topic: xhost|xauth don't provide the
levels of security required for X-over-the-Net. ssh does, VPN (Virtual
Public Network) and the latest PGP may also provide secured, encrypted
tunneling IP (protocol-w/in-protocol) to provide security.

If you are running over any sort of WAN, particularly if dialup lines
are involved, you should also look into LBX (low bandwidth X). This is
a set of protocols which applies a protocol-specific compression to X
sessions, using a proxied X server as in ssh. LBX can be used with
secured protocols, so you can run both LBX and ssh to establish a remote
X session. Note that ssh provides both _compression_ and _encryption_
by default (in that order, for a number of reasons), but that the
generic compression utilized by ssh is less effective than the X Windows
protocol specific methods employed by LBX.

LBX involves a client (warning: X C:S reversal -- that's the _remote_
side) side proxy server which provides compression, and a server which
supports the LBX protocol. This is generally called 'lbxproxy', and
versions exist for both Linux and proprietary Unixes. Proprietary
versions are available, free, for download from http://www.x.org/ (hunt
for it, or email me a beer and I'll do it for you, regular hourly
charges apply). Most modern commercial X servers do (Hummingbird Exceed
NT 6.x does). I haven't tried this yet under Linux but I suspect XFree86
does.

Details on ssh and LBX are available in a number of places. The "Remote
X Apps mini-HOWTO" is a good place to start.

If it's possible, I'd recommend _not_ running X clients over WAN network
connections. While ssh addresses security needs, and LBX provides some
performance improvements, network latency is inherently high.
Compression and encryption overhead (on both the remote and local hosts)
can be high, particularly for a smaller box. Use of CLI or
network-aware applications with a separable, local GUI front-end, may be
a better solution.

--
Karsten M. Self (kmself@ix.netcom.com)
    What part of "Gestalt" don't you understand?

SAS for Linux: http://www.netcom.com/~kmself/SAS/SAS4Linux.html
Mailing list: "subscribe sas-linux" to mailto:majordomo@cranfield.ac.uk
  3:31pm  up 67 days, 16:37,  1 user,  load average: 0.17, 0.19, 0.10
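Added example, not part of the original message or thread: a small Python check that classifies DISPLAY values to show which X sessions would cross a firewall as cleartext TCP (port 6000 plus the display number) and which look like ssh proxy displays. The function names, the sample values and the assumption that sshd keeps OpenSSH's default X11DisplayOffset of 10 are mine.

```python
import re

X11_BASE_PORT = 6000      # an X server for display :N listens on TCP 6000+N
SSH_DISPLAY_OFFSET = 10   # OpenSSH's default X11DisplayOffset (assumed unchanged)
LOOPBACK = {"localhost", "127.0.0.1"}

# host:display[.screen]; an empty host (or "unix") means a local socket.
# IPv6 literals are not handled and are rejected as malformed.
_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<num>\d+)(?:\.\d+)?$")


def classify_display(display):
    """Return (kind, tcp_port) describing how a DISPLAY value reaches the X server."""
    m = _DISPLAY_RE.match(display.strip())
    if m is None:
        raise ValueError("not a host:display[.screen] value: %r" % display)
    host, num = m.group("host").lower(), int(m.group("num"))
    if host in ("", "unix"):
        return ("local-socket", None)          # never touches the network
    port = X11_BASE_PORT + num
    if host in LOOPBACK:
        # sshd's proxy displays start at the offset; lower numbers are a
        # real local X server reached over loopback TCP. This is a
        # heuristic: it is consistent with ssh forwarding, not proof of it.
        kind = "ssh-proxy" if num >= SSH_DISPLAY_OFFSET else "loopback-tcp"
        return (kind, port)
    return ("direct-tcp", port)                # cleartext X11 across the network


def firewall_ports(displays):
    """TCP ports a firewall would have to pass inbound for direct X sessions."""
    return sorted({port for kind, port in map(classify_display, displays)
                   if kind == "direct-tcp"})


if __name__ == "__main__":
    # Constructed sample values, not taken from the original message.
    samples = [":0", "localhost:10.0", "desk.example.com:0.0", "192.0.2.7:1"]
    for value in samples:
        print("%-22s %s" % (value, classify_display(value)))
    print("inbound TCP needed for direct X:", firewall_ports(samples))
```

For an "ssh-proxy" display the reported port is bound on the remote host by sshd, so the firewall only has to pass the ssh connection itself (TCP 22 by default).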