Re: [Bastille-linux-discuss] Re: bastille-linux-discuss digest, Vol 1 #1071 - 2 msgs
From: Jonathan L. <kj...@ya...> - 2004-09-27 05:01:19
I've confirmed using nmap that 6000-6019 is closed. I then config'd my fw to allow 6000-6019. I then stopped and restarted my fw, but nmap still said they were closed. I then rebooted my machine and they are still closed. My fw config still says that they are indeed open, though nmap says otherwise. There is no bastille-firewall in my /etc/init.d directory. Is there anything bastille does to close these ports? Once again I'm using Fedora Core 2 and this is bastille version 2.1.2.

--- Paul Allen <al...@nw...> wrote:

> Jonathan Loh wrote:
> > --- bas...@li... wrote:
> >
> >>I wrote:
> >>
> >>>My ssh is no longer able to forward my X11 requests. I look at my sshd_config
> >>>and it still does have X11 forwarding on. This is not too critical a box so
> >>>I'm not too worried about it, but still it is a minor annoyance.
> >>>
> >>Well, the first thing to figure out is whether it's a client-side or
> >>server side-issue. Try running ssh with the -X option, like so:
> >>
> >> ssh -X account@server "xclock"
> >>
> >> Let me know what happens?
> >
> >
> > [jloh@alphascorp jloh]$ xterm &
> > [1] 2486
> > [jloh@alphascorp jloh]$ xterm Xt error: Can't open display:
> >
> > [1]+ Exit 1 xterm
>
> Your local X setup is munged or you asked Bastille to block port
> 6000. Try turning off the bastille firewall and see if things
> improve. On the ancient version I'm running on my router, you'd
> say "/sbin/service bastille-firewall stop". Not sure if that
> still works on the current version. In any event, the script
> will be in /etc/rc.d/init.d with a name something like
> "bastille-firewall" and you want to run it with the argument "stop".
> If that clears up your X problem, then you need to adjust your
> firewall settings so X traffic won't be blocked. X uses ports
> starting with 6000, while ssh uses ports starting with 6010
> to forward connections. I'd open ports 6000-6019.
>
> > [jloh@alphascorp jloh]$ ssh -X jloh@localhost "xclock"
> > jloh@localhost's password:
> > bash: line 1: xclock: command not found
> > [jloh@alphascorp jloh]$
>
> Um, when you run a remote command via ssh, you get the $PATH
> the remote sshd decides to give you, not the one you've got
> set up in your dot-files. "Command not found" means you need
> to specify the full path to the xclock command on the remote
> system.
>
> > I'm on a laptop; before running bastille I had no problems opening an xterm on
> > my laptop. I even tried setting my display environment variable manually,
> > which I shouldn't have to, but still it complains. I tried the same command
> > substituting the localhost with my server name from my laptop with the same results.
>
> So far, everything you say is consistent with port 6000
> being blocked. If your firewall config isn't blocking
> the X range from 6000-6019, then post back to the list with
> that detail and the experts will take it the next step.
>
> Paul Allen
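As an added example (not part of this thread or of Bastille), a small bash helper for the reasoning Paul lays out: it maps a DISPLAY value to the TCP port X would use, separates unix-socket displays (which no packet filter sees) from TCP ones, computes the range a host firewall must allow for the local display plus sshd-forwarded ones, and probes a port as a quick stand-in for the nmap check. It assumes sshd's default X11DisplayOffset of 10 and a bash with /dev/tcp plus coreutils timeout for the probe.

```shell
#!/bin/bash
# Added example: helpers for reasoning about the X11 ports in this thread.
# X listens on TCP 6000 + display number; sshd hands out forwarded displays
# starting at X11DisplayOffset (default 10), i.e. TCP 6010 and up.

# Print the TCP port for a DISPLAY such as "localhost:10.0" or ":0".
# Fails (exit 1) when the display number is missing or non-numeric.
x11_display_port() {
    local display="$1" num
    num="${display#*:}"          # strip the "host:" prefix
    num="${num%%.*}"             # strip the ".screen" suffix
    case "$num" in
        ''|*[!0-9]*) echo "invalid DISPLAY: '$display'" >&2; return 1 ;;
    esac
    # drop leading zeros so "010" is not read as octal by $(( ))
    while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do num="${num#0}"; done
    echo $((6000 + num))
}

# Print "unix" for displays reached over the local socket (":0", "unix:0"),
# which a packet filter never sees, or "tcp" for host-qualified displays,
# which is what ssh -X sets on the remote side (e.g. "localhost:10.0").
x11_display_transport() {
    case "$1" in
        :*|unix:*) echo unix ;;
        *)         echo tcp ;;
    esac
}

# Print the range a host firewall must allow for the local display plus
# N forwarded ssh sessions: offset 10 and 10 sessions give 6000-6019.
x11_port_range() {
    local offset="${1:-10}" sessions="${2:-10}"
    echo "6000-$((6000 + offset + sessions - 1))"
}

# Succeed if a TCP connect to host:port completes within 2 seconds, as a
# quick stand-in for the nmap check; needs bash (/dev/tcp) and coreutils
# timeout. A DROP rule shows up as a timeout, just like a closed port.
x11_port_open() {
    local host="${1:-127.0.0.1}" port="$2"
    timeout 2 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}
```

Running `x11_port_open 127.0.0.1 "$(x11_display_port "$DISPLAY")"` on the server distinguishes a port that is filtered by the host firewall from one where no X server or sshd forward is listening only by the delay, so compare its result against what the firewall rules claim to allow.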