Re: interface bindings of x-server

Hi!

> You can get similar effects via the above mentioned -nolisten/ssh combo,
mhhh - generally (especially on Unix) this should work - BUT:
e.g. I often use Cygwin XFree86 and PuTTY on a windoze box. How can I tell PuTTY to use the
socket that Cygwin XFree86 creates? I think PuTTY isn't "Unix domain socket aware" - isn't it?
Should I really blame PuTTY now? ;)

BTW: this issue came to my mind because, while evaluating NX from NoMachine on my home PC, my Kerio firewall popped up and told me: hey, someone is trying to connect to port 6000 from the internet (no - not the NX server - just an IP originating from rr.com). Since I used the "secure" options inside NX-Client, I wondered: why is Xwin.exe (the Cygwin port of XFree86, which comes with NX-Client) bound to 0.0.0.0:6000 at all? All other processes of NX are bound to localhost only - and since NX does some sort of "tunneling", binding Xwin.exe to localhost would be sufficient. So I searched for an option, but didn't find one. OK - I didn't discuss this with the NoMachine people yet - maybe -nolisten tcp is an option there, because their "customized" ssh client is Cygwin based, too.

> or with a firewall, so it's not been high enough priority for anyone to
mhh - from the point of view of a security-aware sysadmin: a port which isn't listening and reachable from the internet doesn't need to be protected by a firewall. Every (unnecessary) port listening to the outside world is one port too many - regardless of whether you have a firewall or not.

> write the code to do that. (I did actually put code like this in xdm for
> controlling which interfaces to listen on for XDMCP connections
> when I was doing the IPv6 work, but that only deals with XDMCP protocol
> connections, not the X protocol itself.)
That's fine regarding xdm - but I really would love to see it in the X server too ;)

> Also, most of the apps that support this are designed to run on machines
> that connect to both internal and external networks, and those machines
> often don't run X.
mhh - I think being able to specify the interface is just a matter of "good design of network server apps" in general, IMHO.
I have had several multi-interface issues with all sorts of server apps where I just banged my head against the wall, because the programmer of that app didn't keep in mind that his app could be used in multi-interface scenarios or by security-aware persons. (Maybe it's mostly just due to the fact that a programmer has a very different "philosophy" regarding this, or because he just isn't aware that there are "multi-homed hosts" or security-aware persons in the real world.) This fact has really given me headaches several times in my admin life and led me to my personal conclusion: network server application? Yes - but PLEASE let me configure the interface bindings! :)

regards
roland
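The 0.0.0.0:6000 observation above is a wildcard bind, and the '-nolisten tcp' advice quoted below is the fix; the check in both cases is the same. As an added example that is not part of this thread, here is a small Python audit over netstat-style output (a constructed sample, not real host data) that maps TCP 6000+N back to display :N and flags every X server that is not bound to loopback only. Run it again after starting X with -nolisten tcp and the list should be empty.

```python
import ipaddress

# Constructed sample in the layout of `netstat -ant` output (not a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6001          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN
tcp6       0      0 :::6002                 :::*                    LISTEN
tcp        0      0 192.168.1.10:631        0.0.0.0:*               LISTEN
"""

X_BASE_PORT = 6000   # X display :N listens on TCP 6000+N
X_MAX_DISPLAYS = 64  # audit range: displays :0 .. :63

def parse_listeners(text):
    """Yield (host, port) for every LISTEN line of netstat-style output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[-1] != "LISTEN":
            continue
        # rpartition handles both "0.0.0.0:6000" and the IPv6 form ":::6002"
        host, _, port = parts[3].rpartition(":")
        yield host, int(port)

def exposure(host):
    """Classify a bound address as 'wildcard', 'loopback' or 'interface'."""
    if host in ("0.0.0.0", "::", "*"):
        return "wildcard"           # reachable on every interface
    addr = ipaddress.ip_address(host)
    return "loopback" if addr.is_loopback else "interface"

def audit_x_listeners(text):
    """Return one finding per X display whose TCP socket is not loopback-only."""
    findings = []
    for host, port in parse_listeners(text):
        if not X_BASE_PORT <= port < X_BASE_PORT + X_MAX_DISPLAYS:
            continue
        kind = exposure(host)
        if kind != "loopback":
            findings.append({"display": port - X_BASE_PORT,
                             "bind": host, "exposure": kind})
    return findings

if __name__ == "__main__":
    for f in audit_x_listeners(SAMPLE_NETSTAT):
        print(f"display :{f['display']} bound to {f['bind']} ({f['exposure']})"
              " - start the server with -nolisten tcp or bind it to loopback")
```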


-------------------------------------------------------------------------------------
devzero@xxxxxx wrote:
>>You can use the '-nolisten tcp' option to suppress listening on TCP
>>completely in your case.
> 
> OK - thanks - but how should anything connect then to a listening socket, if it isn't able to talk
> to the X server via BSD socket or whatever other method (I don't know)?

-nolisten tcp only disables tcp sockets - you can still connect to :0
using the Unix domain socket, and then let ssh forwarding take care of
all remote connections.

> I'm a system administrator and most "well designed" server apps support a configure option to bind to specific interfaces. Apache, MySQL, Samba - I can let them all run on a specific interface:port ..... so should X, IMHO.
> If this feature isn't already "inside" X - hasn't this been a feature request already?
> I think it's an essential feature!

You can get similar effects via the above mentioned -nolisten/ssh combo,
or with a firewall, so it's not been high enough priority for anyone to
write the code to do that. (I did actually put code like this in xdm for
controlling which interfaces to listen on for XDMCP connections
when I was doing the IPv6 work, but that only deals with XDMCP protocol
connections, not the X protocol itself.)

Also, most of the apps that support this are designed to run on machines
that connect to both internal and external networks, and those machines
often don't run X.

-- 
-Alan Coopersmith- alan.coopersmith@xxxxxxx
Sun Microsystems, Inc. - Sun Software Group
User Experience Engineering: G11N: X Window System

_______________________________________________
XFree86 mailing list
XFree86@xxxxxxxxxxx
http://XFree86.Org/mailman/listinfo/xfree86