Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

How to permit XWindows connections with the XDMCP to pass through a PIX Firewall

Resolution

The X Display Manager Control Protocol (XDMCP) is on by default, but does not complete the session unless the established command is issued, as shown:

Hostname(config)# established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535

Hostname(config)# established udp 0 177 permitto udp 0 permitfrom udp 177

Hostname(config)# established tcp 0 6000 permitto tcp 6000 permitfrom tcp 0

This enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. User Datagram Protocol (UDP)/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted.

Because the source port(s) of the return traffic is unknown, the src_port field must be specified as 0 (wildcard). The destination port, dest_port, is typically 6000, the well-known XServer port. The dest_port must be 6000 + n, where n represents the local display number. Issue the setenv DISPLAY hostname:displaynumber.screennumber UNIX command to change this value.

The established command is necessary because many TCP connections are generated based on user interaction, and the source port for these connections is unknown. Only the destination port is static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP sessions. Using applications like this through the PIX can open up security holes.

For more information, refer to the X Display Manager Control Protocol section of Configuring Application Inspection (Fixup).

For details about the established command, refer to Cisco Secure PIX Firewall Command References.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 05:36 PM
Updated by:
 
Labels (1)