[lug] Socket Error

D. Stimits stimits at idcomm.com
Thu Aug 23 14:29:24 MDT 2001


David wrote:
> 
> > > # Firewall configuration written by lokkit
> > > # Manual customization of this file is not recommended.
> > > # Note: ifup-post will punch the current nameservers through the
> > > #       firewall; such entries will *not* be listed here.
> > > :input ACCEPT
> > > :forward ACCEPT
> > > :output ACCEPT
> > > -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> > > -A input -s 216.17.128.1 53 -d 0/0 -p udp -j ACCEPT
> > > -A input -s 216.17.128.2 53 -d 0/0 -p udp -j ACCEPT
> > > -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
> > > -A input -s 0/0 -d 0/0 -p udp -j REJECT
> >
> > Add "-l" to enable logging on the REJECT lines, then (assuming RH 7.x)
> > restart ipchains (assuming this instead of iptables) via:
> > /etc/rc.d/init.d/ipchains restart
> 
> But isn't it the lo line that possibly is relevant here?
> 
> >
> > Test that ipchains really runs (do not use /etc/rc.d/init.d/ipchains for
> > this):
> > ipchains -L -n
> > (if rules spit out, it is running)
> >
> > Monitor /var/log/messages with "tail -f -n 30 /var/log/messages" while
> > trying your app. It'll tell you if it is the firewall doing the
> > rejection.
> 
> I tried this.  There was no messages activity at all.  That is good,
> though: it eliminates the firewall.  I never was quite comfortable
> with that explanation.
> 
> > In any other case, it probably means that your X11 ports do not have any
> > sort of daemon set to accept tcp/ip (local uses udp). The related
> > possibility is authentication failure (a recent topic).
> >
> > D. Stimits, stimits at idcomm.com
> 
> Now this is interesting.  I looked briefly at the man page for xauth
> this morning, I stopped when I saw it was for X.  But maybe that was
> bad thinking.  Can you help some more with this (I know that you are
> busy with xdvi 8-)

Someone else mentioned use of telnet to test for service. If you telnet
to the X11 port, and it is summarily dropped, without any connection at
all, versus having a connection and then being rejected after typing in
some nonsense, you will know whether it is lack of tcp/ip or if it is
authentication. The port you are interested in is 6000 (also good to
monitor with tail -f /var/log/messages, plus the X11 log itself,
/var/log/XFree86.0.log). Simply try (adjust localhost or ip address):
telnet localhost 6000

Does it allow you to connect and type nonsense, or does it drop you
without the ability to connect at all? Summarily dropping you indicates
nothing is listening for tcp/ip there. Allowing you in but dropping you
after typing nonsense indicates you are likely working with
authentication failure. Authentication is a big can of worms, but you
can try this for each host (use command line so it isn't permanent) you
might need the X display to allow connections from:
xhost +
(without any url after the '+' should open it to all)
Alternatively:
xhost +127.0.0.1
(or adjust to a real outside address...can do more than one)

D. Stimits, stimits at idcomm.com

> 
> dajo
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
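
The telnet test described in the message above, written as a script (an added example, not part of the original post). Instead of typed nonsense it sends an X11 connection-setup request with no authorization data, so "nothing listening on TCP" and "listening, but authentication refuses" come back as different answers. The function names and default values are assumptions made for this example.

```python
import socket
import struct

def classify_setup_reply(reply: bytes) -> str:
    """Interpret the first bytes of an X11 connection-setup reply."""
    if not reply:
        return "connected, then closed without a reply"
    status = reply[0]
    if status == 1:
        return "accepted: this host may open the display without a cookie"
    if status == 0:
        # Failed: byte 1 is the reason length, the text starts at offset 8.
        reason = reply[8:8 + reply[1]].decode("latin-1", "replace").strip()
        return "listening, but refused: " + (reason or "no reason given")
    if status == 2:
        return "listening, further authentication required"
    return "connected, but the reply is not X11 (status %d)" % status

def probe_x11(host: str = "localhost", port: int = 6000, timeout: float = 3.0) -> str:
    """Connect to an X display's TCP port and report which failure mode applies."""
    # Little-endian setup request, protocol 11.0, empty auth name and data.
    request = struct.pack("<BxHHHHxx", 0x6C, 11, 0, 0, 0)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            return classify_setup_reply(sock.recv(4096))
    except ConnectionRefusedError:
        return "refused: nothing is listening for TCP on this port"
    except socket.timeout:
        return "timeout: packets are dropped or the server never answered"
    except OSError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    # Run against the local display, as with "telnet localhost 6000".
    print(probe_x11())
```

An "accepted" result after running xhost + confirms the display is open to the probing host; rerunning the probe after xhost - shows whether access control is back in force.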


