Newbies: Secure your X11 environment (server)
r0nster
11-03-2001, 10:22 PM
In your /usr/X11R6/bin/startx file, add -nolisten tcp to the server args section. Add the option between the two quotes " ". This will shut off port 6000.
serverargs="-nolisten tcp"
Doing this is what I consider to be a Good Thing.
X_console
11-04-2001, 05:46 AM
Nice. Should be in How I Did It though, so I'll move it there but keep a locked copy here so everyone who visits this forum can see it.
r0nster
11-04-2001, 05:48 PM
Thanks for moving it, X. I didn't know for sure if the topic belonged here or the other forum since it dealt with X11. :)
Dark Ninja
11-05-2001, 10:35 PM
...actually...doesn't work. I scan my system, and it's still open. I thought, however, that this port needed to be open if you were going to run X11...
Dark Ninja
I've been looking around, and here's something that seems to be of some value.
Turning Off 6000 (http://www.linuxplanet.com/linuxplanet/tips/1124/1/)
[ 05 November 2001: Message edited by: Dark Ninja ]
r0nster
11-06-2001, 06:03 PM
Originally posted by Dark Ninja:
...actually...doesn't work. I scan my system, and it's still open. I thought, however, that this port needed to be open if you were going to run X11...
Dark Ninja
I've been looking around, and here's something that seems to be of some value.
Turning Off 6000 (http://www.linuxplanet.com/linuxplanet/tips/1124/1/)
[ 05 November 2001: Message edited by: Dark Ninja ]
It's for hosting X11 programs from a remote machine. The other options described in the link you provided should also work. I got mine by reading the manual and also came across the topic while visiting BSD vault. I've edited my /usr/X11R6/bin/startx script, shut down and restarted X, did a port scan and netstat -na and voila, no port 6000 listening on my system. X runs just fine with the -nolisten tcp option.
bwkaz
11-06-2001, 08:02 PM
Anybody have a way for it to only listen to a certain range of IPs? I want to be able to open a display from the lab machines, but not let anybody else open one. In other words, I'd like to open the port to the range 141.219.84.0 to 141.219.87.255 (the campus machines).
Is there a way to do this short of a kernel firewall?
xhost maybe?
[ 06 November 2001: Message edited by: bwkaz ]
Dark Ninja
11-06-2001, 10:52 PM
Well, I did exactly what you suggested (added "-nolisten tcp"); however, when I scanned my system using Nmap, it reported back that port 6000 was open.
Dark Ninja
r0nster
11-07-2001, 04:39 PM
Originally posted by Dark Ninja:
Well, I did exactly what you suggested (added "-nolisten tcp"); however, when I scanned my system using Nmap, it reported back that port 6000 was open.
Dark Ninja
I forgot to ask, which version of X are you running? I'm using the v4.x.x series (4.1). Whether this makes a difference I don't really know, but here's some stuff from my ps and nmap respectively. Parts not pertaining to the topic deliberately cut. Output of ps ax:
357 tty1 S 0:00 /bin/sh /usr/X11R6/bin/startx
365 tty1 S 0:00 xinit /home/ronster/.xinitrc -- -nolisten tcp
366 ? S 2:57 X :0 -nolisten tcp
369 tty1 S 0:06 enlightenment
371 ? S 0:00 esd -terminate -nobeeps -as 2 -spawnpid 369
This is done by editing the startx script. Now with nmap:
root@psychadelie:/home/ronster# nmap -v -p 1-65535 127.0.0.1
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host localhost (127.0.0.1) appears to be up ... good.
Initiating TCP connect() scan against localhost (127.0.0.1)
The TCP connect scan took 3 seconds to scan 65535 ports.
All 65535 scanned ports on localhost (127.0.0.1) are: closed
Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
netstat -na also shows nothing of port 6000 listening. Also, what distribution of Linux are you running? Some distributions of Linux may alter the behaviour of X to a certain degree. I'm using a vanilla version of X binaries from xfree86.org.
I'm really surprised that adding the option -nolisten tcp is still allowing your port 6000 to stay open. This is not normal.
Joeri Sebrechts
11-08-2001, 08:19 AM
Originally posted by Dark Ninja:
Well, I did exactly what you suggested (added "-nolisten tcp"); however, when I scanned my system using Nmap, it reported back that port 6000 was open.
Dark Ninja
Well, do you start your X with startx?
Otherwise you'll have to edit /etc/X11/xinit/xserverrc, and add it there.
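The verification r0nster describes (look at ps for the option on the running server, look at netstat -na for a listener on 6000) and Joeri's point that the edit has to reach whatever actually starts X, as an added POSIX sh example that is not from the thread or from any poster. The script name x11check.sh, the function names and the sample ps and netstat text are constructed for this example; matching the server process as X, XFree86 or Xorg is an assumption about how it shows up in ps. The point of the ps check is Dark Ninja's case: if -nolisten tcp is in startx but the running X process does not carry it, the option never reached the server (X was started some other way), and the port stays open no matter how startx reads.

```sh
#!/bin/sh
# x11check.sh (constructed name): is X still listening on TCP?
# Each check reads the text it inspects from its first argument, so the
# same function runs against sample text here or against live output.

# 1. Does the startx script carry the option in serverargs?
startx_has_nolisten() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*serverargs=.*-nolisten[[:space:]]+tcp'
}

# 2. Does the *running* X server process carry the option? ps ax prints
#    PID TTY STAT TIME COMMAND, so the command is field 5 and its
#    arguments follow. Assumption: the server appears as X, XFree86 or Xorg.
x_process_has_nolisten() {
    printf '%s\n' "$1" |
        awk '$5 ~ /(^|\/)(X|XFree86|Xorg)$/ {
                 seen = 1
                 for (i = 6; i < NF; i++)
                     if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
             }
             END { exit (seen && ok) ? 0 : 1 }'
}

# 3. Is a TCP listener on a display port (6000 + display number, so
#    6000-6063) still present? Parses netstat -na style lines; the port is
#    whatever follows the last colon of the local address (works for
#    0.0.0.0:6000 and :::6000 alike).
x11_tcp_listener_present() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
                 port = $4; sub(/.*:/, "", port)
                 if (port + 0 >= 6000 && port + 0 <= 6063) found = 1
             }
             END { exit found ? 0 : 1 }'
}

# Combined verdict: 0 only when the running server has the option AND
# nothing listens on a display port.
x11_tcp_is_off() {
    ps_text=$1; netstat_text=$2; status=0
    if x_process_has_nolisten "$ps_text"; then
        echo "ok:   running X server has -nolisten tcp"
    else
        echo "FAIL: running X server lacks -nolisten tcp (edit not reaching the server?)"
        status=1
    fi
    if x11_tcp_listener_present "$netstat_text"; then
        echo "FAIL: TCP listener on a display port (6000-6063) still present"
        status=1
    else
        echo "ok:   no TCP listener on ports 6000-6063"
    fi
    return $status
}

# Constructed sample output, not captured from a real host.
SAMPLE_STARTX_OFF='serverargs="-nolisten tcp"'
SAMPLE_STARTX_ON='serverargs=""'
SAMPLE_PS_OFF='  PID TTY      STAT   TIME COMMAND
  357 tty1     S      0:00 /bin/sh /usr/X11R6/bin/startx
  366 ?        S      2:57 X :0 -nolisten tcp
  369 tty1     S      0:06 enlightenment'
SAMPLE_PS_ON='  PID TTY      STAT   TIME COMMAND
  366 ?        S      0:12 /usr/X11R6/bin/X :0'
SAMPLE_NETSTAT_OFF='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'
SAMPLE_NETSTAT_ON='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN'

# With --live, inspect this machine; otherwise walk the constructed samples.
if [ "${1:-}" = "--live" ]; then
    x11_tcp_is_off "$(ps ax 2>/dev/null)" "$(netstat -na 2>/dev/null)"
else
    echo "== constructed sample: option applied =="
    x11_tcp_is_off "$SAMPLE_PS_OFF" "$SAMPLE_NETSTAT_OFF"
    echo "== constructed sample: option missing =="
    x11_tcp_is_off "$SAMPLE_PS_ON" "$SAMPLE_NETSTAT_ON" || true
fi
```

Run it as sh x11check.sh --live on the machine after restarting X; a FAIL on the ps line with -nolisten tcp present in startx means X is being started by something other than startx, which is where Joeri's /etc/X11/xinit/xserverrc advice comes in.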