mjn wrote:
>
> Issuing `startx' I get the following error:
>
> _XSERVTransSocketINETCreateListener: ...SocketCreateListener() failed
> _XSERVTransMakeAllCOTSServerListeners: server already running
>
> Fatal Server error:
> Cannot establish any listening sockets - Make sure an X server isn't
> already running
>
> When reporting...
>
> _X11TransSocketUNIXConnect: Can't connect: errno = 111
> giving up
> xinit: Connection refused (errno 111): unableto connect to X server
> xinit: No such process (errno 3): Server error.
> [snip]
>
> I have configured IPchains and X was working properly with IPchains
> initially but I think that, given the error messages I am getting, it is
> the most likely culprit. Does anyone have a sample config for IPchains
> rules which works successfully with X?

Well, you may have not excluded localhost from the blocking rules. You
should try running `telnet localhost 6000' when you have an X server
running -- if it connects, the port is open, and you should look elsewhere
to fix the problem.

If the problem _is_ IPChains, you should probably look at the packet
counters to see where they are getting rejected. The counters can be seen
by running `ipchains -L -v'

> What I thought should work was:
>
> accept tcp from anywhere to localhost port 6000
>
> I also tried:
>
> accept tcp and udp from anywhere to localhost on ports 5999:6003
>
> (do I need a rule for xfs?)

I think xfs uses Unix sockets, but I can't remember off the top of my
head..

> I guess the query is two fold: Is IPchains giving me this error?
>
> and
>
> What is the ideal setup for X ports in IPchains if X is only going to be
> used from the local machine and if it is going to be available to anyone?

I prefer to block ports that I know are open by creating a rule with a
command like

    ipchains -I input -p tcp -s \! 127.0.0.1 --dport <port> -j REJECT

..instead of doing a total block of the input chain.

If you want, you can use this as a configuration file (load it with
something like `ipchains-restore < ipchains.conf'):

    :input ACCEPT
    :forward DENY
    :output ACCEPT
    -A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -j REJECT -l
    -A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 143:143 -p 6 -j REJECT -l
    -A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 515:515 -p 6 -j REJECT -l
    -A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 -p 6 -l -y
    -A input -s ! 127.0.0.1/255.255.255.255 8:8 -d 0.0.0.0/0.0.0.0 -p 1 -l

(beware of line wrapping..)

It logs ICMP echo-requests, SYNs, and blocks and logs SMTP, IMAP, and the
port the printer daemon listens on.

Random sidenote -- I saw today what may be a reason we write `daemon' in
Unix (but I'm probably wrong). If you translate from German, or another
language with umlauts, it's customary to do `ae' instead of `ä' (`&auml;'
in HTML), `oe' instead of `ö', etc. So, dämon -> daemon.

--
  _  _  _  _ _  ___    _ _  _  ___ _ _  __   Error: MentalPlex(tm) has
 / \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   determined that this is
 \_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)  not your final answer.
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
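
The rule file from the message above, run through a small evaluator to show what the input chain does with a given packet; this is an added example, not part of the original post and not ipchains code. The names `parse` and `verdict` are hypothetical, 192.0.2.7 is a constructed sample address, only the options that appear in the file are modelled, and the destination address (0.0.0.0/0 in every rule) is not checked.

```python
import ipaddress

CONFIG = """\
:input ACCEPT
:forward DENY
:output ACCEPT
-A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -j REJECT -l
-A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 143:143 -p 6 -j REJECT -l
-A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 515:515 -p 6 -j REJECT -l
-A input -s ! 127.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 -p 6 -l -y
-A input -s ! 127.0.0.1/255.255.255.255 8:8 -d 0.0.0.0/0.0.0.0 -p 1 -l
"""  # rule set from the post, ipchains-save format, line wrapping undone

def parse(text):
    """Parse only the options used above: -s/-d [!] net [lo:hi], -p, -j, -l, -y."""
    policies, rules = {}, []
    for tok in (line.split() for line in text.splitlines()):
        if tok[0].startswith(":"):           # ":chain POLICY" line
            policies[tok[0][1:]] = tok[1]
            continue
        r = {"chain": tok[1], "target": None, "log": "-l" in tok, "syn": "-y" in tok}
        for i, t in enumerate(tok):
            if t in ("-s", "-d"):
                rest = [x for x in tok[i + 1:i + 4] if x != "!"]
                r[t[1] + "neg"] = tok[i + 1] == "!"
                r[t[1] + "net"] = ipaddress.ip_network(rest[0])
                if len(rest) > 1 and rest[1][0].isdigit():   # optional port range
                    r[t[1] + "port"] = tuple(map(int, rest[1].split(":")))
            elif t in ("-p", "-j"):
                r["proto" if t == "-p" else "target"] = tok[i + 1]
        rules.append(r)
    return policies, rules

def verdict(policies, rules, src, dport=0, proto=6, syn=False, sport=0):
    """First matching rule with a -j target decides; a rule without -j only
    logs. For ICMP (proto 1), `sport` carries the ICMP type, as in the config."""
    logged, any_port = False, (0, 65535)
    for r in rules:
        (s_lo, s_hi), (d_lo, d_hi) = r.get("sport", any_port), r.get("dport", any_port)
        if (r["chain"] != "input" or int(r.get("proto", proto)) != proto
                or (ipaddress.ip_address(src) in r["snet"]) == r["sneg"]
                or not (s_lo <= sport <= s_hi and d_lo <= dport <= d_hi)
                or (r["syn"] and not syn)):
            continue                          # rule does not match this packet
        logged |= r["log"]
        if r["target"]:
            return r["target"], logged
    return policies["input"], logged          # fell through to the chain policy
```

With this file a TCP SYN from 192.0.2.7 to port 6000 comes back as `("ACCEPT", True)`: it is logged by the `-y` rule but still accepted by the chain policy, so a rule like the `ipchains -I input ... --dport <port> -j REJECT` command in the message is still needed for the X port.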