| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi guys. I recently bumped into a problem: X11 traffic is not passing the firewall if it is not explicitly defined. In other words, if I have a rule like this: Source x.x.x.x, Destination y.y.y.y, Service any, the X11 traffic is not passing the firewall unless it is defined in a rule: Source x.x.x.x, Destination y.y.y.y, Service X11. The rule must be placed above any other rule that permits service any, so no conflict will appear. So basically, the X11 connection is in fact "Accepted" by the Rule Base, but is later rejected by another mechanism (called the Session Handler), which does not have any information about rule numbers. Regards, Phayder |
| |||
| hi, open the service object x11 and go to the advanced properties. Then set the "Match for any" option and reinstall the policy. After this change x11 is part of "any" and your rule will work as you expect. cheers stefan |
| |||
| That's normal behavior because X11 is considered a dangerous service since it can open a new back connection back into the network. That's why it is not included in "any" unless you explicitly put it there. The possible problem with doing so is that "any" anywhere in the rule base now includes X11 and it's just not that prevalent in usage. Ray |
| |||
| What? Just go to 'Policy -> Global Properties -> SmartDashboard Customization -> Configure -> FireWall-1 -> Stateful Inspection' and uncheck the 'reject_x11_in_any' checkbox. Then install your policy again. Glad to be of service, Danny Trommer CCSA/CCSE/CCSE+ |
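The behaviour discussed in this thread, as an added example that is not part of any post and is not Check Point code: a simplified first-match model showing why the explicit X11 rule has to sit above the "any" rule, and which accept rules start passing X11 once `reject_x11_in_any` is unchecked. The rule format, addresses and function names are constructed for illustration, and the post-match rejection step is modelled only from the description in the first post.

```python
# Constructed, simplified rule base (hypothetical format, not a Check Point export).
RULES = [
    {"no": 1, "src": "10.1.1.10", "dst": "10.2.2.20", "service": "ssh", "action": "accept"},
    {"no": 2, "src": "10.1.1.10", "dst": "10.2.2.20", "service": "any", "action": "accept"},
    {"no": 3, "src": "10.1.1.10", "dst": "10.2.2.20", "service": "X11", "action": "accept"},
    {"no": 4, "src": "any", "dst": "any", "service": "any", "action": "drop"},
]


def _hit(field, value):
    """A rule field matches if it is the wildcard 'any' or equals the value."""
    return field == "any" or field == value


def evaluate(rules, src, dst, service, reject_x11_in_any=True):
    """Return (rule number, verdict) for one connection; first match wins.

    Assumption taken from the thread: an X11 connection accepted through a
    service-'any' rule is rejected afterwards while reject_x11_in_any is set,
    and later rules are not consulted.
    """
    for rule in rules:
        if (_hit(rule["src"], src) and _hit(rule["dst"], dst)
                and _hit(rule["service"], service)):
            verdict = rule["action"]
            if (verdict == "accept" and service == "X11"
                    and rule["service"] == "any" and reject_x11_in_any):
                verdict = "reject"
            return rule["no"], verdict
    return None, "drop"


def any_rules_opened_for_x11(rules):
    """Accept rules with service 'any' that would pass X11 once the
    reject_x11_in_any property is unchecked (the side effect Ray points out)."""
    return [r["no"] for r in rules
            if r["service"] == "any" and r["action"] == "accept"]


if __name__ == "__main__":
    flow = ("10.1.1.10", "10.2.2.20", "X11")
    print(evaluate(RULES, *flow))                           # default property
    print(evaluate(RULES, *flow, reject_x11_in_any=False))  # property unchecked
    reordered = [RULES[0], RULES[2], RULES[1], RULES[3]]    # X11 rule above 'any'
    print(evaluate(reordered, *flow))
    print(any_rules_opened_for_x11(RULES))
```

Running `any_rules_opened_for_x11` over a real policy before changing the global property gives the list of rules whose scope the change widens.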