Xmanager FAQ

Network and Firewall

How can I configure firewall settings in Windows?

Windows may block all incoming TCP/IP connections, so Xmanager cannot be used until its listening port is allowed.
 
Follow these steps to enable Xmanager connections:
  1. Open Control Panel, and then Windows Firewall.
  2. From the General tab, select the On (recommended) option.
  3. Click the Exception tab.
  4. Click the Add Program button.
  5. From the Programs list, select Xmanager.
  6. Click OK.

If you are using Windows XP SP1 or an earlier release, follow the instructions below:
  1. Open Control Panel, Network and Internet Connection, and then Network Connections.
  2. Right-click on your Internet connection, and then click Properties.
  3. Click Settings.
    RESULT: The Advanced Settings dialog box opens.
  4. Allow TCP 6000 ~ 6010.
  5. If you are using Gnome, allow TCP 16001.


I'm in the local network inside a NAT system. How can I connect to the remote host?

To run a remote X program, your IP address should be a public one that can be reached from the remote host because a remote program tries to connect to your local PC.

If your PC is located inside the firewall or NAT and the Unix host is located outside, X applications cannot connect to the Xmanager running on your PC.

There are two solutions for this situation:

SSH connection

With an SSH connection, you do not have to configure any other options. SSH establishes a secure tunnel between the PC and the Unix host, so we recommend that you use the SSH protocol if the Unix server supports it.

Secure XDMCP is a new feature that will change how people access their remote hosts. Learn how to obtain CDE or GNOME/KDE environment under the NAT environment using Secure XDMCP.


To start an X application through the SSH protocol, follow these steps:
  1. Run Xstart in the Xmanager folder.
  2. Select SSH for Protocol.
  3. Enter username, password, hostname, etc.
  4. Fill in the Execution Command box as follows:
    /usr/bin/X11/xterm -ls
    *Note that the -display option is absent. The SSH server will assign a proper value.
  5. Click the Save and Run button.
  6. Xstart will automatically run Xmanager and then execute the remote command.
  7. At the command prompt of the xterm window, execute startkde for KDE, gnome-session for Gnome or Xsession for CDE.
    * Please refer to the following link to find out more commands for starting each UNIX/Linux desktop environment:

Port forwarding rules on the NAT System

To use port forwarding, forward port 6000 of the NAT system to port 6000 of your PC. If there are multiple local users, map one port of the NAT system to each PC as follows:
(NAT, 6001) -> (PC1, 6000)
(NAT, 6002) -> (PC2, 6000)
. . .
(NAT, 6009) -> (PC9, 6000)
To make an XDMCP connection, you need to set up proxy options in the session properties. (*The following instructions are for PC1.)
  1. Create a new XDMCP session in Xbrowser.
  2. Open the session properties and select 'Use following connection address' in the Proxy area of the General tab.
  3. In the Host text box, type the IP address of the NAT server.
  4. In the Port Number text box, type the port number you have assigned in the NAT system for your PC. (6001 for PC1)
  5. Clear 'Allocate display number automatically' in the Display Number area of the X Server tab.
  6. Type the number that remains after subtracting 6000 from the port number in step 4 above. (1 for PC1)
For connections using Xstart, each user has to enter the "-display" option as follows:
PC1: /usr/bin/X11/xterm -ls -display $NATsystem:1
PC2: /usr/bin/X11/xterm -ls -display $NATsystem:2
. . .
PC9: /usr/bin/X11/xterm -ls -display $NATsystem:9

If I'm inside a firewall using IP Masquerading, how can I connect to external Linux/Unix hosts? (ex. kernel 2.2)

Run the following command as root on your firewall server.

# ipmasqadm portfw -a -P tcp -L FIREWALL_ADDRESS 6001 -R PC_ADDRESS 6000

Run the Xstart program and enter the following command in the Command field.
/usr/bin/X11/xterm -ls -display FIREWALL_ADDRESS:1.0

Be sure that FIREWALL_ADDRESS and PC_ADDRESS have been changed to the corresponding IP addresses on your own network. If you do not have the ipmasqadm tool, please download it from the following site:
http://www.e-infomax.com/ipmasq/juanjox/
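
The port mapping from the NAT and IP Masquerading answers above, as an added example that is not part of the Xmanager FAQ: it uses an iptables DNAT rule in place of ipmasqadm and additionally limits each forward to connections coming from the remote Unix host. The function name x11_forward and all addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not taken from the Xmanager FAQ.
# x11_forward NAT_ADDR REMOTE_HOST PC_ADDR...
# For the n-th PC, prints the DNAT rule (NAT, 6000+n) -> (PCn, 6000),
# accepted only from REMOTE_HOST, followed by the matching Xstart command.
x11_forward() {
    [ $# -ge 3 ] || { echo "usage: x11_forward NAT REMOTE PC..." >&2; return 1; }
    nat=$1
    remote=$2
    shift 2
    # The mapping in the FAQ stops at port 6009, i.e. nine PCs.
    [ $# -le 9 ] || { echo "more than 9 PCs: ports 6001-6009 only" >&2; return 1; }
    n=0
    for pc in "$@"; do
        n=$((n + 1))          # display number = NAT port - 6000
        port=$((6000 + n))
        echo "iptables -t nat -A PREROUTING -p tcp -s $remote -d $nat --dport $port -j DNAT --to-destination $pc:6000"
        echo "# PC$n Xstart command: /usr/bin/X11/xterm -ls -display $nat:$n"
    done
}

# Constructed sample: NAT 203.0.113.1, remote Unix host 198.51.100.7, two PCs.
x11_forward 203.0.113.1 198.51.100.7 10.0.0.11 10.0.0.12
```

On a firewall whose FORWARD chain drops packets by default, the forwarded connection to port 6000 of each PC also needs an accept rule in that chain.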

I have a firewall running on my Linux host. How should I configure it to use Xmanager?

Nowadays most Linux distributions run a firewall by default, which blocks the TCP/UDP ports that Xmanager requires. Because the firewall programs used in Linux vary across distributions and versions, you might need to refer to the user manuals or technical support service for the Linux distribution you use. The following instructions are for ipchains and iptables, which are the most common firewall tools for Linux.
  • ipchains Configuration
    Open the /etc/sysconfig/ipchains file and add the following lines.
    (*The lines shown in gray, which begin with #, are comments on the firewall rules and do not need to be added to the file.)
    # If you want to use GNOME/KDE, add the following line.
    -A input -p udp -s 0/0 -d 0/0 177 -j ACCEPT
    # If you have set font server on Xconfig, add the following line.
    -A input -p tcp -s 0/0 -d 0/0 7100 -j ACCEPT
    # If you are to connect via xstart, add the following line(s).
    -A input -p tcp -s 0/0 -d 0/0 telnet -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 ssh -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 login -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 exec -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 shell -j ACCEPT
    To apply the new rules, restart ipchains with the following command.
    # /etc/init.d/ipchains restart
    To check that all added rules are active on the system, use the following command.
    # ipchains -L
  • iptables Configuration
    Open the /etc/sysconfig/iptables file and add the following lines.
    (*The lines shown in gray, which begin with #, are comments on the firewall rules and do not need to be added to the file.)
    # If you want to use GNOME/KDE, add the following line.
    -A INPUT -p udp --dport 177 -j ACCEPT
    # If you have set font server on Xconfig, add the following line.
    -A INPUT -p tcp --dport 7100 -j ACCEPT
    # If you are to connect via xstart, add the following line(s).
    -A INPUT -p tcp --dport telnet -j ACCEPT
    -A INPUT -p tcp --dport ssh -j ACCEPT
    -A INPUT -p tcp --dport login -j ACCEPT
    -A INPUT -p tcp --dport exec -j ACCEPT
    -A INPUT -p tcp --dport shell -j ACCEPT
    To apply the new rules, restart iptables with the following command.
    # /etc/init.d/iptables restart
    To check that all added rules are active on the system, use the following command.
    # iptables -L
  • lokkit Configuration for RedHat 8, 9
    In RedHat 8 or 9, you can configure the firewall using the lokkit program.
    When you run lokkit, the /etc/sysconfig/iptables file is created.
    Add the following lines at the beginning of the file.
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 177 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 512 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 513 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 514 --syn -j ACCEPT
    To apply the new rules, restart iptables with the following command.
    # /etc/init.d/iptables restart
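
The ipchains and iptables rules above accept the listed ports from any source address. As an added example (not part of the Xmanager FAQ or of Xmanager), the shell function below prints the same iptables INPUT rules limited to the PC running Xmanager; the function name xmanager_rules, its feature keywords and the 192.0.2.0/24 subnet are assumptions made for illustration, and only IPv4 sources are handled.

```sh
#!/bin/sh
# Added example, not taken from the Xmanager FAQ.
# xmanager_rules SOURCE FEATURE...
# Prints iptables INPUT rules for the Linux host that accept the ports the
# FAQ lists, but only from SOURCE (IPv4 address or CIDR of the Xmanager PC).
xmanager_rules() {
    src=${1:-}
    case $src in
        ''|0/0|0.0.0.0/0|*[!0-9./]*)
            echo "refusing source '$src': give the PC address or subnet" >&2
            return 1 ;;
    esac
    shift
    for feature in "$@"; do
        case $feature in
            xdmcp)  proto=udp; port=177  ;;  # GNOME/KDE login over XDMCP
            font)   proto=tcp; port=7100 ;;  # font server set in Xconfig
            ssh)    proto=tcp; port=22   ;;  # Xstart over SSH
            telnet) proto=tcp; port=23   ;;  # Xstart over telnet
            exec)   proto=tcp; port=512  ;;  # Xstart over rexec
            login)  proto=tcp; port=513  ;;  # Xstart over rlogin
            shell)  proto=tcp; port=514  ;;  # Xstart over rsh
            *) echo "unknown feature '$feature'" >&2; return 1 ;;
        esac
        echo "-A INPUT -s $src -p $proto --dport $port -j ACCEPT"
    done
}

# Constructed sample: 192.0.2.0/24 stands in for the subnet of the PCs.
xmanager_rules 192.0.2.0/24 xdmcp font ssh
```

Request only the features in use: when Xstart connects over SSH, the telnet, login, exec and shell keywords can be left out.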

To use Xmanager, which ports should I allow on my firewall?

You should open the following TCP/UDP ports.
  • From remote host to local PC (Inbound):
    - TCP 6000 ~ 6010 for Xmanager
    - *TCP 16001 for Gnome only
  • From local PC to remote host (Outbound):
    - UDP 177 for XDMCP
    - TCP 512, 513, 514, 23, 22 for Xstart
*Note: Gnome may fail to log in or log out if TCP port 16001 is not allowed.

My session gets disconnected after being left idle for a while.

If an Xmanager session is left idle, the connection may be disconnected. The router or firewall between your PC and the UNIX/Linux server may have the 'Connection Timeout' option enabled. This option disconnects network connections if no data is transferred for a specified time period. Please make sure to set this option to your desired time length.