X11 Forwarding Tutorial

Lego said:
okay, my port forwarding is set up the only way I know how to. Choose the port number (obvious), choose the type (tcp/udp/both), choose where you want it to go (local.ip.of.server).

I am afraid in that case that will be the wrong direction. Actually it is the server, that initiates the connections to port 6000 of the client.
 
okay, So what do I need to do? I don't need to use it over the internet, both computers are in the same local network.
 
Lego said:
okay, So what do I need to do? I don't need to use it over the internet, both computers are in the same local network.

Then why do you want/need to set up a port forwarding at all? Are both machines located within the same physical network segment, or is there a router between them?

On the windows machine, is there some sort of firewall active, that possibly prevents inbound connections for tcp port 6000 ?
 
hmm... Well you know what, I never thought of that! Windows Firewall is active... Figures... I've already disabled the forwarded ports from the router, so no more internet access on those ports. I'll unblock that port and try again.

I don't know what you mean when you say "Are both machines located within the same physical network segment, or is there a router between them?"

The Network is setup on a router, internet access comes into the router, and then everything in the home is hooked up to that router, I have a switch in 1 other location with multiple items there as well... I hope that answers your question.

layout.jpg
 
So I turned Windows Firewall right off, and tried again, still nothing... this is getting frustrating...
 
Lego said:
I don't know what you mean when you say "Are both machines located within the same physical network segment, or is there a router between them?"

What I mean is, if they are connected to the same ethernet segment, i.e. connected to the same HUB/Switch, etc. But looking at your diagram, they obviously are not.

Lego said:
The Network is setup on a router, internet access comes into the router, and then everything in the home is hooked up to that router, I have a switch in 1 other location with multiple items there as well... I hope that answers your question.

Indeed. So it looks like your router has something like 4 network interfaces installed. I still do not understand fully, for what purpose you wanted to set up a port forwarding on your router, for connections, that do not leave your local network. Normally, you would use some reserved network blocks, like 192.168.X.X or 10.X.X.X for your internal network, and perform normal routing among the various physical segments, that comprise your network. Then you would use NAT/port forwarding on the boundary to the internet, to connect services provided by one of your local machines to the outside world.

Anyways, I think we can narrow it down to probably being a problem with your router. With the windows firewall deactivated, there should be nothing on this side, that blocks the inbound connections on the windows machine.

What kind of firewall are you using on your router, and how is it configured? Does it indicate any denied packets, when you try to run remote X? If you are familiar with tools like tcpdump or wireshark, you could probably use these on the router to see, if the connection requests and responses get through.
 
mickey said:
Indeed. So it looks like your router has something like 4 network interfaces installed. I still do not understand fully, for what purpose you wanted to set up a port forwarding on your router, for connections, that do not leave your local network. Normally, you would use some reserved network blocks, like 192.168.X.X or 10.X.X.X for your internal network, and perform normal routing among the various physical segments, that comprise your network. Then you would use NAT/port forwarding on the boundary to the internet, to connect services provided by one of your local machines to the outside world.

Exactly, all items on my network are given an address from the router, a 192.168.XX.XX address; the 5 port switch is literally just that, no options/no dhcp server. I have only the ports needed on my server forwarded to my server (eg Port 80 for my webserver). I did not realize that I did not need port 177 and 6000 forwarded if I was staying in the local network, I wasn't thinking...

mickey said:
Anyways, I think we can narrow it down to probably being a problem with your router. With the windows firewall deactivated, there should be nothing on this side, that blocks the inbound connections on the windows machine.

What kind of firewall are you using on your router, and how is it configured? Does it indicate any denied packets, when you try to run remote X? If you are familiar with tools like tcpdump or wireshark, you could probably use these on the router to see, if the connection requests and responses get through.

The Router is a DIR-655 with lots of bells and whistles I don't really care for or use, 90% of the setup is all Default.
The Firewall Options I have are as follows:
Code:
FIREWALL SETTINGS
-> SPI Enabled

NAT ENDPOINT FILTERING
-> UDP Endpoint Filtering: Address Restricted
-> TCP Endpoint Filtering: Port And Address Restricted

ANTI-SPOOF CHECKING
-> Disabled

DMZ HOST
-> Disabled

APPLICATION LEVEL GATEWAY (ALG) CONFIGURATION
-> PPTP enabled
-> IPSec (VPN) Enabled
-> RTSP Enabled
-> SIP enabled

The Nat Endpoint filtering options are:
Code:
Endpoint Independent
Address Restricted
Port And Address Restricted

The Router does not show any denied packets it doesn't really keep good records... which bothers me but what can you do.

I have not used tcpdump or wireshark
 
Lego said:
I have only the ports needed on my server forwarded to my server (eg Port 80 for my webserver). I did not realize that I did not need port 177 and 6000 forwarded if I was staying in the local network, I wasn't thinking...

Ok, and I take it by saying "forwarded" this means "forwarded from the external address to the internal one". So internally between your FreeBSD server and the Windows PC, there should be no forwarding active or necessary.

Lego said:
The Router is a DIR-655 with lots of bells and whistles

I must admit, that I am rather clueless, when it comes to this thingy.

Lego said:
The Router does not show any denied packets it doesn't really keep good records... which bothers me but what can you do.

I have not used tcpdump or wireshark

As a starting point, you could have a look at the traffic on your FreeBSD server, while you are trying to connect to it from the windows box.

gdm with XDMCP enabled should be listening on udp port 177, which could be verified by netstat -n -a -f inet -p udp | grep 177. So when you connect to your server (using X -query <server>), there should be some udp packets coming in to port 177, and corresponding response packets flowing back.

The other interesting thing to know are tcp connections from your FreeBSD server to port 6000 of the client machine. Or more importantly, whether the corresponding response packets get through your router from the windows machine to your server.

You could use something like tcpdump host <windows-pc>, to show all traffic originating from or destined to <windows-pc>. The output will show the source and destination addresses/ports, and a "<" or ">" in between, denoting the traffic direction.

If you see packets flowing from your FreeBSD server to your windows-pc on port 6000, but no corresponding response packets flowing back, this could indicate two things:
  1. The packets do not reach port 6000 on your windows machine.
  2. The response packets, sent by your windows machine, do not reach your FreeBSD server.
 
mickey said:
Ok, and I take it by saying "forwarded" this means "forwarded from the external address to the internal one". So internally between your FreeBSD server and the Windows PC, there should be no forwarding active or necessary.


What I mean is when someone uses blurr-ink.com or my Router's External IP (my Internet IP), the IP my router is given from my ISP, the requests are passed right through the router directly to the server. I have nothing forwarded to my windows box. There is no forwarding setup between my bsd box and my windows box, locally or outside my network, if that's even possible.


mickey said:
As a starting point, you could have a look at the traffic on your FreeBSD server, while you are trying to connect to it from the windows box.

gdm with XDMCP enabled should be listening on udp port 177, which could be verified by netstat -n -a -f inet -p udp | grep 177. So when you connect to your server (using X -query <server>), there should be some udp packets coming in to port 177, and corresponding response packets flowing back.

looks like it's not listening:
Code:
blurr-ink# netstat -n -a -f inet -p udp | grep 177
blurr-ink#

mickey said:
The other interesting thing to know are tcp connections from your FreeBSD server to port 6000 of the client machine. Or more importantly, whether the corresponding response packets get through your router from the windows machine to your server.

You could use something like tcpdump host <windows-pc>, to show all traffic originating from or destined to <windows-pc>. The output will show the source and destination addresses/ports, and a "<" or ">" in between, denoting the traffic direction.

Okay, I used # tcpdump host 192.168.XX.XX on the server console(terminal? not in GDM) and had no ssh connection running to eliminate those. And I used $ X -query 192.168.XX.XX in my Cygwin window.

mickey said:
If you see packets flowing from your FreeBSD server to your windows-pc on port 6000, but no corresponding response packets flowing back, this could indicate two things:
  1. The packets do not reach port 6000 on your windows machine.
  2. The response packets, sent by your windows machine, do not reach your FreeBSD server.

Nothing obviously since it's not even listening...
Code:
blurr-ink# tcpdump host 192.168.0.196
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bfe0, link-type EN10MB (Ethernet), capture size 96 bytes
23:17:46.170563 ARP, Request who-has 192.168.0.196 (Broadcast) tell 192.168.0.1, length 46
23:18:04.655007 ARP, Request who-has 192.168.0.193 tell 192.168.0.196, length 46
23:18:04.655039 ARP, Reply 192.168.0.193 is-at 00:08:74:c4:41:9e (oui Unknown), length 28
23:18:04.655184 IP 192.168.0.196.62575 > 192.168.0.193.xdmcp: UDP, length 7
23:18:04.655274 IP 192.168.0.193 > 192.168.0.196: ICMP 192.168.0.193 udp port xdmcp unreachable, length 36
23:18:06.666313 IP 192.168.0.196.62575 > 192.168.0.193.xdmcp: UDP, length 7
23:18:06.666406 IP 192.168.0.193 > 192.168.0.196: ICMP 192.168.0.193 udp port xdmcp unreachable, length 36
23:18:10.675831 IP 192.168.0.196.62575 > 192.168.0.193.xdmcp: UDP, length 7
23:18:10.675923 IP 192.168.0.193 > 192.168.0.196: ICMP 192.168.0.193 udp port xdmcp unreachable, length 36
23:18:18.679101 IP 192.168.0.196.62575 > 192.168.0.193.xdmcp: UDP, length 7
23:18:18.679196 IP 192.168.0.193 > 192.168.0.196: ICMP 192.168.0.193 udp port xdmcp unreachable, length 36
23:18:34.685691 IP 192.168.0.196.62575 > 192.168.0.193.xdmcp: UDP, length 7
23:18:34.685783 IP 192.168.0.193 > 192.168.0.196: ICMP 192.168.0.193 udp port xdmcp unreachable, length 36
23:18:39.209898 ARP, Request who-has 192.168.0.193 (00:08:74:c4:41:9e (oui Unknown)) tell 192.168.0.196, length 46
23:18:39.209927 ARP, Reply 192.168.0.193 is-at 00:08:74:c4:41:9e (oui Unknown), length 28
23:18:46.170469 ARP, Request who-has 192.168.0.196 (Broadcast) tell 192.168.0.1, length 46
23:19:46.170538 ARP, Request who-has 192.168.0.196 (Broadcast) tell 192.168.0.1, length 46
^C
17 packets captured
1847 packets received by filter
0 packets dropped by kernel
blurr-ink#
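
The triage mickey describes, applied to a server-side capture like the one above, as an added example that is not part of the original thread: it sorts tcpdump lines into the failure cases discussed (nothing listening on udp/177, or no response coming back from the client's tcp/6000). The function names, verdict strings and the second sample capture are constructed for illustration, and addresses are assumed to be numeric IPv4 as in the capture above.

```python
import re

XDMCP = {"177", "xdmcp"}  # tcpdump prints service names unless run with -n
X11 = {"6000", "x11"}
LINE = re.compile(r"IP (\S+) > (\S+?): (.*)")

# Three lines copied from the capture in the post above.
PAGE_CAPTURE = """\
23:18:04.655039 ARP, Reply 192.168.0.193 is-at 00:08:74:c4:41:9e (oui Unknown), length 28
23:18:04.655184 IP 192.168.0.196.62575 > 192.168.0.193.xdmcp: UDP, length 7
23:18:04.655274 IP 192.168.0.193 > 192.168.0.196: ICMP 192.168.0.193 udp port xdmcp unreachable, length 36
"""
# Constructed sample: XDMCP answers, but the client never replies from tcp/6000.
CONSTRUCTED = """\
10:00:00.000100 IP 192.168.0.196.62575 > 192.168.0.193.177: UDP, length 7
10:00:00.000200 IP 192.168.0.193.177 > 192.168.0.196.62575: UDP, length 30
10:00:01.000300 IP 192.168.0.193.51000 > 192.168.0.196.6000: Flags [S], length 0
"""

def split(endpoint):
    """'192.168.0.196.62575' -> ('192.168.0.196', '62575'); ICMP lines have no port."""
    parts = endpoint.split(".")
    return (".".join(parts[:4]), parts[4]) if len(parts) > 4 else (endpoint, None)

def triage(capture, server, client):
    seen = set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP lines and tcpdump banner text
        (src, sport), (dst, dport), rest = split(m.group(1)), split(m.group(2)), m.group(3)
        if (src, dst) == (client, server):
            if dport in XDMCP and rest.startswith("UDP"):
                seen.add("query")        # client asks the display manager for a session
            elif sport in X11:
                seen.add("x11_reply")    # client's X server answers the server
        elif (src, dst) == (server, client):
            if re.match(r"ICMP \S+ udp port (xdmcp|177) unreachable", rest):
                seen.add("unreachable")  # kernel reports that udp/177 is closed
            elif sport in XDMCP and rest.startswith("UDP"):
                seen.add("xdmcp_reply")
            elif dport in X11:
                seen.add("x11_connect")  # server connects back to the client's display
    if "query" not in seen:
        return "no XDMCP query reached the server"
    if "unreachable" in seen:
        return "nothing listens on udp/177: check gdm"
    if "xdmcp_reply" not in seen:
        return "query arrived but the server sent no XDMCP answer"
    if "x11_connect" not in seen:
        return "XDMCP answered but no connection to client tcp/6000 was attempted"
    if "x11_reply" not in seen:
        return "no response from client tcp/6000: blocked or lost on the way back"
    return "XDMCP and X11 traffic flow in both directions"
```

Called as triage(PAGE_CAPTURE, "192.168.0.193", "192.168.0.196"), with the server address first and the Windows client second.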
 
Lego said:
What I mean is when someone uses blurr-ink.com or my Router's External IP (my Internet IP), the IP my router is given from my ISP, the requests are passed right through the router directly to the server. I have nothing forwarded to my windows box. There is no forwarding setup between my bsd box and my windows box, locally or outside my network, if that's even possible.

d'accord

Lego said:
looks like it's not listening:
Code:
blurr-ink# netstat -n -a -f inet -p udp | grep 177
blurr-ink#

Something's wrong here. It should look more like this:
Code:
root@gunhead pts/0 [~]: netstat -n -a -f inet -p udp | grep 177
udp4       0      0 *.177                  *.*
So we are back to gdm and its configuration.
  • Which version of gdm is installed on this machine?
  • Was gdm running for certain, at the time you issued that netstat command?
  • What is in your /usr/local/etc/gdm/custom.conf file?
  • Did you restart gdm after making changes to /usr/local/etc/gdm/custom.conf?
Try manually stopping and then starting gdm:
Code:
/usr/local/etc/rc.d/gdm stop
/usr/local/etc/rc.d/gdm start
Look out for any warning/error messages, that may appear on the terminal or in /var/log/messages.
 
Sorry it took so long to respond been busy lately.

Code:
blurr-ink# pkg_info|grep gdm
gdm-2.26.1_7        GNOME 2 version of xdm display manager

Code:
blurr-ink# /usr/local/etc/rc.d/gdm stop
Stopping gdm.
Waiting for PIDS: 14233.
blurr-ink# /usr/local/etc/rc.d/gdm start
Starting gdm.
blurr-ink# netstat -n -a -f inet -p udp | grep 177
blurr-ink#

Code:
# GDM configuration storage

[xdmcp]

DisplaysPerHost=2
Enable=True
HonorIndirect=true
MaxPending=4
MaxSessions=4
MaxWait=30
MaxWaitIndirect=30
PingIntervalSeconds=15
Port=177
#Willing=/usr/local/etc/gdm/Xwilling

[chooser]

[security]

DisallowTCP=false

[debug]

Yes, I restarted the computer before trying the first time, but just to be sure I followed the stop/start to make sure... still no luck. The only thing I see happening is when I stop then start gdm through putty, it starts gdm on the server monitor. I just restarted the computer once more and tried again.

Code:
blurr-ink# netstat -n -a -f inet -p udp | grep 177
blurr-ink# /usr/local/etc/rc.d/gdm start
Starting gdm.
blurr-ink#
** (gdm-binary:1563): WARNING **: Failed to acquire org.gnome.DisplayManager

** (gdm-binary:1563): WARNING **: Could not acquire name; bailing out

blurr-ink#
blurr-ink# netstat -n -a -f inet -p udp | grep 177
blurr-ink#

I get that error in the putty window, but gdm starts on the server monitor.... seems gdm refuses to listen for some reason....
 
/var/log/messages
Code:
Dec  9 23:32:11 blurr-ink kernel: drm0: <Intel i845G GMCH> on vgapci0
Dec  9 23:32:11 blurr-ink kernel: vgapci0: child drm0 requested pci_enable_busmaster
Dec  9 23:32:11 blurr-ink kernel: info: [drm] AGP at 0xe0000000 128MB
Dec  9 23:32:11 blurr-ink kernel: info: [drm] Initialized i915 1.6.0 20080730
Dec  9 23:32:11 blurr-ink kernel: drm0: [ITHREAD]
Dec  9 23:32:14 blurr-ink console-kit-daemon[1379]: WARNING: kvm_getenvv failed: cannot open /proc/1379/mem
Dec  9 23:32:32 blurr-ink gnome-session[1498]: WARNING: Application 'metacity.desktop' failed to register before timeout
Dec  9 23:32:32 blurr-ink gdm-simple-greeter[1521]: WARNING: Failed to load '/share/xml/iso-codes/iso_639.xml': Failed to open file '/share/xml/iso-codes/iso_639.xml': No such file or directory
Dec  9 23:32:32 blurr-ink gdm-simple-greeter[1521]: WARNING: Failed to load '/share/xml/iso-codes/iso_3166.xml': Failed to open file '/share/xml/iso-codes/iso_3166.xml': No such file or directory
Dec  9 23:32:35 blurr-ink console-kit-daemon[1379]: WARNING: kvm_getenvv failed: cannot open /proc/1522/mem
Dec  9 23:32:36 blurr-ink console-kit-daemon[1379]: WARNING: kvm_getenvv failed: cannot open /proc/1521/mem
Dec  9 23:32:36 blurr-ink gdm-simple-greeter[1521]: WARNING: Unable to find users: no seat-id found
Dec  9 23:32:37 blurr-ink console-kit-daemon[1379]: WARNING: kvm_getenvv failed: cannot open /proc/1527/mem
Dec  9 23:32:37 blurr-ink console-kit-daemon[1379]: WARNING: kvm_getenvv failed: cannot open /proc/1527/mem
Dec  9 23:37:05 blurr-ink kernel: bfe0: promiscuous mode enabled
Dec  9 23:37:16 blurr-ink console-kit-daemon[1379]: WARNING: kvm_getenvv failed: cannot open /proc/1498/mem
Dec  9 23:37:16 blurr-ink gnome-session[1498]: WARNING: Unable to determine session: Unable to lookup session information for process '1498'
Dec  9 23:37:30 blurr-ink kernel: bfe0: promiscuous mode disabled
Dec  9 23:40:35 blurr-ink console-kit-daemon[1379]: WARNING: kvm_getenvv failed: cannot open /proc/1498/mem
Dec  9 23:40:35 blurr-ink gnome-session[1498]: WARNING: Unable to determine session: Unable to lookup session information for process '1498'
 
I am using gdm 2.28.x, but there are no differences in the XDMCP configuration between those versions. But feel free to upgrade your Gnome to 2.28.

It seems there are some problems with your gdm. Please check for the following:
  • Make sure you have procfs mounted on /proc. Gnome needs this to function properly. If it's missing, add the following line to your /etc/fstab:
    Code:
    proc                    /proc           procfs  rw              0       0
  • Check that you have the following settings in your /etc/rc.conf:
    Code:
    avahi_daemon_enable="YES"
    avahi_dnsconfd_enable="YES"
    hald_enable="YES"
    dbus_enable="YES"
    gdm_enable="YES"
    or alternatively, the following sets all of the above:
    Code:
    gnome_enable="YES"
    Additionally you might need these, too:
    Code:
    polkitd_enable="YES"
    system_tools_backends_enable="YES"
 