# Unable to disable X listening for tcp connections

## Loke

Ok,

I've got two Gentoo setups, fairly equal, but 1 uses kde-3.0.4 and the other kde3.1beta2 and both run XFree 4.2.1. I've successfully disabled listening for tcp connections on the kde-3.0.4 box, but following the exact same procedure for the kde-3.1beta2 box doesn't work:

```
cat /etc/X11/xdm/Xservers
:0 local /usr/X11R6/bin/X -nolisten tcp
```

And

```
cat /usr/X11R6/bin/startx
userclientrc=$HOME/.xinitrc
userserverrc=$HOME/.xserverrc
sysclientrc=/usr/X11R6/lib/X11/xinit/xinitrc
sysserverrc=/usr/X11R6/lib/X11/xinit/xserverrc
defaultclient=/usr/X11R6/bin/xterm
defaultserver=/usr/X11R6/bin/X
defaultclientargs=""
defaultserverargs="-nolisten tcp"
clientargs=""
serverargs=""
```

I use kdm as my login manager, and the code above should account for both starting X from startx and from an init script. In my /etc/rc.conf I have:

```
cat /etc/rc.conf
DISPLAYXSESSION=kdm
XSESSION=fluxbox
```

I chose fluxbox, because I want the startx command to start fluxbox, while I want KDE as a normal login through kdm. But after doing this, I portscan localhost:

```
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
```

And as you can see, X is still listening for incoming tcp connections... Hmmm. I've verified over and over that the scripts on this box and the other one are exactly the same. But on this box X still listens for tcp connections.

Any suggestions?

----------

## mglauche

I think scanning localhost is uninteresting. You should check it from another machine in the same network. Disabling localhost network is usually a bad idea :)

----------

## Loke

Same thing happens if I scan it from another host. I know nmap can produce strange results when scanning localhost, but in this case the X server is really listening for incoming tcp connections despite the fact that I've tried to disable it.

----------

## pjp

If you add the settings to serverargs, does that make a difference?

----------

## synonymousca

Wouldn't

```
netstat -a --inet -n -p | grep LISTEN
```

Be a lot easier than running netstat against yourself?

(Note that the -p option isn't all that useful re: system services when you're not doing it as root.)

----------

## Xor

I agree, to see what's on your system use netstat.. not nmap.. I myself would suggest to use (for tcp)

```
netstat -t -n -p -l
```

which also catches ipv6... as I have heard there's going to be ipv6 in X11... and according to hearsay:

-nolisten tcp = listen on ipv6

-nolisten tcp6= listen on ipv4

but you can't disable it at all.... (if you have an ipv6 enabled X-Server)

----------

## mglauche

How about just putting an iptables rule in place?

like `iptables -I INPUT -p tcp --dport 6000 -j DROP`

----------

## Xor

well that answer matches perfectly to your avatar....

----------

## kormoc

Deleted

----------

## pjp

This post might help.

----------

## Loke

Thanks for every answer so far. As for using netstat, I don't see how that will prove an nmap of localhost provides false readings - since I can portscan from a remote host and still see kdm listening for tcp connections. And as for configuring XFS with -nolisten tcp, which is also a good tip, although I don't use XFS ;)

The last suggestion, about disabling network transparency might just be what I'm looking for so thumbs up for that one :) Because I do indeed have network transparency enabled on that box, and not the other - so I'll definitely try that!

Cheers all!

----------
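
Added example, not from any poster in this thread: a shell check for the two things the thread is trying to establish, whether `-nolisten tcp` actually reached the running X server's command line, and whether anything is in LISTEN state on an X11 TCP port (6000 plus display number) according to `/proc/net/tcp` and `/proc/net/tcp6`. It assumes a Linux `/proc` and that the server binary is named `X`, `Xorg` or `XFree86`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: confirm -nolisten tcp reached the running X server and that
# no X11 TCP port (6000 + display number) is in LISTEN state, IPv4 or IPv6.

# Succeeds if a command line (one space-joined string) has "-nolisten tcp".
has_nolisten_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
    esac
    return 1
}

# stdin: text in /proc/net/tcp or /proc/net/tcp6 format.
# Prints one line per listening socket on ports 6000-6063.
x11_listeners() {
    while read -r _sl laddr _raddr state _rest; do
        [ "$state" = "0A" ] || continue          # 0A = LISTEN; skips header too
        port=$((0x${laddr##*:}))                 # port is hex after the last ':'
        if [ "$port" -ge 6000 ] && [ "$port" -le 6063 ]; then
            echo "display :$((port - 6000)) listening on tcp/$port"
        fi
    done
}

# Live report from /proc. Server binary names below are an assumption.
report() {
    for f in /proc/[0-9]*/cmdline; do
        args=$(tr '\0' ' ' 2>/dev/null < "$f") || continue
        args=${args% }                           # cmdline ends with a NUL
        exe=${args%% *}
        pid=${f#/proc/}; pid=${pid%/cmdline}
        case ${exe##*/} in
            X|Xorg|XFree86)
                if has_nolisten_tcp "$args"; then s="has -nolisten tcp"
                else s="MISSING -nolisten tcp"; fi
                echo "pid $pid: $s: $args" ;;
        esac
    done
    for t in /proc/net/tcp /proc/net/tcp6; do
        if [ -r "$t" ]; then x11_listeners < "$t"; fi
    done
    return 0
}

report
```

Run it as root to see the command lines of servers started by a display manager; a server reported as MISSING the flag was started by something other than the files that were edited.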

