Date: Thu, 2 Mar 2006 08:32:36 -0600
From: "Ryan Rempel"
To: "matthew@acintrix.net"
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeNX in FreeBSD Jail

On 3/1/06, Ryan Rempel wrote:
>
> On 2/28/06, matthew@acintrix.net wrote:
> > Has anyone had any experience running FreeNX in a FreeBSD Jail? It
> > starts to connect then goes to connection failed, I can use XDMCP from the
> > same box and everything works fine, any suggestions? Thanks in Advance.
>
> I've done it, so it is possible to get it to work. I can't remember now if
> there were any particular issues in setting it up -- one suggestion would be
> to check the log files for something that might shed light.

I forgot -- there was an issue when I set this up. There is code in the
nxserver, in nxcomp/Loop.cpp, that checks whether the connection is coming
from an expected IP address (or something like that). What seems to happen is
that it gets confused by the way that 127.0.0.1 in the jail gets translated to
the jail's IP address, so it thinks they don't match.

I made a patch for net/nxserver that kind of fixes the problem, but I should
emphasize that this isn't a proper patch -- it just bypasses the check
entirely, rather than trying to do it correctly in the jail. So it probably
defeats something which contributes to security.

That having been said, here's the patch:

--- nxcomp/Loop.cpp.orig Sat Feb 5 14:10:48 2005 +++ nxcomp/Loop.cpp Thu Mar 2 08:15:12 2006
@@ -4567,7 +4567,8 @@ char *connectedHost =3D inet_ntoa(newAddr.sin_addr); unsigned int connectedPort =3D ntohs(newAddr.sin_port); - if (*acceptHost =3D=3D '\0' || (int) newAddr.sin_addr.s_addr =3D=3D = acceptIPAddr) +// if (*acceptHost =3D=3D '\0' || (int) newAddr.sin_addr.s_addr =3D=3D = acceptIPAddr) + if (1) { #if defined(INFO) || defined (TEST) *logofs << "Loop: Accepted connection from '" << connectedHost
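
Review bot: Replacing the condition with `if (1)` makes this accept path take every connection regardless of source address, because the `acceptIPAddr` comparison against `newAddr.sin_addr.s_addr` is no longer evaluated; any peer that can reach the listening port passes. Rather than dropping the check, keep it and widen it for the jail case only, for example by also accepting a peer whose address equals the local address of the accepted socket (which is how a 127.0.0.1 connection appears once the jail has rewritten it to the jail's IP), or by pointing the accept host at the jail's IP. If the bypass has to stay, put it behind a build-time option instead of leaving the original test behind as a `//` comment, and state in a comment that the source-address check is disabled.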