[Shorewall-newbies] UDP replies not dropped

Ingo Lantschner ingo.lists at vum.at
Tue Jan 6 16:43:48 PST 2004


Hi all,

just wondered about the following:

20:35:05.854626 63.157.132.36.1027 > 212.183.87.108.netbios-ns: NBT UDP \
PACKET(137): QUERY; REQUEST; BROADCAST
20:35:05.854884 212.183.87.108 > 63.157.132.36: icmp: 212.183.87.108 udp \
port netbios-ns unreachable [tos 0xc0]

because I have the following policy:

#SOURCE         DEST            POLICY

loc             net             ACCEPT
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

and nothing about netbios-ns or 135 in the policy file.

For my understanding, the fw should NOT answer the udp-packet.

I thought it is because UDP is connectionless, and so the FW cannot
check if it is part of an ongoing communication??

The problem I have is that such traffic makes the "idle 60" option in my
/etc/ppp/options useless, because there is always such a request within 60
seconds. So the modem never hangs up.

Regards, Ingo.


-- 
 Tel +43-1-5955766
 Mobil +43-664-1438418
 Web http://ingo.netomania.at/
 -------------------------------------------
       Ihr und Wir -- Bino na Biso 
 http://ingo.netomania.at/bnb/de/index.html
--------------------------------------------
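An added example, not part of Ingo's message or of Shorewall itself: a small Python script that rejoins tcpdump's backslash-wrapped lines like the two quoted above, pairs each inbound UDP packet with any ICMP "udp port ... unreachable" the host sent back, and reports whether the packet was rejected (answered) or dropped (silent). The first two sample lines are the ones from the post; the third is constructed, and the matching ignores packet timing.

```python
import re

# Constructed sample: the two tcpdump lines from the post (with tcpdump's
# trailing-backslash line wrapping) plus one constructed probe to port 5000
# that received no reply at all.
SAMPLE = r"""
20:35:05.854626 63.157.132.36.1027 > 212.183.87.108.netbios-ns: NBT UDP \
PACKET(137): QUERY; REQUEST; BROADCAST
20:35:05.854884 212.183.87.108 > 63.157.132.36: icmp: 212.183.87.108 udp \
port netbios-ns unreachable [tos 0xc0]
20:35:09.112233 63.157.132.36.1028 > 212.183.87.108.5000: udp 28
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "<ts> <src>.<sport> > <dst>.<dport>: <rest>"  (old-style tcpdump output)
UDP_RE = re.compile(rf"^(\S+) {IP}\.(\S+) > {IP}\.(\S+): (.*)$")
# "<ts> <src> > <dst>: icmp: <orig_dst> udp port <port> unreachable ..."
ICMP_RE = re.compile(rf"^(\S+) {IP} > {IP}: icmp: {IP} udp port (\S+) unreachable")


def join_continuations(text):
    """Rejoin tcpdump lines that were wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    return [line for line in lines if line.strip()]


def classify_probes(text):
    """Return (verdict, src, dst, dport) for every inbound UDP packet: 'rejected'
    if the destination host answered with ICMP port unreachable (a REJECT-style
    response that is itself outbound traffic), 'dropped' if it stayed silent."""
    probes, unreachable = [], set()
    for line in join_continuations(text):
        m = ICMP_RE.match(line)
        if m:
            _ts, _icmp_src, prober, target, port = m.groups()
            unreachable.add((prober, target, port))
            continue
        m = UDP_RE.match(line)
        if m and "udp" in m.group(6).lower():
            _ts, src, _sport, dst, dport, _rest = m.groups()
            probes.append((src, dst, dport))
    return [("rejected" if p in unreachable else "dropped", *p) for p in probes]


if __name__ == "__main__":
    for verdict, src, dst, dport in classify_probes(SAMPLE):
        print(f"{src} -> {dst}:{dport}  {verdict}")
```

Every "rejected" line is a packet the firewall answered rather than silently discarded; against a DROP policy that is the behaviour to track down, and each such answer also counts as outbound traffic for a PPP idle timer.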
