[Shorewall-newbies] UDP replies not dropped

Tom Eastep teastep at shorewall.net
Tue Jan 6 08:59:18 PST 2004


On Tuesday 06 January 2004 07:43 am, Ingo Lantschner wrote:
> Hi all,
>
> just wondered about the following:
>
> 20:35:05.854626 63.157.132.36.1027 > 212.183.87.108.netbios-ns: NBT UDP \
> PACKET(137): QUERY; REQUEST; BROADCAST
> 20:35:05.854884 212.183.87.108 > 63.157.132.36: icmp: 212.183.87.108 udp \
> port netbios-ns unreachable [tos 0xc0]
>
> because I have the following policy:
>
> #SOURCE         DEST            POLICY
>
> loc             net             ACCEPT
> fw              net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
>
> and nothing about netbios-ns or 135 in the policy file.
>
> For my understanding, the fw should NOT answer the udp-packet.
>
> I thought it is because UDP is connectionless, and so the FW cannot
> check if it is part of an ongoing communication??
>
> The problem I have is that such traffic makes the "idle 60" option in my
> /etc/ppp/options useless, because there is always such a request within 60
> seconds. So the modem never hangs up.
>

a) cd /etc/shorewall
b) cp common.def common
c) <edit 'common' and replace the REJECT to DROP for UDP 137:139>
d) shorewall restart

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
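As an added illustration (not part of the thread or of Shorewall), a small Python parser for tcpdump lines in the format quoted above: it pairs each inbound UDP probe aimed at the firewall with the ICMP port-unreachable the firewall sent back, which is the outbound traffic a REJECT creates and a DROP would not, and measures the spacing of those replies against the 60-second idle timer. The sample capture is constructed; the firewall address is the one quoted in the thread.

```python
import re

# Constructed sample in the tcpdump format quoted in the thread (not a real capture):
# three netbios-ns probes from one remote host; the firewall answers the first two
# with ICMP port unreachable (the REJECT behaviour), the third goes unanswered.
SAMPLE_CAPTURE = """\
20:35:05.854626 63.157.132.36.1027 > 212.183.87.108.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:35:05.854884 212.183.87.108 > 63.157.132.36: icmp: 212.183.87.108 udp port netbios-ns unreachable [tos 0xc0]
20:35:41.120000 63.157.132.36.1027 > 212.183.87.108.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:35:41.120300 212.183.87.108 > 63.157.132.36: icmp: 212.183.87.108 udp port netbios-ns unreachable [tos 0xc0]
20:37:10.000000 63.157.132.36.1027 > 212.183.87.108.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
"""

IP = r"\d+(?:\.\d+){3}"
UDP_LINE = re.compile(rf"^(\S+) ({IP})\.(\S+) > ({IP})\.(\S+): ")
ICMP_UNREACH = re.compile(rf"^(\S+) ({IP}) > ({IP}): icmp: {IP} udp port (\S+) unreachable")


def to_seconds(stamp):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify_probes(capture, fw_ip):
    """Pair each inbound UDP probe at fw_ip with the ICMP port-unreachable it triggered.
    Returns (answered, unanswered): answered entries are (probe_t, reply_t, peer, port),
    unanswered entries are (probe_t, peer, port). Answered probes are the REJECT case;
    with DROP every probe would end up in unanswered."""
    pending = {}  # (peer, port) -> time of the latest unanswered probe
    answered = []
    for line in capture.splitlines():
        m = UDP_LINE.match(line)
        if m and m.group(4) == fw_ip:
            pending[(m.group(2), m.group(5))] = to_seconds(m.group(1))
            continue
        m = ICMP_UNREACH.match(line)
        if m and m.group(2) == fw_ip and (m.group(3), m.group(4)) in pending:
            key = (m.group(3), m.group(4))
            answered.append((pending.pop(key), to_seconds(m.group(1)), *key))
    unanswered = [(t, peer, port) for (peer, port), t in pending.items()]
    return answered, unanswered


def reply_gaps(answered):
    """Seconds between consecutive firewall-generated replies; any gap shorter than the
    ppp idle timer (60 s in the thread) is a reply that resets the timer."""
    times = sorted(r[1] for r in answered)
    return [b - a for a, b in zip(times, times[1:])]
```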
