[Shorewall-newbies] UDP replies not dropped
teastep at shorewall.net
Tue Jan 6 08:59:18 PST 2004
On Tuesday 06 January 2004 07:43 am, Ingo Lantschner wrote:
> Hi all,
> just wondered about the following:
> 20:35:05.854626 22.214.171.124.1027 > 126.96.36.199.netbios-ns: NBT UDP \
> PACKET(137): QUERY; REQUEST; BROADCAST
> 20:35:05.854884 188.8.131.52 > 184.108.40.206: icmp: 220.127.116.11 udp \
> port netbios-ns unreachable [tos 0xc0]
> because I have the following policy:
> #SOURCE   DEST   POLICY
> loc       net    ACCEPT
> fw        net    ACCEPT
> net       all    DROP     info
> all       all    REJECT   info
> and nothing about netbios-ns or 135 in the policy file.
> To my understanding, the fw should NOT answer the UDP packet.
> I thought it is because UDP is connectionless, and so the FW cannot
> check if it is part of an ongoing communication??
> The problem I have is that such traffic makes the "idle 60" option in my
> /etc/ppp/options useless, because there is always such a request within 60
> seconds. So the modem never hangs up.
a) cd /etc/shorewall
b) cp common.def common
c) <edit 'common' and replace the REJECT to DROP for UDP 137:139>
d) shorewall restart
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
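Step c) done mechanically, as an added example that is not Tom's or Shorewall's own code. It assumes the Shorewall 1.4 common.def carries its NETBIOS rules as run_iptables lines like the constructed sample inside the script (the real file may spell the target REJECT; the pattern matches either spelling).

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall.
# Assumption: the 'common' file holds NETBIOS rules in this shape.

# Constructed sample of the relevant lines of /etc/shorewall/common.def.
SAMPLE_COMMON='#
# Reject NETBIOS Name and Session traffic -- chatty windows systems...
#
run_iptables -A common -p udp --dport 135 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p tcp --dport 139 -j reject'

# Pattern for the rule target, matching "reject" or "REJECT".
REJECT_TARGET='-j [Rr][Ee][Jj][Ee][Cc][Tt]'

# Rewrite only the UDP 137:139 rule from reject to DROP.
# reject answers each name query with an ICMP port unreachable (the
# second tcpdump line above); that outbound packet is what keeps the
# ppp idle timer from expiring. DROP sends nothing back.
# Reads the file named in $1, writes the result to $2.
netbios_udp_reject_to_drop() {
    sed -e "/-p udp --dport 137:139 ${REJECT_TARGET}\$/s/${REJECT_TARGET}\$/-j DROP/" \
        "$1" > "$2"
}

# Check: count UDP 137:139 rules in $1 that still reply with ICMP.
# Prints 0 when none remain (grep -c still prints 0 on no match).
count_udp_netbios_rejects() {
    grep -c -- "-p udp --dport 137:139 ${REJECT_TARGET}" "$1" || true
}

# Stand-alone demo on the constructed sample. In practice run the
# function on the copied 'common' file, then 'shorewall restart'.
in_file=$(mktemp) && out_file=$(mktemp)
printf '%s\n' "$SAMPLE_COMMON" > "$in_file"
netbios_udp_reject_to_drop "$in_file" "$out_file"
echo "UDP 137:139 reject rules before: $(count_udp_netbios_rejects "$in_file")"
echo "UDP 137:139 reject rules after:  $(count_udp_netbios_rejects "$out_file")"
rm -f "$in_file" "$out_file"
```

Only the UDP 137:139 line changes; the UDP 135 and TCP 139 rules keep their original target, so check the output file before restarting.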