[Shorewall-newbies] UDP replys not dropped

Ingo Lantschner ingo.lists at vum.at
Wed Jan 7 18:30:46 PST 2004


> a) cd /etc/shorewall
> b) cp common.def common
> c) <edit 'common' and replace the REJECT to DROP for UDP 137:139>
> d) shorewall restart

Hi Tom, first of all thanks for your answer! Following your proposal I
still got this from tcpdump -i ppp0

16:53:55.240375 212.183.103.163.2637 > 212.183.92.18.135: S 
16:53:55.240601 212.183.92.18.135 > 212.183.103.163.2637: R 
...
16:55:59.210377 212.183.232.40.1104 > 212.183.92.18.microsoft-ds: S 
16:55:59.210632 212.183.92.18.microsoft-ds > 212.183.232.40.1104: R 

After a while I realized that these were *TCP* requests, which are
rejected by a rule in common. Changing common:

run_iptables -A common -p udp --dport 135         -j DROP
run_iptables -A common -p udp --dport 137:139     -j DROP
run_iptables -A common -p udp --dport 445         -j DROP
run_iptables -A common -p tcp --dport 139         -j DROP
run_iptables -A common -p tcp --dport 445         -j DROP
run_iptables -A common -p tcp --dport 135         -j DROP

Now it seems as if I have peace from this NetBIOS chatter :-)

But I also get this one every minute:
16:56:08.890368 195.3.95.5 > 224.0.0.1: igmp query v2 [ttl 1]

So the idle option of pppd never works.

Maybe I am asking too much of a firewall if I want it to protect
my dialup connection from every packet from the outside ...

Besides this, Shorewall is an exceptionally useful tool, and the
documentation is a dream! Since it is also available in French, we will
soon use it in a BnB project in Congo; very helpful for us - thanks!

Bye, Ingo.



-- 
 Tel +43-1-5955766
 Mobile +43-664-1438418
 Web http://ingo.netomania.at/
 -------------------------------------------
       Ihr und Wir -- Bino na Biso 
 http://ingo.netomania.at/bnb/de/index.html
--------------------------------------------
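The check below is an added example, not code from the post or from the Shorewall project. It reads the old one-line tcpdump format shown above and separates the packets the firewall itself sends (the RST replies that REJECT generates and that keep a dial-on-demand link busy) from the unsolicited probes arriving on ppp0, then emits the run_iptables DROP lines that would silence each probed port for the protocol actually observed. The sample lines are constructed: the TCP probes and the IGMP query are the ones from the post, plus one invented UDP NetBIOS name-service probe; the local address 212.183.92.18 is the ppp0 address in the post, the service-name map comes from /etc/services, and the protocol detection from the info field is a heuristic for this tcpdump format, not a general parser.

```python
import re
from collections import Counter

# Constructed sample in the old tcpdump one-line format: "time src.port > dst.port: info".
# Lines 1-4 and 6 are the packets quoted in the post; line 5 is an invented UDP probe.
SAMPLE = """\
16:53:55.240375 212.183.103.163.2637 > 212.183.92.18.135: S
16:53:55.240601 212.183.92.18.135 > 212.183.103.163.2637: R
16:55:59.210377 212.183.232.40.1104 > 212.183.92.18.microsoft-ds: S
16:55:59.210632 212.183.92.18.microsoft-ds > 212.183.232.40.1104: R
16:56:03.100001 212.183.200.7.1029 > 212.183.92.18.netbios-ns: udp 50
16:56:08.890368 195.3.95.5 > 224.0.0.1: igmp query v2 [ttl 1]
""".splitlines()

LOCAL_IP = "212.183.92.18"  # the ppp0 address seen in the post

# Service names tcpdump substitutes for well-known ports (values from /etc/services)
SERVICES = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
            "netbios-ssn": 139, "microsoft-ds": 445}

LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): (.*)$")


def split_endpoint(ep):
    """'a.b.c.d.port' -> (ip, port); 'a.b.c.d' (no port, e.g. IGMP) -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        ip, port = ".".join(parts[:4]), parts[4]
        return ip, int(port) if port.isdigit() else SERVICES.get(port)
    if len(parts) == 4:
        return ep, None
    raise ValueError(f"unrecognised endpoint: {ep}")


def parse_line(line):
    """Parse one tcpdump line into a record with addresses, ports and a protocol guess."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line}")
    ts, src, dst, info = m.groups()
    sip, sport = split_endpoint(src)
    dip, dport = split_endpoint(dst)
    # Heuristic (assumption): 'udp'/'igmp' prefix names the protocol; anything else in
    # this one-line format is a TCP flag field such as S, R, P, F or '.'
    if info.startswith("udp"):
        proto = "udp"
    elif info.startswith("igmp"):
        proto = "igmp"
    else:
        proto = "tcp"
    return {"time": ts, "src": sip, "sport": sport, "dst": dip, "dport": dport,
            "proto": proto, "info": info}


def outbound_replies(lines, local_ip=LOCAL_IP):
    """Packets the firewall itself sent. With REJECT in 'common' these are the RSTs that
    count as link activity; once the ports are DROPped this list should be empty."""
    return [r for r in map(parse_line, lines) if r["src"] == local_ip]


def probed_ports(lines, local_ip=LOCAL_IP):
    """Counter of (proto, dport) for unsolicited packets aimed at the firewall's address."""
    counts = Counter()
    for r in map(parse_line, lines):
        if r["dst"] == local_ip and r["dport"] is not None:
            counts[(r["proto"], r["dport"])] += 1
    return counts


def drop_rules(lines, local_ip=LOCAL_IP):
    """Lines in the run_iptables form used in the post that silently DROP every
    probed port, for the protocol (TCP or UDP) actually seen on the wire."""
    return [f"run_iptables -A common -p {proto} --dport {port} -j DROP"
            for proto, port in sorted(probed_ports(lines, local_ip))]


if __name__ == "__main__":
    for r in outbound_replies(SAMPLE):
        print("reply sent by firewall:", r["time"], r["proto"], "port", r["sport"], r["info"])
    print("\n".join(drop_rules(SAMPLE)))
```

The two "R" lines come back as firewall-sent replies, which is why REJECT for TCP alone defeats an idle timeout, and the generated rules cover both TCP 135/445 and UDP 137, matching the mixed-protocol list in the post. The IGMP query parses as an inbound packet with no port and produces no rule: it is not something the firewall answers, and only a pppd link-activity filter (pppd's active-filter option), not a packet filter, decides whether such inbound traffic resets the idle timer.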
