[Shorewall-newbies] Shorewall 1.4.9 + Reject/Drop/Stealth

Ow Mun Heng ow.mun.heng at wdc.com
Tue Jan 27 15:07:10 PST 2004

> -----Original Message-----
> From: Tom Eastep [mailto:teastep at shorewall.net]
> Sent: Wednesday, January 14, 2004 5:52 AM

Shorewall version 1.4.7
iptables 1.2.7a
RH9 + Kernel 2.4.24

Quoting from the release notes:
2) To cut down on the number of "Why are these ports closed rather than
   stealthed?" questions, the SMB-related rules in
   /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.

So, does this mean that now, when I audit/scan my PC's firewall rules
from places like auditmypc.com etc., I won't get the <CLOSED> status, and
then have them tell me that my ports are actually responding and that
this is not a good way to go?

I tried changing the all2all from REJECT to DROP and re-running it, but
still get the warning.

Challenge my understanding (or lack of), please.

Second one:

6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
   (non-syn TCP packets that are not part of an existing connection are
   filtered according to the rules and policies rather than being
   dropped). I have made this change for two reasons:

   a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
   any timeout during TCP session tear down results in the firewall
   dropping all of the retries.

   b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
   lots of confusing messages when a connection got "stuck". While I
   could have changed the default value of LOGNEWNOTSYN to suppress
   logging, I dislike defaults that silently throw away packets.

During my web-surfing sessions, I tend to see a few of these newnotsyn
and I'm wondering if this is because the webserver's actually just pinging
(some are ICMP packets) my box due to item 6(a).
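
An added example, not part of the original post and not Shorewall's own code: a small log triage script that sorts `newnotsyn` entries by TCP flags, so late FIN/RST retries of the kind release note 6(a) describes can be told apart from other non-SYN packets. The sample lines are constructed (assuming the usual netfilter LOG layout with a `Shorewall:<chain>:<disposition>:` prefix), and the category labels are hypothetical names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges), assuming the
# netfilter LOG layout with a "Shorewall:<chain>:<disposition>:" prefix.
SAMPLE_LOG = """\
Jan 27 14:01:02 fw kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=33412 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Jan 27 14:01:05 fw kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=33412 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Jan 27 14:03:40 fw kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TTL=47 PROTO=TCP SPT=443 DPT=33950 WINDOW=0 RES=0x00 RST URGP=0
Jan 27 14:05:11 fw kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=40 TTL=240 PROTO=TCP SPT=4511 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Jan 27 14:06:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=84 TTL=50 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse(line):
    """Split one log line into chain, disposition, KEY=VALUE fields and TCP flags."""
    m = PREFIX.search(line)
    if not m:
        return None
    tokens = m["rest"].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = frozenset(t for t in tokens if t in FLAG_NAMES)
    return {"chain": m["chain"], "disp": m["disp"], "flags": flags, **fields}

def classify(entry):
    """Heuristic label for an entry, based on its chain, protocol and TCP flags."""
    if entry["chain"] != "newnotsyn":
        return "other-chain"
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    if entry["flags"] & {"FIN", "RST"}:
        return "teardown-retry"  # late FIN/RST for a connection no longer tracked
    return "stray-non-syn"       # e.g. a bare ACK with no tracked connection

def summarize(text):
    """Count log entries per label, skipping lines without the Shorewall prefix."""
    entries = filter(None, map(parse, text.splitlines()))
    return Counter(classify(e) for e in entries)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label:15} {count}")
```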
