[Shorewall-users] Policy Rules not working as expected (fwd)
Thu, 25 Apr 2002 16:28:02 -0700 (Pacific Daylight Time)
On Thu, 25 Apr 2002, Jerry Vonau wrote:
> Hi David:
> could this be the problem:
> ACCEPT net fw udp 137:139
> shouldn't that be 137,139??
No -- UDP 138 is the netbios datagram service which you need to allow.
> To everybody:
> to limit access, can't you do something like:
> ACCEPT net fw udp 137,139 - <ip of allowed comp>
No -- that is an invalid rule. The correct way to do that would be:
ACCEPT net:<ip of allowed comp> fw udp 137:139
Alas, David has dynamic IPs.
I've been working privately with David and his situation is very odd. The
packets that are getting rejected have SOURCE port 137 so they look like
replies but there is NO entry in the connection tracking table that
matches these packets. This means that the RELATED, ESTABLISHED rule at
the head of the 'net2fw' chain is not passing the packets as it normally
David and I welcome other ideas. If David hasn't made any more progress,
we have to start looking at tcpdump traces.
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
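Tom's diagnosis above rests on one check: inbound packets with source port 137 that have no matching entry in the connection tracking table, which is why the RELATED,ESTABLISHED rule at the head of net2fw cannot accept them. The following script, added here as an illustration and not part of the original thread or of Shorewall, automates that check offline: it parses a constructed /proc/net/ip_conntrack dump (2.4-kernel layout, which is an assumption about the format) and a constructed `tcpdump -n` capture, and lists every inbound packet from a NetBIOS source port that conntrack does not cover. The addresses and the function names are invented for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Five-tuple as conntrack would see it: (proto, src, sport, dst, dport).
Key = Tuple[str, str, int, str, int]

# Constructed sample of /proc/net/ip_conntrack (2.4-era layout, assumed);
# documentation-range addresses, not anyone's real hosts.
CONNTRACK_SAMPLE = """\
udp      17 25 src=192.168.1.10 dst=203.0.113.5 sport=137 dport=137 src=203.0.113.5 dst=192.168.1.10 sport=137 dport=137 use=1
udp      17 170 src=192.168.1.10 dst=203.0.113.5 sport=1025 dport=53 [UNREPLIED] src=203.0.113.5 dst=192.168.1.10 sport=53 dport=1025 use=1
"""

# Constructed inbound packets in 'tcpdump -n' style on the external interface.
TCPDUMP_SAMPLE = """\
16:28:01.000001 203.0.113.5.137 > 192.168.1.10.137: udp 50
16:28:01.000002 198.51.100.7.137 > 192.168.1.10.137: udp 50
16:28:01.000003 203.0.113.5.53 > 192.168.1.10.1025: udp 80
16:28:01.000004 198.51.100.7.138 > 192.168.1.10.138: udp 200
"""

NETBIOS_PORTS = {137, 138, 139}

_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
_PKT_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)"
)


def parse_conntrack(text: str) -> Set[Key]:
    """Return every direction conntrack would recognise as part of a tracked flow."""
    keys: Set[Key] = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        # Each entry carries two tuples: the original direction and the reply
        # direction; a packet matching either is ESTABLISHED (or becomes so).
        for src, dst, sport, dport in _TUPLE_RE.findall(line):
            keys.add((proto, src, int(sport), dst, int(dport)))
    return keys


def parse_packets(text: str) -> List[Dict]:
    """Parse 'tcpdump -n' UDP lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = _PKT_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, length = m.groups()
        packets.append({"ts": ts, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "len": int(length)})
    return packets


def untracked_netbios_packets(conntrack_text: str, tcpdump_text: str) -> List[Dict]:
    """Inbound packets from a NetBIOS source port that no conntrack entry covers.

    These are exactly the packets a RELATED,ESTABLISHED rule cannot accept: they
    look like replies, but the kernel has no flow to associate them with, so they
    fall through to the later rules and, for a dynamic-IP peer, to the policy.
    """
    tracked = parse_conntrack(conntrack_text)
    orphans = []
    for p in parse_packets(tcpdump_text):
        if p["sport"] not in NETBIOS_PORTS:
            continue
        key: Key = ("udp", p["src"], p["sport"], p["dst"], p["dport"])
        if key not in tracked:
            orphans.append(p)
    return orphans


if __name__ == "__main__":
    for p in untracked_netbios_packets(CONNTRACK_SAMPLE, TCPDUMP_SAMPLE):
        print(f"{p['ts']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              "has no conntrack entry")
```

On the constructed samples the first packet matches the reply tuple of a tracked flow and is therefore ESTABLISHED, the third is a DNS reply to an UNREPLIED entry and is also accepted by conntrack, and the two packets from 198.51.100.7 are the odd ones out: NetBIOS source ports with no tracked flow in either direction. Running the same comparison against a real `cat /proc/net/ip_conntrack` and a `tcpdump -n -i <external interface> udp` capture taken at the same moment is the check Tom describes, and it separates "conntrack lost the entry" from "the peer is sending unsolicited datagrams".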