[Shorewall-users] Policy Rules not working as expected (fwd)

Tom Eastep teastep@shorewall.net
Thu, 25 Apr 2002 16:28:02 -0700 (Pacific Daylight Time)


On Thu, 25 Apr 2002, Jerry Vonau wrote:

> Hi David:
>
> could this be the problem:
>
> ACCEPT          net     fw              udp     137:139
> #SAMBA
>
> shouldn't that be 137,139??

No -- UDP 138 is the netbios datagram service which you need to allow.

>
> To everybody:
>
> to limit access, can't you do something like:
>
> ACCEPT          net     fw              udp     137,139
> -    <ip of allowed comp>
>

No -- that is an invalid rule. The correct way to do that would be:

ACCEPT	net:<ip of allowed comp>	fw	udp	137:139

Alas, David has dynamic IPs.

I've been working privately with David and his situation is very odd. The
packets that are getting rejected have SOURCE port 137 so they look like
replies but there is NO entry in the connection tracking table that
matches these packets. This means that the RELATED, ESTABLISHED rule at
the head of the 'net2fw' chain is not passing the packets as it normally
would.

David and I welcome other ideas. If David hasn't made any more progress,
we have to start looking at tcpdump traces.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net