[Shorewall-users] Policy Rules not working as expected (fwd)
Thu, 25 Apr 2002 20:02:38 -0500
Tom Eastep wrote:
> On Thu, 25 Apr 2002, Jerry Vonau wrote:
> > Hi David:
> > could this be the problem:
> > ACCEPT net fw udp 137:139
> > #SAMBA
> > shouldn't that be 137,139??
> No -- UDP 138 is the netbios datagram service which you need to allow.
I was referring to the syntax of the port range, not the
Which is correct: 137:139, 137,139, or both?
> > To everybody:
> > to limit access, can't you do something like:
> > ACCEPT net fw udp 137,139
> > - <ip of allowed comp>
> No -- that is an invalid rule. The correct way to do that would be:
> ACCEPT net:<ip of allowed comp> fw udp 137:139
OK, I blew that one..... Must think before speaking or at least look at my own rules. ;-)
> Alas, David has dynamic IPs.
> I've been working privately with David and his situation is very odd. The
> packets that are getting rejected have SOURCE port 137 so they look like
> replies but there is NO entry in the connection tracking table that
> matches these packets. This means that the RELATED, ESTABLISHED rule at
> the head of the 'net2fw' chain is not passing the packets as it normally
That is a little weird, problems with ip_conntrack? That is not very reassuring.
Just curious, what kernel version is this puppy running?
> David and I welcome other ideas. If David hasn't made any more progress,
> we have to start looking at tcpdump traces.
Going on the assumption that there is a hub/switch between the 2 computers and the adsl modem, could you not use MAC addresses to