[Shorewall-users] Policy Rules not working as expected (fwd)

Jerry Vonau jvonau@shaw.ca
Thu, 25 Apr 2002 20:02:38 -0500


Tom:

Tom Eastep wrote:
> 
> On Thu, 25 Apr 2002, Jerry Vonau wrote:
> 
> > Hi David:
> >
> > could this be the problem:
> >
> > ACCEPT          net     fw              udp     137:139
> > #SAMBA
> >
> > shouldn't that be 137,139??
> 
> No -- UDP 138 is the netbios datagram service which you need to allow.

I was referring to the syntax of the port range, not the ports involved.
Which is correct: 137:139, 137,139, or both?

> >
> > To everybody:
> >
> > to limit access, can't you do something like:
> >
> > ACCEPT          net     fw              udp     137,139
> > -    <ip of allowed comp>
> >
> 
> No -- that is an invalid rule. The correct way to do that would be:
> 
> ACCEPT  net:<ip of allowed comp>        fw      udp     137:139
> 

OK, I blew that one..... Must think before speaking or at least look at my own rules. ;-)


> Alas, David has dynamic IPs.
> 
> I've been working privately with David and his situation is very odd. The
> packets that are getting rejected have SOURCE port 137 so they look like
> replies but there is NO entry in the connection tracking table that
> matches these packets. This means that the RELATED, ESTABLISHED rule at
> the head of the 'net2fw' chain is not passing the packets as it normally
> would.

That is a little weird; problems with ip_conntrack? That is not very reassuring.
Just curious, what kernel version is this puppy running?
 
> David and I welcome other ideas. If David hasn't made any more progress,
> we have to start looking at tcpdump traces.

Going on the assumption that there is a hub/switch between the 2 computers and the ADSL modem, could you not use MAC addresses to filter on?
 

Jerry
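To make the two points in this exchange concrete (137:139 is a range that includes UDP 138, the netbios datagram service, while 137,139 is a list that skips it; and `net:<ip>` narrows a rule to one source host), here is an added illustration that is not Shorewall's own code: a small model of how a rules line selects packets. It assumes the zone names `net` and `fw` from the thread, iptables-style range (`:`) and list (`,`) port semantics, a DROP zone policy, and constructed 192.0.2.x addresses in place of the real ones.

```python
# Added illustration, not Shorewall code: model how a rules line such as
#   ACCEPT  net:<ip>  fw  udp  137:139
# selects packets. Port semantics follow iptables: "a:b" is an inclusive
# range, "a,b" a list (assumption: Shorewall passes both through unchanged).
from dataclasses import dataclass
from ipaddress import ip_address


def parse_ports(spec: str) -> set[int]:
    """Expand a DEST PORT field: '137:139' -> {137,138,139}, '137,139' -> {137,139}."""
    ports: set[int] = set()
    for item in spec.split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    source: str  # "net" or "net:<ip>" (zone, optionally qualified by host)
    dest: str
    proto: str
    ports: str

    def matches(self, pkt: Packet) -> bool:
        zone, _, host = self.source.partition(":")
        if zone != pkt.src_zone or self.dest != pkt.dst_zone:
            return False
        # A host qualifier restricts the rule to that one source address.
        if host and ip_address(host) != ip_address(pkt.src_ip):
            return False
        return self.proto == pkt.proto and pkt.dport in parse_ports(self.ports)


def parse_rule(line: str) -> Rule:
    """Parse the five-column form used in the thread: ACTION SOURCE DEST PROTO PORTS."""
    action, source, dest, proto, ports = line.split()
    return Rule(action, source, dest, proto, ports)


def decide(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; fall through to the (assumed) DROP zone policy."""
    return next((r.action for r in rules if r.matches(pkt)), "DROP")
```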