[Shorewall-users] Ports 139 and 445 are accepted after upgrade

Tom Eastep teastep at shorewall.net
Wed Dec 31 07:27:09 PST 2003


On Wednesday 31 December 2003 04:20 am, Mario Juric wrote:

>
> I have without success searched the mandrake site and the web for anything
> describing a similar problem just to get an indication where the problem
> actually is. Finally, I have decided to revert to my backed up 9.1
> installation. If anyone runs into similar problems and finds some answers,
> please send me a notice. Thanks.
>

Mario, if you would install a fresh version of Shorewall right out of the box 
it would work exactly as you report (see FAQ #4). The fact that it didn't 
work that way before the upgrade suggests to me that either:

a) you (or possibly Mandrake) modified the /etc/shorewall/common.def file 
that you were previously using. When you upgraded, a new common.def file 
overwrote your old one and the default behavior was restored; or

b) you (or possibly Mandrake) had previously created /etc/shorewall/common and 
added a set of rules that dropped SMB noise and that file is no longer 
present after the upgrade; or

c) you were previously running an old enough version of Shorewall that ports 
139 and 445 weren't REJECTed (but it would have had to have been *quite* 
old).

In any event, the port-scan results that you report DO NOT MEAN THAT THERE IS 
A SECURITY HOLE. It merely means that your firewall is REJECTing connection 
requests on these ports rather than ignoring them.

Finally, I've had so many people report this "bug" in Shorewall that I've 
given up; in Shorewall 1.4.9 Shorewall will silently drop all Windows SMB 
noise rather than reject it so that I don't get more of these "There is a 
horrible hole in my firewall" reports. So if you upgrade to the 1.4.9 Beta 
(either 1 or 2), you will eliminate this non-problem once and for all.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
