Francesca C Smith
2003-Dec-03 08:59 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 13, Issue 9

Hello,

You are over engineering your firewall rules .. Real does not need to connect to your client machine .. It tries to do that idiotic pop-up .. You can drop the 6970,6971 requests ..

I personally do the reverse .. on outbound that is .. I block all the nasty ports .. and allow the rest .. This serves a Baltimore Row House with 4 wireless clients off one ADSL connection. No one has complained yet about anything related to using the Internet and they are protected from it .. And themselves ..

My Rules ... Including DMZ Rules ..

<snip>
# No Logging Bogus In-Bound Real
DROP    net     loc     udp     6970:7170
#MicroCrap Ports
DROP    loc     net     tcp     135,139,445,593,666:765,1433,1434,1728,3333,4444,5732
DROP    loc     dmz     udp     69,135,137,138,1433,1434
DROP    loc     dmz     tcp     135,139,445,593,666:765,1214,1433,1434,1728,3333,4444,5732
DROP    loc     net     udp     69,135,137,138,1433,1434

Note: The DROP rule suppresses the logging of the Real pop-up requests.

Francesca

At 11:28 AM 12/3/2003, you wrote:
>Dec 3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0
>SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53
>ID=52571
>PROTO=UDP SPT=1339 DPT=6790 LEN=500
>
>What's my mistake now ?
>
>Oliver

"No Problems Only Solutions"
Francesca C. Smith
Lady Linux Internet Services
fsmith@ladylinux.com
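Added example, not part of the thread or of Shorewall itself: a small Python checker that parses a netfilter log line carrying a Shorewall log prefix (the `Shorewall:<chain>:<disposition>:` format quoted above, where the chain name `net2wlan` encodes the source and destination zones) and tests the logged packet against rules written in Shorewall's rules-file column order (ACTION SOURCE DEST PROTO DEST PORTS). The log lines and rules below are constructed for the example; the rules spell the destination zone `wlan` rather than `loc` so they line up with Oliver's chain name, which is an assumption about his zone naming. Run against the quoted packet (DPT=6790), the checker reports no match for the 6970:7170 rule, because 6790 lies outside that range; a second constructed packet on port 6970 does match.

```python
"""Check which Shorewall rule (if any) a logged packet would have hit."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines. The first copies the shape of the kernel log
# line quoted in the thread; the second is a made-up variant with the
# destination port moved into the 6970:7170 range.
SAMPLE_LOGS = [
    "Dec 3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 "
    "SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 "
    "ID=52571 PROTO=UDP SPT=1339 DPT=6790 LEN=500",
    "Dec 3 15:09:07 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 "
    "SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 "
    "ID=52572 PROTO=UDP SPT=1339 DPT=6970 LEN=500",
]

# Assumed rules in Shorewall rules-file column order
# (ACTION SOURCE DEST PROTO DEST_PORTS). The zone is spelled "wlan" to match
# the chain name in the log; the post itself uses "loc".
SAMPLE_RULES = [
    "DROP net wlan udp 6970:7170",
    "DROP wlan net tcp 135,139,445,593,666:765,1433,1434,1728,3333,4444,5732",
    "DROP wlan net udp 69,135,137,138,1433,1434",
]

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)"
)


def parse_log(line: str) -> Optional[Dict[str, str]]:
    """Parse one netfilter log line written with a Shorewall log prefix.

    The chain name 'src2dst' gives the zone pair (assumes zone names contain
    no digit '2'); the remaining KEY=VALUE pairs are the usual netfilter
    fields. 'LEN' appears twice (IP and UDP), so the last value wins here.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    src_zone, _, dst_zone = m.group("chain").partition("2")
    pkt.update({"SRC_ZONE": src_zone, "DST_ZONE": dst_zone,
                "DISPOSITION": m.group("disposition")})
    return pkt


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn a Shorewall port list such as '69,135,666:765' into (lo, hi) pairs."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rule(line: str) -> Dict[str, object]:
    """Split a rules-file line into its five columns."""
    action, src, dst, proto, ports = line.split()
    return {"action": action, "src": src, "dst": dst,
            "proto": proto.lower(), "ports": parse_ports(ports)}


def rule_matches(rule: Dict[str, object], pkt: Dict[str, str]) -> bool:
    """True if the rule's zones, protocol and destination ports cover pkt."""
    if rule["src"] != pkt["SRC_ZONE"] or rule["dst"] != pkt["DST_ZONE"]:
        return False
    if rule["proto"] != pkt.get("PROTO", "").lower():
        return False
    dport = int(pkt.get("DPT", -1))
    return any(lo <= dport <= hi for lo, hi in rule["ports"])


def first_matching_rule(line: str, rules: List[str]) -> Optional[str]:
    """Return the first rule (in file order) that would match the logged packet."""
    pkt = parse_log(line)
    if pkt is None:
        return None
    for rule in rules:
        if rule_matches(parse_rule(rule), pkt):
            return rule
    return None


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        pkt = parse_log(log)
        print(f"{pkt['SRC_ZONE']}->{pkt['DST_ZONE']} {pkt['PROTO']} "
              f"dport {pkt['DPT']}: {first_matching_rule(log, SAMPLE_RULES)}")
```

Matching is by zone pair, protocol and destination port only, which is what the five-column rules above express; a real Shorewall rule can also carry source ports and addresses, and a non-matching packet falls through to the zone policy, which is what produced the logged DROP in the first place.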
2003-Dec-03 08:59 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 13, Issue 9
Hello, You are over engineering your firewall rules .. Real does not need to connect to your client machine .. It tries to do that idiotic pop-up .. You can drop the 6970,6971 requests I personally do the reverse .. on out bound that is .. I block all the nasty ports .. and allow the rest .. This serves a Baltimore Row House with 4 wireless clients off one ADSL connection. No one has complained yet about anything related to using the Internet and they are protected from it .. And themselves .. My Rules ... Including DMZ Rules .. <snip> # No Logging Bogus In-Bound Real DROP net loc udp 6970:7170 #MicroCrap Ports DROP loc net tcp 135,139,445,593,666:765,1433,1434,1728,3333,4444,5732 DROP loc dmz udp 69,135,137,138,1433,1434 DROP loc dmz tcp 135,139,445,593,666:765,1214,1433,1434,1728,3333,4444,5732 DROP loc net udp 69,135,137,138,1433,1434 Note: The DROP rule suppresses the logging of the real pop up requests . Francesca At 11:28 AM 12/3/2003, you wrote:>Dec 3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 >SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 >ID=52571 >PROTO=UDP SPT=1339 DPT=6790 LEN=500 > >Whats my mistake now ? > >Oliver"No Problems Only Solutions" Francesca C. Smith Lady Linux Internet Services fsmith@ladylinux.com