Mark Cheney
2003-Jan-06 02:08 UTC
[Shorewall-users] Help denying request attempts at TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139.
Hi all,

I have shorewall up and running on my system (GNU-Linux Mandrake 9). When I tested my firewall at grc.com, Shields-Up informs me that ports 113 and 135 are closed and not 'stealthed'.

When reading the FAQ on the Shorewall site I saw that shorewall rejects rather than denies connection requests on 'TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139'.

The file /etc/shorewall/common.def advises me not to edit the file but rather to create a new one.

Can anyone give me an idea on how to do this so that the above ports deny request attempts?

I guess this must be a fairly common question on the list, but a search yielded nothing at the mailing list archive.

Thanks for any help.

Mark Cheney.
Vincent Bernat
2003-Jan-06 04:01 UTC
[Shorewall-users] Help denying request attempts at TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139.
OoO On this radiant late morning of Monday, 6 January 2003, around 11:08, Mark Cheney <chenes@powerup.com.au> said:

> When reading the faq on the Shorewall site I saw that shorewall rejects rather
> than denies connection requests on 'TCP ports 113, 135, 137 and 139
> as well as UDP ports 137-139'.

> The file /etc/shorewall/common.def advises me not to edit the file but rather
> to create a new one.

> Can anyone give me an idea on how to do this so that the above ports deny
> request attempts.

You mean "drop"? Depending on your policy, I think an empty file will just do the trick.
--
BOFH excuse #52: Smell from unhygienic janitorial staff wrecked the tape heads
Tom Eastep
2003-Jan-06 05:44 UTC
[Shorewall-users] Help denying request attempts at TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139.
--On Monday, January 06, 2003 01:01:07 PM +0100 Vincent Bernat <bernat@free.fr> wrote:

>> The file /etc/shorewall/common.def advises me not to edit the file but
>> rather to create a new one.
>
>> Can anyone give me an idea on how to do this so that the above ports
>> deny request attempts.
>
> You mean "drop"? Depending on your policy, I think an empty file will
> just do the trick.

A better approach is to:

a) create the new /etc/shorewall/common file.
b) copy the relevant rules from common.def to common
c) change the target in the rules from 'reject' to DROP
d) make the last line in the file ". /etc/shorewall/common.def"

Make a note to yourself to not come whining to the list when you can't connect to many FTP sites.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
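Steps a) to d) from the message above as a script, added here as an example that is not part of the original thread and not Shorewall's own code. It assumes each rule in common.def is a single line whose last word is the target; the sample rules are constructed rather than copied from the shipped file, and `make_common` and `sample_def` are hypothetical names.

```shell
#!/bin/sh
# Added example, not Shorewall's own code.
# Assumption: every rule in common.def is one line whose last word is the
# target (reject or REJECT), as in the constructed sample further down.

# make_common DEF_FILE [INCLUDE_PATH]
# Prints the content for /etc/shorewall/common: the reject rules for
# TCP 113, 135, 137, 139 and UDP 137-139 with the target changed to DROP.
make_common() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $NF != "reject" && $NF != "REJECT" { next }    # keep reject rules only
        {
            proto = ""; port = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if ((proto == "tcp" && port ~ /^(113|135|137|139)$/) ||
                (proto == "udp" && port ~ /^(137|138|139|137:139)$/)) {
                $NF = "DROP"                           # step c
                print
            }
        }
    ' "$1"
    # Step d: source the stock file last. iptables walks a chain in order,
    # so the DROP rules appended above match before the stock reject rules.
    printf '. %s\n' "${2:-/etc/shorewall/common.def}"
}

# Constructed sample standing in for common.def (not the shipped file).
sample_def() {
    cat <<'EOF'
# NETBIOS chatter
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p tcp --dport 139 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
# UPnP (already DROP, left to the stock file)
run_iptables -A common -p udp --dport 1900 -j DROP
# AUTH
run_iptables -A common -p tcp --dport 113 -j reject
EOF
}

tmp=$(mktemp)
sample_def > "$tmp"
make_common "$tmp"
rm -f "$tmp"
```

Review the printed rules against your own common.def before saving them as /etc/shorewall/common.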
Mark Cheney
2003-Jan-06 06:31 UTC
[Shorewall-users] Help denying request attempts at TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139.
Thank you Vincent and Tom, using the method that Tom recommends I so far am having no problems with FTP. I'll keep my fingers crossed. Thanks again for your help.

Mark Cheney.

On Mon, 6 Jan 2003 11:44 pm, Tom Eastep wrote:
> >> The file /etc/shorewall/common.def advises me not to edit the file but
> >> rather to create a new one.
> >>
> >> Can anyone give me an idea on how to do this so that the above ports
> >> deny request attempts.
> >
> > You mean "drop" ? Depending of your policy, I think an empty file will
> > just do the trick.
>
> A better approach is to:

> Make a note to yourself to not come whining to the list when you can't
> connect to many FTP sites.
>
> -Tom
Tom Eastep
2003-Jan-06 06:34 UTC
[Shorewall-users] Help denying request attempts at TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139.
--On Tuesday, January 07, 2003 12:31:06 AM +1000 Mark Cheney <chenes@powerup.com.au> wrote:

> Thank you Vincent and Tom, using the method that Tom recommends I so far
> am having no problems with FTP. I'll keep my fingers crossed.
>

FTP isn't the only outgoing connection that will eventually give you problems. It was just the one that came to mind as I was writing my response.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net