A scan of my system from a friend's box has shown all my UDP ports to be open. Is this the default configuration for Shorewall and if it is, why?

Many thanks,
Simon
On Wed, 17 Apr 2002, Simon Turvey wrote:

> A scan of my system from a friend's box has shown all my UDP ports to be
> open. Is this the default configuration for Shorewall and if it is, why?

Read the documentation of nmap CAREFULLY. If nmap does not get a "port unreachable" ICMP response, then it reports the port open -- in particular, if it gets NO RESPONSE it reports the port as open.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
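To make Tom's point concrete, here is an added example (my own Python, not nmap's or Shorewall's code) that probes a UDP port the way a scanner has to and shows the three possible outcomes on loopback: an ICMP port unreachable (the only proof that a port is closed), a datagram that a service answers (open), and silence, which is what a firewall that DROPs the probe looks like and what current nmap labels open|filtered. It assumes a Linux-style kernel that delivers the ICMP error as ECONNREFUSED on a connected UDP socket; the listener sockets and the 127.0.0.1 addresses are set up by the example itself and are not taken from the thread.

```python
import errno
import socket
import threading

OPEN = "open"                       # the target answered our datagram
CLOSED = "closed"                   # the target sent ICMP port unreachable
OPEN_OR_FILTERED = "open|filtered"  # nothing came back: open, or DROPped


def probe_udp_port(host, port, timeout=1.0, payload=b"\x00"):
    """Send one datagram and classify the port the way a UDP scanner must.

    Only an ICMP port-unreachable proves the port is closed. Silence cannot
    distinguish an open service that ignores our payload from a firewall
    that silently drops the probe, so it is reported as open|filtered.
    The socket is connect()ed so that the kernel reports the ICMP error to
    us (as ECONNREFUSED on the next recv) instead of discarding it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.send(payload)
        try:
            sock.recv(1024)
            return OPEN
        except socket.timeout:
            return OPEN_OR_FILTERED
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                return CLOSED
            raise
    finally:
        sock.close()


def _bind_local():
    """Bind a UDP socket on loopback; the kernel picks a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    return sock


def _closed_port():
    """Return a port number with nothing listening on it."""
    sock = _bind_local()
    port = sock.getsockname()[1]
    sock.close()
    return port


def _start_echo(sock):
    """Answer the first datagram that arrives, like a service that replies."""
    def serve():
        try:
            data, peer = sock.recvfrom(1024)
            sock.sendto(data, peer)
        except OSError:
            pass
    threading.Thread(target=serve, daemon=True).start()


def demo(timeout=0.5):
    """Probe three loopback ports (constructed here) and return {case: verdict}."""
    silent = _bind_local()   # bound but never read: indistinguishable from DROP
    echo = _bind_local()
    _start_echo(echo)
    try:
        return {
            "closed": probe_udp_port("127.0.0.1", _closed_port(), timeout),
            "silent": probe_udp_port("127.0.0.1", silent.getsockname()[1], timeout),
            "echo": probe_udp_port("127.0.0.1", echo.getsockname()[1], timeout),
        }
    finally:
        silent.close()
        echo.close()


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:7s} -> {verdict}")
```

The "silent" case is the one a friend scanning a Shorewall box from outside sees on every UDP port: the default policy drops the probe, no ICMP comes back, and the scanner can only say "open or filtered". A scan therefore never confirms that UDP is closed; reading the ruleset on the firewall itself, or capturing on the target, does.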
Aha, my apologies. Thanks for the quick response.

Any thoughts on the e-mail I accidentally sent to your personal address last night regarding the display at startup of the fact that UDP 500, ESP, and AH are permitted when tunnels are configured? At the moment this is a bit hidden behind-the-scenes.

Thanks again,
Simon

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Simon Turvey" <turveysp@ntlworld.com>
Cc: <shorewall-users@shorewall.net>
Sent: Wednesday, April 17, 2002 5:00 PM
Subject: Re: [Shorewall-users] UDP ports

> On Wed, 17 Apr 2002, Simon Turvey wrote:
>
> > A scan of my system from a friend's box has shown all my UDP ports to be
> > open. Is this the default configuration for Shorewall and if it is, why?
>
> Read the documentation of nmap CAREFULLY. If nmap does not get a "port
> unreachable" ICMP response, then it reports the port open -- in
> particular, if it gets NO RESPONSE it reports the port as open.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
On Wed, 17 Apr 2002, Simon Turvey wrote:

> Aha, my apologies. Thanks for the quick response.
>
> Any thoughts on the e-mail I accidentally sent to your personal address last
> night regarding the display at startup of the fact that UDP 500, ESP, and AH
> are permitted when tunnels are configured? At the moment this is a bit
> hidden behind-the-scenes.

I guess that I have to wonder what you thought Shorewall was doing with the tunnel information if it wasn't using it to allow the tunnel to work?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> On Wed, 17 Apr 2002, Simon Turvey wrote:
>
> > Aha, my apologies. Thanks for the quick response.
> >
> > Any thoughts on the e-mail I accidentally sent to your personal address last
> > night regarding the display at startup of the fact that UDP 500, ESP, and AH
> > are permitted when tunnels are configured? At the moment this is a bit
> > hidden behind-the-scenes.
>
> I guess that I have to wonder what you thought Shorewall was doing with
> the tunnel information if it wasn't using it to allow the tunnel to work?

Ah, you see, I prefer not to automatically assume that or that I have configured everything correctly. With this in mind I wanted to confirm that Shorewall was handling this correctly as opposed to me just having misconfigured something and allowing everything through. I figured it was quicker to ask you this than trawl through an iptables -L manually.

Thanks,
Simon
Simon Turvey wrote:

> ...
> > I guess that I have to wonder what you thought Shorewall was doing with
> > the tunnel information if it wasn't using it to allow the tunnel to work?
>
> Ah, you see, I prefer not to automatically assume that or that I have
> configured everything correctly. With this in mind I wanted to confirm that
> Shorewall was handling this correctly as opposed to me just having
> misconfigured something and allowing everything through. I figured it was
> quicker to ask you this than trawl through an iptables -L manually.

But you would have learned a lot more by trawling through the iptables -L manually... :-)

Paul
http://paulgear.webhop.net
On Thu, 18 Apr 2002, Paul Gear wrote:

> Simon Turvey wrote:
>
> > ...
> > > I guess that I have to wonder what you thought Shorewall was doing with
> > > the tunnel information if it wasn't using it to allow the tunnel to work?
> >
> > Ah, you see, I prefer not to automatically assume that or that I have
> > configured everything correctly. With this in mind I wanted to confirm that
> > Shorewall was handling this correctly as opposed to me just having
> > misconfigured something and allowing everything through. I figured it was
> > quicker to ask you this than trawl through an iptables -L manually.
>
> But you would have learned a lot more by trawling through the iptables -L
> manually... :-)

Nevertheless, I've updated the IPSEC documentation to make it clear what the entries in /etc/shorewall/tunnels do.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
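The check Simon wanted, that the tunnel entries let through exactly IKE (UDP 500), ESP and AH and nothing wider, can be done against the generated ruleset rather than by asking. This added example (my own code, not Shorewall's) parses the `-A` lines in the format that `iptables -S` prints, a rule listing in save syntax that is easier to parse than the `iptables -L` table mentioned above, and reports for each of the three which source addresses are accepted, flagging any that is accepted from anywhere. The two rule listings, the chain name INPUT and the peer address 192.0.2.1 are constructed for the example and are not real Shorewall output.

```python
# Constructed sample: a ruleset that permits IKE, ESP and AH only from one
# peer gateway (192.0.2.1), with everything else dropped. Not real Shorewall output.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.1/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 192.0.2.1/32 -p esp -j ACCEPT
-A INPUT -s 192.0.2.1/32 -p ah -j ACCEPT
-A INPUT -p udp -j DROP
"""

# Constructed sample of the misconfiguration Simon feared: IKE and ESP are
# accepted from any source, only AH is restricted to the peer.
LOOSE_RULES = """\
-P INPUT DROP
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s 192.0.2.1/32 -p ah -j ACCEPT
"""

ANY_SOURCE = "0.0.0.0/0"   # what iptables means when a rule has no -s


def parse_rules(text):
    """Turn each '-A CHAIN ...' line into a dict of the fields we care about.

    Match options we do not understand (-m state, -i lo, ...) are skipped,
    so unrelated rules still parse; an absent -s means 'from anywhere'.
    """
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "proto": None, "dport": None,
                "src": ANY_SOURCE, "target": None}
        i = 2
        while i < len(toks):
            opt = toks[i]
            if opt == "-p":
                rule["proto"] = toks[i + 1]
                i += 2
            elif opt == "--dport":
                rule["dport"] = toks[i + 1]
                i += 2
            elif opt == "-s":
                rule["src"] = toks[i + 1]
                i += 2
            elif opt == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def ipsec_acceptance(text, chain="INPUT"):
    """For IKE, ESP and AH, list the sources that ACCEPT rules in `chain` allow."""
    allowed = {"ike": [], "esp": [], "ah": []}
    for r in parse_rules(text):
        if r["chain"] != chain or r["target"] != "ACCEPT":
            continue
        if r["proto"] == "udp" and r["dport"] == "500":
            allowed["ike"].append(r["src"])
        elif r["proto"] in ("esp", "50"):      # iptables prints the name or number
            allowed["esp"].append(r["src"])
        elif r["proto"] in ("ah", "51"):
            allowed["ah"].append(r["src"])
    return allowed


def wide_open(allowed):
    """Components accepted from any source: the 'allowing everything through' case."""
    return sorted(name for name, srcs in allowed.items() if ANY_SOURCE in srcs)


def missing(allowed):
    """Components with no ACCEPT rule at all: the tunnel cannot come up."""
    return sorted(name for name, srcs in allowed.items() if not srcs)


if __name__ == "__main__":
    for label, text in (("peer-only", SAMPLE_RULES), ("loose", LOOSE_RULES)):
        allowed = ipsec_acceptance(text)
        print(label, allowed, "wide open:", wide_open(allowed), "missing:", missing(allowed))
```

On a live box the same functions can be fed the real listing with `subprocess.run(["iptables", "-S", "INPUT"], capture_output=True, text=True).stdout`; Shorewall puts its rules in its own chains, so the chain argument would need to be the one that actually handles traffic from the tunnel's zone rather than INPUT.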