Hi All,

I am new to Shorewall, and iptables in general, so please excuse any lameness. I am running Redhat 7.2, Kernel 2.4.9-13, Shorewall v1.21, and will provide config files upon request. I am primarily using www.sygatetech.com to test the firewall.

I have just installed Shorewall and have it more or less working properly, or at least securely, with the exception of a few unexplained inconsistencies.

I experienced a problem similar to Andy's where "dropping" AUTH/port-113 requests was slowing down my email delivery by as much as 30 seconds or so. As per the recommendation on this list I tried all of the following lines in my rules file:

    ACCEPT    net    fw    tcp    auth
    REJECT    net    fw    tcp    auth
    ACCEPT    net    fw    tcp    ident
    REJECT    net    fw    tcp    ident
    ACCEPT    net    fw    tcp    113
    REJECT    net    fw    tcp    113

When I do any of the above lines I get a change on port 80. Before adding these lines port 80 always showed up as being stealthed (dropped), but after adding either of these 2 lines port 80 becomes closed (rejected). I am not changing anything else other than the port 113/auth/ident line in the rules file. Why does changing port 113 also change port 80? How do I drop port 80 but reject port 113?

I am also wondering if anyone is aware of a good log parser that can handle the Shorewall entries in the messages log, preferably something with reverse DNS lookup and a color enhanced HTML output.

Thanks,
Mike
mike@kites.org

If I claim to be a wise man..... It surely means that I don't know........
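A small parser of the kind asked about above, added here as an example and not code from the thread or from the Shorewall project: it assumes the Shorewall 1.x log prefix "Shorewall:<chain>:<disposition>:" in front of the kernel's netfilter key=value fields, runs over constructed sample /var/log/messages lines, and emits a colour-coded HTML table with a reverse DNS name for each source (the resolver is injectable, so it also runs offline).

```python
import re
import socket
from collections import Counter
# Assumed Shorewall 1.x log prefix "Shorewall:<chain>:<disposition>:" followed by netfilter key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")
COLORS = {"DROP": "#f99", "REJECT": "#fd9", "ACCEPT": "#9f9"}  # row colour per disposition

# Constructed sample of /var/log/messages lines (RFC 5737 addresses), not a real capture.
SAMPLE_LOG = """\
Jan  6 11:04:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jan  6 11:04:02 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40001 DPT=113 SYN URGP=0
Jan  6 11:04:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Jan  6 11:04:04 fw sshd[1234]: Accepted publickey for mike from 198.51.100.20 port 51000 ssh2
"""

def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disp": m.group("disp")}
    fields.update((k.lower(), v) for k, v in KV_RE.findall(m.group("rest")))
    return fields

def reverse_dns(ip):
    """PTR lookup that falls back to the bare address when resolution fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return ip

def summarize(log_text, resolver=reverse_dns):
    """Count hits per (disposition, proto, dst port, source); resolve each source once."""
    hits, names = Counter(), {}
    for f in filter(None, map(parse_line, log_text.splitlines())):
        src = f.get("src", "?")
        hits[(f["disp"], f.get("proto", "?"), f.get("dpt", "-"), src)] += 1
        if src not in names:
            names[src] = resolver(src)
    return hits, names

def html_report(hits, names):
    """Colour-coded HTML table, busiest (disposition, port, source) first."""
    rows = ["<table><tr><th>Disposition</th><th>Proto</th><th>DPT</th><th>Source</th><th>Hits</th></tr>"]
    for (disp, proto, dpt, src), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append(f'<tr style="background:{COLORS.get(disp, "#ddd")}"><td>{disp}</td><td>{proto}</td>'
                    f"<td>{dpt}</td><td>{src} ({names[src]})</td><td>{n}</td></tr>")
    return "\n".join(rows + ["</table>"])
```

Run `print(html_report(*summarize(SAMPLE_LOG)))` to get the report; feed it the real file contents in place of SAMPLE_LOG.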
On Sunday 06 January 2002 11:04 am, Mike Petro wrote:

> Hi All,
>
> I am new to Shorewall, and iptables in general, so please excuse any
> lameness. I am running Redhat 7.2, Kernel 2.4.9-13, Shorewall v1.21, and
> will provide config files available upon request. I am primarily using
> www.sygatetech.com to test the firewall.
>
> I have just installed Shorewall and have it more or less working
> properly, or at least securely, with the exception of a few unexplained
> inconsistencies.
>
> I experienced a problem similar to Andy's where "dropping" AUTH/port-113
> requests was slowing down my email delivery by as much as 30 seconds or
> so. As per the recommendation on this list I tried all of the following
> lines in my rules file:
>
>     ACCEPT    net    fw    tcp    auth
>     REJECT    net    fw    tcp    auth
>     ACCEPT    net    fw    tcp    ident
>     REJECT    net    fw    tcp    ident
>     ACCEPT    net    fw    tcp    113
>     REJECT    net    fw    tcp    113
>
> When I do any of the above lines I get a change on port 80. Before
> adding these lines port 80 always showed up as being stealthed (dropped)
> but after adding either of these 2 lines port 80 becomes closed
> (rejected). I am not changing anything else other than the port
> 113/auth/ident line in the rules file. Why does changing port 113 also
> change port 80? How do I drop port 80 but reject port 113?

I suspect that it is a "feature" of sygatetech's scanning technique -- some of these services do things differently depending on what they get back from a port 113 scan/request.

What net->fw rules do you have in place?

-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
On Sunday 06 January 2002 11:20 am, I wrote:

> I suspect that it is a "feature" of sygatetech's scanning technique -- some
> of these services do things differently depending on what they get back
> from a port 113 scan/request.

If you would like me to scan your system with nmap, just send me the IP address.

-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4