Using Shorewall v1.2, and testing the firewall using scan.sygate.com, I am informed that several ports (web (80), ident (113) and DCE locator (135)) are 'closed' rather than 'blocked'.

All other ports show as blocked or 'stealthed'.

I haven't set up any rules or policies that have anything to do with 80, 113 or 135.

Is this normal shorewall behaviour or have I possibly mis-configured something?

By the way, I've been playing with a variety of Linux firewall tools for several years and Shorewall is by far the best working, best documented, best supported that I have seen. I can and will unreservedly recommend it anytime. Thanks to all of you who have developed or supported Shorewall - good job!

Roy Barkas
Australia
On Mon, 29 Apr 2002, Roy Barkas wrote:

> Using Shorewall v1.2, and testing the firewall using scan.sygate.com, I
> am informed that several ports (web (80), ident (113) and DCE locator
> (135)) are 'closed' rather than 'blocked'.
>
> All other ports show as blocked or 'stealthed'.
>
> I haven't set up any rules or policies that have anything to do with 80,
> 113 or 135.
>
> Is this normal shorewall behaviour or have I possibly mis-configured
> something?
>

I suspect that your ISP is blocking port 80 -- The default Shorewall rules file in the samples REJECTS port 113 and I recommend that you leave it that way to avoid problems connecting to some services. The common.def file rejects port 135.

> By the way, I've been playing with a variety of Linux firewall tools for
> several years and Shorewall is by far the best working, best documented,
> best supported that I have seen. I can and will unreservedly recommend
> it anytime. Thanks to all of you who have developed or supported
> Shorewall - good job!
>

Thanks!

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Paul Gear
2002-Apr-30 10:27 UTC
[Shorewall-devel] Re: [Shorewall-users] ports 'closed', not 'blocked'???
Tom Eastep wrote:

> ...
> The default Shorewall
> rules file in the samples REJECTS port 113 and I recommend that you leave
> it that way to avoid problems connecting to some services. The common.def
> file rejects port 135.

Tom, I think it would be worth documenting (somewhere) the reason that these services are rejected rather than dropped. These automated scanners routinely tell people that they should be dropping, not rejecting, so it would be nice to provide them with a reason.

Paul
http://paulgear.webhop.net
Tom Eastep
2002-Apr-30 14:04 UTC
[Shorewall-devel] Re: [Shorewall-users] ports 'closed', not 'blocked'???
On Tue, 30 Apr 2002, Paul Gear wrote:

> I think it would be worth documenting (somewhere) the reason that these
> services are rejected rather than dropped. These automated scanners
> routinely tell people that they should be dropping, not rejecting, so it
> would be nice to provide them with a reason.

I've added FAQs 16 and 17. 17 addresses your concern.

Thanks,
-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
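The 'closed' versus 'blocked' verdicts in Roy's scan, and the REJECT-versus-DROP question Paul raises, come down to what the probing client observes: a REJECT (like a port with no listener) answers with a TCP reset, so the client's connect() fails at once with ECONNREFUSED, whereas a DROP leaves the client hanging until its own timeout expires. That is why Shorewall rejects ident (113): mail and IRC servers that query ident before accepting a session would otherwise stall for the length of that timeout. The script below is an added example, not code from the thread or from Shorewall; it reproduces the scanner's classification and uses loopback-only demo functions (names are mine) so it runs without a network.

```python
import socket

# Constructed value for the demo: how long a scanner waits before calling
# a silent port "blocked" (real scanners use a few seconds as well).
PROBE_TIMEOUT = 2.0


def classify_probe(host: str, port: int, timeout: float = PROBE_TIMEOUT) -> str:
    """Probe one TCP port the way an online scanner does and name the result.

    "open"        - handshake completed (something is listening)
    "closed"      - TCP RST came back: iptables REJECT or no listener
    "blocked"     - nothing came back before the timeout: iptables DROP
    "unreachable" - the network itself reported an error
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:          # silence: the packet was dropped
            return "blocked"
        except ConnectionRefusedError:  # RST: the packet was rejected
            return "closed"
        except OSError:                 # e.g. no route to host
            return "unreachable"


def free_local_port() -> int:
    """Ask the kernel for an unused loopback port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_closed_port() -> str:
    """No listener on the port: the kernel answers with a RST -> "closed"."""
    return classify_probe("127.0.0.1", free_local_port())


def demo_open_port() -> str:
    """A listener on the port: the handshake completes -> "open"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return classify_probe("127.0.0.1", srv.getsockname()[1])


if __name__ == "__main__":
    print("no listener :", demo_closed_port())
    print("listener    :", demo_open_port())
```

Pointing classify_probe() at a host behind a DROP policy returns "blocked" only after PROBE_TIMEOUT, which is the delay an ident-querying mail server would suffer if port 113 were dropped instead of rejected.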