Shorewall devel - Apr 2002 - ports ''closed'', not ''blocked''???

Using Shorewall v1.2, and testing the firewall using scan.sygate.com, I
am informed that several ports (web (80), ident (113) and DCE locator
(135) are ''closed'' rather than ''blocked''.
 
All other ports show as blocked or ''stealthed''.
 
I haven''t set up any rules or policies that have anything to do with
80,
113 or 135. 
 
Is this normal shorewall behaviour or have I possibly mis-configured
something?
 
By the way, I''ve been playing with a variety of Linux firewall tools
for
several years and Shorewall is by far the best working, best documented,
best supported that I have seen.  I can and will unreservedly recommend
it anytime.  Thanks to all of you who have developed or supported
Shorewall - good job!
 
Roy Barkas
Australia

On Mon, 29 Apr 2002, Roy Barkas wrote:
> Using Shorewall v1.2, and testing the firewall using scan.sygate.com, I
> am informed that several ports (web (80), ident (113) and DCE locator
> (135) are ''closed'' rather than
''blocked''.
>  
> All other ports show as blocked or ''stealthed''.
>  
> I haven''t set up any rules or policies that have anything to do
with 80,
> 113 or 135. 
>  
> Is this normal shorewall behaviour or have I possibly mis-configured
> something?
>
I suspect that your ISP is blocking port 80 -- The default Shorewall 
rules file in the samples REJECTS port 113 and I recommend that you leave 
it that way to avoid problems connecting to some services. The common.def 
file rejects port 135.
  
> By the way, I''ve been playing with a variety of Linux firewall
tools for
> several years and Shorewall is by far the best working, best documented,
> best supported that I have seen.  I can and will unreservedly recommend
> it anytime.  Thanks to all of you who have developed or supported
> Shorewall - good job!
>  
Thanks!
-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom Eastep wrote:
> ...
> The default Shorewall
> rules file in the samples REJECTS port 113 and I recommend that you leave
> it that way to avoid problems connecting to some services. The common.def
> file rejects port 135.
Tom,

I think it would be worth documenting (somewhere) the reason that these
services are rejected rather than dropped.  These automated scanners
routinely tell people that they should be dropping, not rejecting, so it
would be nice to provide them with a reason.

Paul
http://paulgear.webhop.net

On Tue, 30 Apr 2002, Paul Gear wrote:
> I think it would be worth documenting (somewhere) the reason that these
> services are rejected rather than dropped.  These automated scanners
> routinely tell people that they should be dropping, not rejecting, so it
> would be nice to provide them with a reason.
I''ve added FAQs 16 and 17. 17 addresses your concern.

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net