I just started playing with shorewall and I hope to use it to set up a firewall VPN solution for a research lab I look after. What is port 135 and why is it open by default?
It's one of the Microsoft netbios ports and it's NOT open by default.

-Tom

----- Original Message -----
From: "Randy Millis" <randy.millis@shaw.ca>
To: <shorewall-users@shorewall.net>
Sent: Saturday, March 09, 2002 2:56 PM
Subject: [Shorewall-users] port 135?

> I just started playing with shorewall and I hope to use it to set up a
> firewall VPN solution for a research lab I look after. What is port 135 and
> why is it open by default?
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>
dgilleece
2002-Mar-10 15:59 UTC
[Shorewall-users] SNMP Rejected in all2all, Despite Rules?
Hi Tom,

I've hit a snag that could use a few of your brain cycles :) I have a system that is running 1.2.5 at a client site, and I'd like to upgrade it, but I can't get physically at the machine for another couple of weeks. So, for now, 1.2.5 it is. I don't know if the version matters for this particular behavior or not.

You may recall, this is the config you helped me build for a legally-addressed /25 subnet. It all works beautifully, other than my inability to get MRTG stats from the firewall. Here's the scenario:

                  ISP
                   |
                   |
            ______________
           209.98.33.123 eth0
          | SHOREWALL BOX    |
          |   Proxy ARP      |
           eth1 192.168.2.1
            ______________
                   |
                   |
                   |            Protected Subnet
       +-----+--------------+-----  209.98.33.0/25
             |
             |
             |
             |
       209.98.33.122
       Running MRTG
       (also has 209.98.33.125 outside firewall, running PopTop host)

The problem is SNMP packets getting rejected in the all2all chain, apparently as the replies try to exit (?) like so:

MRTG cfgmaker barfs (selected sampling):

    SNMPv1_Session (remote host: "209.98.33.123" [209.98.33.123].161)
    community: "public123"
    - -
    SNMPWALK Problem for 1.3.6.1.2.1.2.2.1.7 on public123@209.98.33.123
    --base: Walking ifOperStatus
    SNMP Error:
    no response received

Log shows:

    Mar 10 10:00:48 netgate kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.1 DST=209.98.33.122 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=161 DPT=1057 LEN=215

My rules are set up like so:

    ACCEPT    loc    fw     udp    snmp
    ACCEPT    fw     loc    udp    snmp

Policy: (default)

    #CLIENT    SERVER    POLICY    LOG LEVEL
    loc        loc       ACCEPT
    loc        net       ACCEPT
    net        all       DROP      info
    all        all       REJECT    info

Interfaces:

    #ZONE    INTERFACE    BROADCAST          OPTIONS
    net      eth0         255.255.255.128    norfc1918
    loc      eth1         255.255.255.128    routestopped

The curious thing: while the SNMP requests are directed at 209.98.33.123, the firewall gags on 192.168.2.1 --- the "dummy" interface that is allegedly transparent. Would it make a difference in this scenario to assign a real address to that interface (we have plenty to spare)?

Or is there something obvious I'm just "missing?"

Thanks, as always,
Dan
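
Added example, not part of the original post: a small Python parser for the Shorewall log line quoted in the message above, reporting what that line records (a locally generated UDP packet from port 161 whose source is 192.168.2.1 rather than the queried 209.98.33.123). The function names and the reply heuristic (source port equals the service port) are assumptions of this example.

```python
import re

# Log line copied from the post above.
LOG = ("Mar 10 10:00:48 netgate kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
       "SRC=192.168.2.1 DST=209.98.33.122 LEN=235 TOS=0x00 PREC=0x00 TTL=64 "
       "ID=0 DF PROTO=UDP SPT=161 DPT=1057 LEN=215")

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return chain, action and KEY=value fields of a Shorewall log line, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in FIELD.findall(line[m.end():]):
        rec.setdefault(key, val)  # LEN appears twice; keep the first (IP length)
    return rec


def analyse(rec, service_port, queried_addr):
    """Relate a logged packet to a service running on the firewall itself.

    service_port and queried_addr are supplied by the caller (assumed inputs):
    the port the service listens on and the address the client sent requests to.
    """
    port = str(service_port)
    return {
        # Empty IN= with OUT= set: the packet originated on the firewall host.
        "locally_generated": rec.get("IN") == "" and bool(rec.get("OUT")),
        # Heuristic: source port is the service port, destination is not.
        "is_reply": rec.get("SPT") == port and rec.get("DPT") != port,
        # The port column of a rule is a destination port; compare against DPT.
        "matches_dport_rule": rec.get("DPT") == port,
        # The reply leaves from a different address than the one queried.
        "source_differs": rec.get("SRC") != queried_addr,
    }


if __name__ == "__main__":
    record = parse(LOG)
    print(record["chain"], record["action"], record["SRC"], "->", record["DST"])
    for name, value in analyse(record, 161, "209.98.33.123").items():
        print(f"{name}: {value}")
```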