I just started playing with shorewall and I hope to use it to set up a firewall VPN solution for a research lab I look after. What is port 135 and why is it open by default?
It's one of the Microsoft netbios ports and it's NOT open by default.

-Tom

----- Original Message -----
From: "Randy Millis" <randy.millis@shaw.ca>
To: <shorewall-users@shorewall.net>
Sent: Saturday, March 09, 2002 2:56 PM
Subject: [Shorewall-users] port 135?

> I just started playing with shorewall and I hope to use it to set up a
> firewall VPN solution for a research lab I look after. What is port 135 and
> why is it open by default?
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
dgilleece
2002-Mar-10 15:59 UTC
[Shorewall-users] SNMP Rejected in all2all, Despite Rules?
Hi Tom,
I've hit a snag that could use a few of your brain cycles :)

I have a system that is running 1.2.5 at a client site, and I'd like to
upgrade it, but I can't get physically at the machine for another couple of
weeks. So, for now, 1.2.5 it is. I don't know if the version matters for
this particular behavior or not.

You may recall, this is the config you helped me build for a
legally-addressed /25 subnet. It all works beautifully, other than my
inability to get MRTG stats from the firewall. Here's the scenario:
                       ISP
                        |
                        |
                 ______________
                  209.98.33.123
                      eth0
                        |
            SHOREWALL BOX   Proxy ARP
                        |
                      eth1
                   192.168.2.1
                 ______________
                        |
                        |
                        |  Protected Subnet
      +-----+-----------+----- 209.98.33.0/25
      |     |
      |     |
  209.98.33.122
  Running MRTG
  (also has 209.98.33.125 outside firewall, running PopTop host)
The problem is SNMP packets getting rejected in the all2all chain,
apparently as the replies try to exit (?) like so:
MRTG cfgmaker barfs (selected sampling):
SNMPv1_Session (remote host: "209.98.33.123" [209.98.33.123].161)
community: "public123"
-
-
SNMPWALK Problem for 1.3.6.1.2.1.2.2.1.7 on public123@209.98.33.123
--base: Walking ifOperStatus
SNMP Error:
no response received
Log shows:
Mar 10 10:00:48 netgate kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
SRC=192.168.2.1 DST=209.98.33.122 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0
DF PROTO=UDP SPT=161 DPT=1057 LEN=215
My rules are setup like so:

ACCEPT   loc   fw    udp   snmp
ACCEPT   fw    loc   udp   snmp

Policy: (default)

#CLIENT   SERVER   POLICY   LOG LEVEL
loc       loc      ACCEPT
loc       net      ACCEPT
net       all      DROP     info
all       all      REJECT   info

Interfaces:

#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        255.255.255.128   norfc1918
loc     eth1        255.255.255.128   routestopped
The curious thing: while the SNMP requests are directed at 209.98.33.123,
the firewall gags on 192.168.2.1 --- the "dummy" interface that is allegedly
transparent. Would it make a difference in this scenario to assign a real
address to that interface (we have plenty to spare)? Or is there something
obvious I'm just "missing?"
Thanks, as always,
Dan
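As an added diagnostic aid (editor's example, not code from the thread or from Shorewall): a short Python script that parses the rejected log line above and replays it against Dan's rules and policies. It shows that the rule `ACCEPT fw loc udp snmp` keys on destination port 161, while the logged reply has SPT=161 and DPT=1057, so it falls through to the `all all REJECT` policy. The zone lookup from IN/OUT interfaces is a simplified assumption, not Shorewall's real zone logic.

```python
import re

# Constructed copy of the rejected reply quoted in the post (the three log lines joined).
LOG_LINE = (
    "Mar 10 10:00:48 netgate kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
    "SRC=192.168.2.1 DST=209.98.33.122 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 "
    "DF PROTO=UDP SPT=161 DPT=1057 LEN=215"
)

# The poster's interface, rule and policy tables, transcribed as data.
# Assumption: an empty IN or OUT interface means the firewall ("fw") itself.
IFACE_ZONE = {"eth0": "net", "eth1": "loc"}
SERVICES = {"snmp": 161}
RULES = [("ACCEPT", "loc", "fw", "udp", "snmp"),
         ("ACCEPT", "fw", "loc", "udp", "snmp")]
POLICIES = [("loc", "loc", "ACCEPT"), ("loc", "net", "ACCEPT"),
            ("net", "all", "DROP"), ("all", "all", "REJECT")]

def parse_shorewall_log(line):
    """Split a Shorewall kernel log line into chain/action plus KEY=VALUE fields.
    Bare flags (DF) are dropped; a repeated key (LEN) keeps its last value."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    fields.update(chain=m["chain"], action=m["action"])
    return fields

def zones(pkt):
    """Source/destination zone derived from the IN/OUT interfaces (simplified)."""
    src = IFACE_ZONE[pkt["IN"]] if pkt["IN"] else "fw"
    dst = IFACE_ZONE[pkt["OUT"]] if pkt["OUT"] else "fw"
    return src, dst

def evaluate(pkt):
    """Return (action, reason): first matching rule, else first matching policy.
    Rules are keyed on the *destination* port, as in the poster's rules file."""
    src, dst = zones(pkt)
    proto, dport = pkt["PROTO"].lower(), int(pkt["DPT"])
    for action, rsrc, rdst, rproto, port in RULES:
        if (rsrc, rdst, rproto) == (src, dst, proto) and SERVICES.get(port, port) == dport:
            return action, f"rule {rsrc}->{rdst} {rproto} {port}"
    for psrc, pdst, action in POLICIES:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action, f"policy {psrc} {pdst}"
    return "DROP", "no policy matched"  # defensive default; Shorewall never gets here

if __name__ == "__main__":
    pkt = parse_shorewall_log(LOG_LINE)
    print(zones(pkt), evaluate(pkt))  # ('fw', 'loc') ('REJECT', 'policy all all')
    # The request this reply answers: loc -> fw with DPT=161, accepted by the first rule.
    request = dict(IN="eth1", OUT="", PROTO="UDP", SPT="1057", DPT="161")
    print(evaluate(request))          # ('ACCEPT', 'rule loc->fw udp snmp')
```

Because the reply leaves from 192.168.2.1 rather than 209.98.33.123, the address the request was sent to, it does not match the tracked request flow and is evaluated as a fresh fw-to-loc packet; the script reproduces only the rule and policy lookup that then applies.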