Shorewall users - Jan 2003 - Shorewall and NIS, Why Reject...

The reason these are rejected and not dropped are that many programs use 
Ident as a way to validate the client. If the host gets no reply (even a 
reject) it will hang waiting. This is the reason you see people complain 
about slow POP access or FTP lag., etc. Oh yea, don''t try and go near
IRC
without Ident....

Wayne

> Hi John,
> 
> Recently I requested much the same info.
> 
> Perhaps this will help.
> 
> Cheers.
> 
> **********************************************************************
> I have shorewall up and running on my system. (GNU-Linux Mandrake 9)
> 
> When I tested my firewall at grc.com, Shields-Up informs me that ports
>  113 and 135 are closed and not ''stealthed''
> 
> When reading the faq on the Shorewall site I saw that shorewall rejects
> rather than denys connection requests on ''TCP ports 113, 135, 137
and
> 139 as well as UDP ports 137-139''.
> 
> The file /etc/shorewall/common.def advises me not to edit the file but
> rather to create a new one.
> 
> Can anyone give me an idea on how to do this so that the above ports
> deny request attempts.
> 
> I guess this must be a fairly common question on the list, but a search
> yielded nothing at the mailing list archive.
> 
> Thanks for any help.
> 
> Mark Cheney.
> *********************************************************************
> Reply from Vincent Bernat:
> 
> You mean "drop" ? Depending of your policy, I think an empty file
will
> just do the trick.
> *********************************************************************
> Reply from Tom Eastep:
> 
> a) create the new /etc/shorewall/common file.
> b) copy the relevant rules from common.def to common
> c) change the target in the rules from ''reject'' to DROP
> d) make the last line in the file ". /etc/shorewall/common.def"
> 
> Make a note to yourself to not come whining to the list when you
can''t
> connect to many FTP sites.
> **********************************************************************
> 
> So far I''ve had no connection troubles, and all ports appear to be
> ''stealthed''.
> 
> Good Luck.
> 
> Mark Cheney.



()  Join the ASCII ribbon campaign against HTML email 
/\ and Microsoft specific attachments. If I wanted to read HTML, 
    I would have visited your website! Support open standards.