admin@kiteflyer.com
2003-Jan-08 07:46 UTC
[Shorewall-users] Shorewall and NIS, Why Reject...
The reason these are rejected and not dropped is that many programs use Ident as a way to validate the client. If the host gets no reply (even a reject) it will hang waiting. This is the reason you see people complain about slow POP access or FTP lag, etc. Oh yeah, don't try and go near IRC without Ident....

Wayne

> Hi John,
>
> Recently I requested much the same info.
>
> Perhaps this will help.
>
> Cheers.
>
> **********************************************************************
> I have shorewall up and running on my system. (GNU-Linux Mandrake 9)
>
> When I tested my firewall at grc.com, Shields-Up informs me that ports
> 113 and 135 are closed and not 'stealthed'
>
> When reading the faq on the Shorewall site I saw that shorewall rejects
> rather than denies connection requests on 'TCP ports 113, 135, 137 and
> 139 as well as UDP ports 137-139'.
>
> The file /etc/shorewall/common.def advises me not to edit the file but
> rather to create a new one.
>
> Can anyone give me an idea on how to do this so that the above ports
> deny request attempts.
>
> I guess this must be a fairly common question on the list, but a search
> yielded nothing at the mailing list archive.
>
> Thanks for any help.
>
> Mark Cheney.
> *********************************************************************
> Reply from Vincent Bernat:
>
> You mean "drop"? Depending on your policy, I think an empty file will
> just do the trick.
> *********************************************************************
> Reply from Tom Eastep:
>
> a) create the new /etc/shorewall/common file.
> b) copy the relevant rules from common.def to common
> c) change the target in the rules from 'reject' to DROP
> d) make the last line in the file ". /etc/shorewall/common.def"
>
> Make a note to yourself to not come whining to the list when you can't
> connect to many FTP sites.
> **********************************************************************
>
> So far I've had no connection troubles, and all ports appear to be
> 'stealthed'.
>
> Good Luck.
>
> Mark Cheney.

()  Join the ASCII ribbon campaign against HTML email
/\  and Microsoft specific attachments.
If I wanted to read HTML, I would have visited your website!
Support open standards.
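The four steps quoted from Tom Eastep's reply, carried out by a script, as an added example that is not part of the thread and not Shorewall's own code. It works on a constructed stand-in for the relevant part of common.def (the run_iptables ... -j reject rule syntax is an assumption about the 1.x-era file, so check it against the real file before use), copies only the ident and NetBIOS reject rules into a new common file, rewrites their target to DROP, and ends the file with the line that sources common.def so the remaining rules are kept. Because iptables evaluates a chain top to bottom, the DROP rules written first win over the reject rules that common.def appends afterwards.

```shell
#!/bin/sh
# Added example: build a Shorewall-style /etc/shorewall/common override that
# drops instead of rejects the ident/NetBIOS ports named in the thread.
# The rule format below is a constructed approximation, not the real common.def.

# write_sample_common_def FILE
# Constructed sample of the part of common.def we care about (assumption).
write_sample_common_def() {
    cat > "$1" <<'EOF'
#
# Reject ident and NetBIOS probes rather than dropping them
#
run_iptables -A common -p tcp --dport 113 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p tcp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
#
# Unrelated rule that must stay out of the override
#
run_iptables -A common -p tcp --dport 21 -j ACCEPT
EOF
}

# build_common_override DEF OUT
#   a) OUT is the new "common" file (write to a scratch path, then install it)
#   b) copy only the reject rules for TCP 113, 135, 137-139 and UDP 137-139
#   c) change their target from "reject" to DROP
#   d) make the last line source common.def so nothing else is lost
build_common_override() {
    def=$1
    out=$2
    {
        echo '# Local override of common.def: DROP instead of reject (generated)'
        grep -E -- '--dport (113|135|137:139) .*-j reject$' "$def" \
            | sed 's/-j reject$/-j DROP/'
        echo '. /etc/shorewall/common.def'
    } > "$out"
}

# count_rules_with_target FILE TARGET
# Number of rules in FILE whose jump target is TARGET (0 when none).
count_rules_with_target() {
    grep -c -- "-j $2\$" "$1" || true
}

# Demo in a temporary directory; never touches /etc/shorewall itself.
demo_dir=$(mktemp -d)
write_sample_common_def "$demo_dir/common.def"
build_common_override "$demo_dir/common.def" "$demo_dir/common"
echo "Generated $demo_dir/common:"
cat "$demo_dir/common"
echo "DROP rules: $(count_rules_with_target "$demo_dir/common" DROP)"
rm -rf "$demo_dir"
```

To install the result, copy the generated file to /etc/shorewall/common and restart Shorewall; the last line, as step d) requires, is the one that sources common.def.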