I made the following adjustments to /etc/shorewall/common.def (1.3.13 with all relevant patches).

############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command ". /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 135 -j DROP
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j DROP

Using this file, connection attempts to port 113/135 should be dropped. Checking the output of iptables -L common also tells me connection attempts should be dropped.

However, when I portscan the internal interface of our router/firewall, nmap still lists these ports as filtered.

Is this correct??

Ad Koster
lidad@zeelandnet.nl
--On Monday, February 24, 2003 08:12:23 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> I made the following adjustments to /etc/shorewall/common.def
==========================================================
> (1.3.13 with all relevant patches).
>
>############################################################################
># Shorewall 1.3 -- /etc/shorewall/common.def
>#
># This file defines the rules that are applied before a policy of
># DROP or REJECT is applied. In addition to the rules defined in this file,
># the firewall will also define a DROP rule for each subnet broadcast
># address defined in /etc/shorewall/interfaces (including "detect").
>#
># Do not modify this file
=======================

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
--On Monday, February 24, 2003 08:12:23 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> I made the following adjustments to /etc/shorewall/common.def (1.3.13
> with all relevant patches).
>
>############################################################################
># Shorewall 1.3 -- /etc/shorewall/common.def
>#
># This file defines the rules that are applied before a policy of
># DROP or REJECT is applied. In addition to the rules defined in this file,
># the firewall will also define a DROP rule for each subnet broadcast
># address defined in /etc/shorewall/interfaces (including "detect").
>#
># Do not modify this file -- if you wish to change these rules, create
># /etc/shorewall/common to replace it. It is suggested that you include
># the command ". /etc/shorewall/common.def" in your
># /etc/shorewall/common file so that you will continue to get the
># advantage of new releases of this file.
>#
> run_iptables -A common -p icmp -j icmpdef
>############################################################################
># Drop invalid state TCP packets
>#
> run_iptables -A common -m state -p tcp --state INVALID -j DROP
>############################################################################
># NETBIOS chatter
>#
> run_iptables -A common -p udp --dport 137:139 -j DROP
> run_iptables -A common -p udp --dport 445 -j DROP
> run_iptables -A common -p tcp --dport 135 -j DROP
>############################################################################
># UPnP
>#
> run_iptables -A common -p udp --dport 1900 -j DROP
>############################################################################
># BROADCASTS
>#
> run_iptables -A common -d 255.255.255.255 -j DROP
> run_iptables -A common -d 224.0.0.0/4 -j DROP
>############################################################################
># AUTH -- Silently reject it so that connections don't get delayed.
>#
> run_iptables -A common -p tcp --dport 113 -j DROP
>
> Using this file, connection attempts to port 113/135 should be dropped.
> Checking the output of iptables -L common also tells me connection
> attempts should be dropped.
>
> However, when I portscan the internal interface of our router/firewall,
> nmap still lists these ports as filtered.
>
> Is this correct??

Aside from the fact that you are modifying a file that is not supposed to be modified (as I pointed out in my previous post): What is the loc->fw policy? Do you have any loc->fw or loc->all rules for TCP ports 135 and 113?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
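An added example (not code from the thread or from Shorewall itself) that models the lookup order the common.def header describes, to show why a DROP in the common chain shows up as "filtered" in a SYN scan and why that chain is never consulted when the loc->fw policy is ACCEPT or an explicit rule matches first. The Rule class, the scan-state mapping and treating REJECT as a TCP RST are assumptions of this model.

```python
from dataclasses import dataclass

# Constructed from the common.def quoted in the thread: (proto, first, last).
COMMON_DROPS = [("udp", 137, 139), ("udp", 445, 445), ("tcp", 135, 135),
                ("udp", 1900, 1900), ("tcp", 113, 113)]


@dataclass
class Rule:
    """One hypothetical /etc/shorewall/rules entry for loc->fw (simplified)."""
    action: str   # "ACCEPT", "DROP" or "REJECT"
    proto: str
    port: int


def verdict(policy, rules, proto, port):
    """Verdict for a new loc->fw connection under the simplified order the
    common.def header states: explicit rules first; the common chain only
    when the policy is DROP or REJECT; otherwise the policy itself."""
    for r in rules:
        if r.proto == proto and r.port == port:
            return r.action
    if policy in ("DROP", "REJECT"):
        for p, lo, hi in COMMON_DROPS:
            if p == proto and lo <= port <= hi:
                return "DROP"          # hit in the common chain
    return policy


def syn_scan_state(verdict_, listening):
    """What a SYN scan reports for a TCP port given the firewall verdict.
    Assumed scanner semantics: no reply -> "filtered", SYN/ACK -> "open",
    RST -> "closed" (REJECT is modelled here as answering with a TCP RST)."""
    if verdict_ == "DROP":
        return "filtered"
    if verdict_ == "REJECT":
        return "closed"
    return "open" if listening else "closed"


def explain(policy, rules, port, listening=False):
    """Return (verdict, scanner state) for a TCP port from the loc zone."""
    v = verdict(policy, rules, "tcp", port)
    return v, syn_scan_state(v, listening)


if __name__ == "__main__":
    # Policy DROP, no rules: common chain drops 135, scanner says "filtered".
    print(explain("DROP", [], 135))
    # Policy ACCEPT: the common chain is never consulted for this zone pair.
    print(explain("ACCEPT", [], 135))
    # An explicit loc->fw ACCEPT rule wins over the common chain.
    print(explain("DROP", [Rule("ACCEPT", "tcp", 135)], 135, listening=True))
```

The first case is exactly what the original post reports: a DROP gives no reply, so the scanner reports "filtered"; the other two show why Tom's questions about the loc->fw policy and rules decide whether the common chain is reached at all.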