Hi,
I am using the latest shorewall on Debian.

Without shorewall installed my netbios/smb ports work fine; after installing Shorewall I can't have access.
By remotely scanning the netbios/smb ports I get:

135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

I have no rules set for those ports, and the policy allows any traffic.

Then in the action.Drop file I added a comment: #DropSMB

and in action.Reject I added a comment: #RejectSMB

I restarted shorewall, but I still have those ports filtered.

Is it possible to have NO filtering on those ports?
Thanks
On Mon, 2004-05-31 at 06:30, Salvatore wrote:
> Hi,
> I am using the latest shorewall on Debian.
>
> Without shorewall installed my netbios/smb ports work fine; after installing Shorewall I can't have access.
> By remotely scanning the netbios/smb ports I get:
>
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 445/tcp filtered microsoft-ds
>
> I have no rules set for those ports, and the policy allows any traffic.
>
> Then in the action.Drop file I added a comment: #DropSMB
>
> and in action.Reject I added a comment: #RejectSMB
>
> I restarted shorewall, but I still have those ports filtered.
>
> Is it possible to have NO filtering on those ports?

Try scanning after running "shorewall clear"; if you get the same response then it is most likely your ISP or something else in the middle that is blocking it, and not the shorewall configuration.

> Thanks

/psh
On Mon, 2004-05-31 at 12:30 +0200, Salvatore wrote:
> Hi,
> I am using the latest shorewall on Debian.
>
> Without shorewall installed my netbios/smb ports work fine; after installing Shorewall I can't have access.
> By remotely scanning the netbios/smb ports I get:
>
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 445/tcp filtered microsoft-ds
>
> I have no rules set for those ports, and the policy allows any traffic.
>
> Then in the action.Drop file I added a comment: #DropSMB
>
> and in action.Reject I added a comment: #RejectSMB
>
> I restarted shorewall, but I still have those ports filtered.
>
> Is it possible to have NO filtering on those ports?

You need to redefine the standard policies for Drop and/or Reject. See the info about extension scripts at http://shorewall.net/shorewall_extension_scripts.htm which talks about it in more detail.

The short of it is that the actions.std file (/usr/share/shorewall) defines the standard policy for Drop and Reject (Drop:DROP, Reject:REJECT). Those policies drop such log-cluttering stuff as SMB, broadcasts, UPnP, etc. If you create your own policy (in /etc/shorewall/actions.MyDrop for example) and add MyDrop:DROP to your /etc/shorewall/actions, you can override this default behavior.

What you REALLY want to do is to just add a:

AllowSMB loc dmz

type of rule to pass SMB traffic. This is a much better approach and protects you from yourself.

--
David T Hollis <dhollis@davehollis.com>
Salvatore wrote:
> I have no rules set for those ports, and the policy allows any traffic.
>
> Then in the action.Drop file I added a comment: #DropSMB
>
> and in action.Reject I added a comment: #RejectSMB
>
> I restarted shorewall, but I still have those ports filtered.
>
> Is it possible to have NO filtering on those ports?

If your policy is ACCEPT and you have no rules then Shorewall isn't configuring anything for those ports. Again, you are completely misunderstanding what Drop and Reject do -- see my previous post.

Possibly you should try to understand what your port scanner means when it says 'filtered' -- I suspect that if you "shorewall clear" (which will result in absolutely no firewalling rules whatsoever), you will see the same result.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
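One way to carry out the check Philip and Tom describe (scan the host once with Shorewall running and once after `shorewall clear`, then see which 'filtered' ports stay filtered) and attribute each filtered port to the local firewall or to something upstream. This is an added example, not code from the thread or from the Shorewall project; the nmap-style listings it parses are constructed samples, and the script only compares scan output, it does not run the scanner or Shorewall itself.

```python
import re

# nmap port lines look like "139/tcp filtered netbios-ssn".
_PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_scan(text):
    """Return {(port, proto): state} for every port line in the scan output."""
    ports = {}
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports

def attribute_filtering(with_firewall, after_clear):
    """For each port 'filtered' while Shorewall ran, report who filters it:
    'upstream' = still filtered after `shorewall clear` (ISP or another hop),
    'local' = reachable once rules are cleared, 'unknown' = not rescanned."""
    verdict = {}
    for key, state in with_firewall.items():
        if state != "filtered":
            continue
        cleared = after_clear.get(key)
        if cleared is None:
            verdict[key] = "unknown"
        elif cleared == "filtered":
            verdict[key] = "upstream"
        else:
            verdict[key] = "local"
    return verdict

# Constructed sample output: the first listing mirrors the thread, the second
# shows what a rescan after `shorewall clear` would look like if only 139 were
# blocked locally and the rest upstream.
SCAN_WITH_SHOREWALL = """\
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
22/tcp  open     ssh
"""
SCAN_AFTER_CLEAR = """\
135/tcp filtered msrpc
139/tcp open     netbios-ssn
445/tcp filtered microsoft-ds
22/tcp  open     ssh
"""

if __name__ == "__main__":
    who = attribute_filtering(parse_scan(SCAN_WITH_SHOREWALL), parse_scan(SCAN_AFTER_CLEAR))
    for (port, proto), source in sorted(who.items()):
        print(f"{port}/{proto}: filtered {source}")
```

A port reported as 'upstream' cannot be fixed by editing action.Drop or action.Reject, which is the point Tom and Philip make.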
Salvatore wrote:
> Hi,
> I am using the latest shorewall on Debian.
>
> Without shorewall installed my netbios/smb ports work fine; after installing Shorewall I can't have access.
> By remotely scanning the netbios/smb ports I get:
>
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 445/tcp filtered microsoft-ds
>
> I have no rules set for those ports, and the policy allows any traffic.
>
> Then in the action.Drop file I added a comment: #DropSMB
>
> and in action.Reject I added a comment: #RejectSMB
>
> I restarted shorewall, but I still have those ports filtered.
>
> Is it possible to have NO filtering on those ports?

Salvatore,

As Philip stated earlier, it is probable that your Internet provider is blocking those ports at their own border, since they serve their real purpose on a LAN, not the Internet. VPN is the obvious solution from the outside, so there is no sense, even for an Internet provider, in allowing them through, since many customers are home users who hardly even know how to block these specific ports. A fact being the really nasty worms that have been used to pass through those unprotected ports and devastated corporate networks this last year.

A common port which is blocked by many ISPs is the www port 80, since home users are usually not allowed to set up their own web servers; they have to sign up for a separate account which is reserved for commercial services, on a separate subnet within the domain.

--
Patrick Benson
Stockholm, Sweden