Shorewall users - Dec 2005 - why is upnp/udp in state open|filtered?

Hello list,

i have justed scanned my routers udp ports from within my lan

client nmap # nmap -sU -sV -n -p 1-65535 router

Starting nmap 3.93 at 2005-11-30 14:21 CET
Interesting ports on 192.168.75.1:
(The 65533 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE VERSION
123/udp  open          ntp?
1900/udp open|filtered UPnP

MAC Address: XX:XX:XX:XX:XX:XX (3com)
Nmap finished: 1 IP address (1 host up) scanned in 65039.275 seconds

I don''t unterstand why port 1900/udp is in state open|filtered. 

"netstat -aunlp" doesn''t show up any process listing on
1900/udp nor
does "lsof -i". there is a ntpd running thats why port 123/udp is
open.
If I explecitly reject port 1900 udp its in state closed (!).

My policy looks like this.

user@router ~ $ sudo grep -v ''#'' /etc/shorewall/policy
lan             inet            ACCEPT
lan             fw              REJECT          info
inet            all             DROP            info
all             all             REJECT          info 

can someone enlight this to me? I havent found anything within the
documentation or the faq. Thx.

-- 
/sp4rc



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

On Thursday 01 December 2005 05:01, sp4rc wrote:
>
> can someone enlight this to me? I havent found anything within the
> documentation or the faq. Thx.
You certainly have a lot more free time than the rest of us do if you are 
scanning your firewall from the inside and asking on the list about what you 
see.

I suggest that you search the Shorewall site for "common action" --
use the
Google search form at the top of the home page.

Once you understand what common actions are, then look 
at /usr/share/shorwall/action.Reject (which is the common action for the 
REJECT policy -- see /usr/share/shorewall/actions.std). Your lan->fw policy 
is REJECT according to your post so the Reject action is invoked before 
packets from lan->fw are rejected.

In /usr/share/shorwall/action.Reject you will find the following line:

DropUPnP

If you look at /usr/share/shorwall/action.DropUPnP, you will see that DropUPnP 
ignores UDP port 1900.

Now read Shorewall FAQ 4a to learn why nmap whines about firewalls that drop 
UDP packets rather than rejecting them with an ICMP "Port Unreachable"
response. I drop UPnP packets rather than rejecting them because Windoze 
systems are so damned persistant at sending them; dropping them slows down 
the flood...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key