similar to: Fwd: Re: strange UDP scan results on a Shorewall firewall

Hi, When I run an nmap with UDP port scan option against one of the machines behind the shorewall, it shows tons of open ports on that server. I am sure I just missed something in the configuration. Can anyone suggest. Val _________________________________________________________________ Join the world’s largest e-mail service with MSN Hotmail. http://www.hotmail.com

----- Original Message ----- From: "Tom Eastep" <teastep@shorewall.net> To: "Gary Gale" <gary@vicchi.org> Sent: Monday, March 11, 2002 11:48 AM Subject: Re: [Shorewall-users] Firewall and Port Forward Clash? > Gary, > > ----- Original Message ----- > From: "Gary Gale" <gary@vicchi.org> > To: "Shorewall Users List"

This is becoming a FAQ and should probably be added to the docs. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message ---------- Date: Sun, 28 Apr 2002 16:09:01 -0700 (Pacific Daylight Time) From: Tom Eastep <teastep@shorewall.net> To: Carl Spelkens

I'm using Asterisk to registry several DDI's to a sip proxy (pipecall.com). Everything works fine apart from several times a day my firewall (zywall70) reports a UDP port scan attack from the pipecall sip proxy. I can't seem to work out why this should be. All I could think was that the sip registry was expiring and causing some strange probing from the proxy, is it possible to alter

I am running a firewall/gateway box. 2 nics, eth0 on a dsl dhcp eth1 on 192.168.1.1 I amtrying to setup a backup MX server so i need to open up 25,110 ( pop imap smtp) /etc/shorewall/rules # Let the friggin smtp postfix work # ACCEPT net fw tcp 110 ACCEPT fw net tcp 110 ACCEPT net fw

Shorewall 1.3.9 is available. In this release: 1. DNS Names are now allowed in Shorewall config files (I still recommend against using them however). 2. The connection SOURCE may now be qualified by both interface and IP address in a Shorewall rule. 3. Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. 4. The

Greetings, I am running into *possible* Samba/Firewall issues. Our Samba v3.0.11 server is also running iptables. In our log.nmbd file we have noticed the following: [2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313) Error connecting to 130.xx.xx.xx (Connection refused) [2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790) Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation

I have purchased a license for Vexira MailArmor (an antivirus product) and the good news is that it is installed and working at shorewall.net. The bad news is that I have yet to get Vexira running together with SpamAssassin :-( As things currently stand, list posts will be protected from viruses but may contain Spam. I''ll continue to work to correct this situation. -Tom -- Tom Eastep

Let me know if there are any problems. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Hi, this puzzles me: On one of our developer workstations, all ports with the exception of SSH are closed: $ firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: eno1 sources: services: ssh dhcpv6-client ports: 22/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: $ but still port

The ''firewall'' and ''functions'' file in CVS together produce a 30%+ speedup of ''shorewall restart'' on my firewall when compared to 1.3.11a. Please test with these files -- I don''t anticipate making any more performance changes for 1.3.12 and I want to be sure that I didn''t break anything. -Tom -- Tom Eastep \ Shorewall

The 1.2 firewall contains messy logic to support the old sample configurations in that any rule that contains "none" in any of its columns is ignored. I''m considering removing that messiness in 1.3 and seek the opinion of the list. Thanks, -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

I have implemented the ability to specify ''all'' in the SOURCE and DESTINATION columns of the rules file and I''m not sure I like the result. The code is in CVS if any of you are interested in giving it a try. If you do try it, please let me know what you think. If you specify ''all'' in those columns it must not be qualified (may not be followed by

Rafa³ Dutko has just discovered a potentially serious bug in version 1.3.0 and 1.3.1. In both versions, where an interface option appears on multiple interfaces, the option may only be applied to the first interface on which it appears. A corrected firewall script for 1.3.1 is available at: http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall and

Seems like this in 83986 [1] needs a fix in Lapack.c: if (dladdr((void *) F77_NAME(ilaver), &dl_info)) { char buf[PATH_MAX+1]; char *res = realpath(dl_info.dli_fname, buf); if (res) { SEXP nfo = R_NilValue; if (strstr(res, "flexiblas")) nfo = R_flexiblas_info(); if

In this release: 1. The ''try'' command now accepts an optional timeout. If the timeout is given in the command, the standard configuration will automatically be restarted after the new configuration has been running for that length of time. This prevents a remote admin from being locked out of the firewall in the case where the new configuration starts but prevents

There is now a link from the Shorewall home page to the CVS repository. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.2.4 will have the following changes: a) ''#'' comments now allowed at end-of-line in all config files. b) Firewall zone may be renamed c) Protection against concurrent state-changing operations (start, stop, restart, refresh, clear) d) ''shorewall start'' no longer fails if ''detect'' is specified for an interface with netmask

Apt-get sources are listed at: http://wecurity.dsi.unimi.it/~lorenzo/debian.html -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Shorewall 1.3.4 is available: 1. A new /etc/shorewall/routestopped file has been added. This file is intended to eventually replace the routestopped option in the /etc/shorewall/interface and /etc/ shorewall/hosts files. This new file makes remote firewall administration easier by allowing any IP or subnet to be enabled while Shorewall is stopped. 2. An /etc/shorewall/stopped