Hi Ray
Thanks for your answer. What I was wondering about was why a
masqueraded connection showed up, but thinking about it later I came
to the following conclusion.
What I messed up was that:
the masqueraded connection that shows up tells us nothing about whether
this connection is really established. So the connection stays in a
"waiting for connection" state and is visible. If the connection fails
(due to the rule on the outer interface) it will time out and doesn't
show up anymore.
> Eric -
>
> I'm not used to reading Weblet output, but if I read this right, it
> may look odd but actually is all 3 chains doing what they are supposed to.
>
> Step 1 -- input chain. The rule you mark there is:
>
> > 0 0 REJECT udp ------ ppp0 0/0 0/0 * -> 137
>
> Well, this will REJECT off-LAN replies that come on interface ppp0, but it
> won't affect packets that originate on the internal interface (eth0, I
> suppose). As you say later ...
>
Right.
> >I added a rule on the internal interface blocking port 137 with
> >logging and got several hundred hits a day.
>
> .. and prior to your doing this, they would encounter (eventually) an ACCEPT
> rule or policy. So that gets the packets past the input chain.
>
Right again.
> Step 2 -- forward chain. The relevant rule there is
>
> >25576 1765K MASQ all ------ ppp0 192.168.1.0/24 0/0 n/a
>
> and that causes the packets from your Win98 host's port 137 to be MASQ'd, as
> you report.
>
Yes, I just didn't realise that they were shown. But they exist
until here ;)
> Step 3 -- output chain. This catches the MASQ'd packets based on their
> destination.
>
> > 12 936 REJECT udp ------ ppp0 0/0 0/0 * -> 137
>
Right again.
> So everything works as it should.
>
> (It also illustrates why I normally write firewall rulesets in which all the
> "protective" portions are in the input chain, but that's just me and my
> preferences.)
Just realised that the box has to be protected on the "safe" side
also ;)
>
> At 10:43 PM 3/2/01 +0100, Eric Wolzak wrote:
> >Hello all
> >
> >I posted this question on the lrp list but no one did reply :(
> >
> >I do think that it is important though.
> >
> >I have an Eigerstein router / variant Kenneth Hadley - DSL dynamic
> >address.
> >
> >On the router I found this masqueraded connection caused by a
> >Windows 95 machine 192.168.1.2 obviously doing "Windows stuff ;)".
> >
> >udp 1:26.02 192.168.1.2 50.171.209.212 137 -> 137 (62523)
> >
Thanks again and have a nice weekend
Eric Wolzak
_______________________________________________
Leaf-devel mailing list
http://lists.sourceforge.net/lists/listinfo/leaf-devel
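Added illustration (not part of the thread, and not code from LEAF/Eigerstein or from either poster): a small Python model of the ipchains input -> forward -> output walk that Ray describes, applied to the NetBIOS packet from the thread. The LAN 192.168.1.0/24, the host 192.168.1.2, the ppp0 interface and UDP port 137 are taken from the quoted rules; the eth0 name, the default ACCEPT policy, the public address 203.0.113.7 and the masquerade port numbering are assumptions chosen for the example. It shows why a masquerade entry becomes visible even though the packet never leaves: the forward chain creates the entry before the output chain rejects the packet.

```python
# Added example: model of ipchains (Linux 2.2) chain traversal for a LAN host
# sending UDP/137 out through a masquerading router.  Interface names other
# than ppp0, the ACCEPT policy and the public IP are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.7"     # constructed placeholder for the dynamic DSL address
MASQ_PORT_BASE = 61000        # first port the kernel masquerade code hands out

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    in_iface: Optional[str] = None    # interface it arrived on (input chain)
    out_iface: Optional[str] = None   # interface it leaves on (forward/output chains)

@dataclass
class Rule:
    target: str                       # ACCEPT / REJECT / MASQ
    iface: Optional[str] = None       # ipchains -i: incoming for input, outgoing otherwise
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet, iface: Optional[str]) -> bool:
        if self.iface is not None and self.iface != iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

# Mirrors the three chains quoted in the thread: UDP/137 is rejected on ppp0
# in input and output; forward masquerades everything from the LAN via ppp0.
CHAINS = {
    "input":   [Rule("REJECT", iface="ppp0", proto="udp", dport=137)],
    "forward": [Rule("MASQ",   iface="ppp0", src="192.168.1.0/24")],
    "output":  [Rule("REJECT", iface="ppp0", proto="udp", dport=137)],
}
POLICY = "ACCEPT"   # assumed default policy of all three chains

def walk_chain(name: str, pkt: Packet, iface: Optional[str]) -> str:
    """First matching target in the chain, else the default policy."""
    for rule in CHAINS[name]:
        if rule.matches(pkt, iface):
            return rule.target
    return POLICY

def trace(pkt: Packet, masq_table: List[Tuple]) -> List[Tuple[str, str]]:
    """Walk input, forward, output and return [(chain, verdict), ...].

    A MASQ verdict in forward records an entry in masq_table and rewrites the
    source before the output chain runs, so the entry exists (and would show
    up in the masquerade listing) even when output then rejects the packet.
    Entries for rejected packets are never refreshed and simply time out.
    """
    path = [("input", walk_chain("input", pkt, pkt.in_iface))]
    if path[-1][1] == "REJECT":
        return path
    # Everything in this example is routed, so forward/output always run.
    path.append(("forward", walk_chain("forward", pkt, pkt.out_iface)))
    if path[-1][1] == "REJECT":
        return path
    if path[-1][1] == "MASQ":
        masq_port = MASQ_PORT_BASE + len(masq_table)
        masq_table.append((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport, masq_port))
        pkt = Packet(pkt.proto, PUBLIC_IP, pkt.dst, masq_port, pkt.dport,
                     pkt.in_iface, pkt.out_iface)
    path.append(("output", walk_chain("output", pkt, pkt.out_iface)))
    return path

if __name__ == "__main__":
    table: List[Tuple] = []
    lan = Packet("udp", "192.168.1.2", "50.171.209.212", 137, 137, "eth0", "ppp0")
    print(trace(lan, table))   # input ACCEPT, forward MASQ, output REJECT
    print(table)               # one masquerade entry, although nothing was sent
    probe = Packet("udp", "50.171.209.212", PUBLIC_IP, 137, 137, "ppp0", None)
    print(trace(probe, []))    # unsolicited UDP/137 from the outside: input REJECT
```

Running it prints the path of the Win9x NetBIOS packet (accepted by input because the input rule only matches ppp0, masqueraded by forward, rejected by output) and a one-line masquerade table entry, which is the entry Eric saw; the timer on that entry just runs down because no reply ever refreshes it.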