Hi Tom,

The problem isn't so much that I have made a connection from loc->net on UDP port 500 (and 10000), but the other way around, net->loc. If I understand your firewall correctly, the rules in the rules config file are exceptions to a net->loc DROP policy. For example, as an exception, I have opened port 22 to allow incoming ssh connections. However, I have not opened UDP port 500 (and 10000) for returning VPN traffic. In theory, then, I shouldn't be able to connect to my VPN at all, because a response from my VPN server would be blocked by the firewall and never reach my VPN client. The mystery then is why I am able to connect to my VPN server when I have not opened UDP port 500 for incoming traffic. Why hasn't my firewall blocked this traffic, when, by default (and without a rule exception), it should be blocked?
Let me know if I'm making sense,

Chad

> Chad -- I've been following this thread and I must confess that I don't
> understand what problem you are reporting. When you "made some VPN
> attempts", what was the SOURCE IP and what was the DESTINATION IP? (I
> assume that the protocol was UDP and the DPT was 500?).
>
> The reason that I ask is that the only UDP port 500 connection that is
> active in the "AfterVPN" dump originated from inside your firewall
> (192.168.2.254) with a destination on the net (204.26.5.165). Since you
> ACCEPT loc->net traffic by policy, I hope it isn't surprising that such
> a connection would be accepted.
>
> -Tom

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
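The following is an added example, not part of this thread, that models why the VPN reply can get in without a net->loc exception: it reproduces the policies and rule described above (loc->net ACCEPT, net->loc DROP, tcp/22 opened from net to loc) and the UDP 500 flow from 192.168.2.254 to 204.26.5.165, and assumes Linux connection tracking, so a packet that belongs to a flow the firewall already accepted is passed as ESTABLISHED before rules and policies are consulted. The unsolicited source address 198.51.100.7 is constructed.

```python
"""Toy model of a zone-based stateful firewall (Shorewall-style).

Added illustration, not Shorewall code. ESTABLISHED matching here
stands in for Linux connection tracking (assumed behaviour).
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src_zone dst_zone proto src dst sport dport")

# Policies and the one rule exception described in the mail.
POLICY = {("loc", "net"): "ACCEPT", ("net", "loc"): "DROP"}
RULES = [("net", "loc", "tcp", 22)]  # ACCEPT net->loc tcp dport 22


class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()  # 5-tuples of flows already accepted

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        # The same flow seen from the other direction.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        # 1. Connection tracking: replies to accepted flows pass first.
        if self._key(p) in self.conntrack or self._reply_key(p) in self.conntrack:
            return "ACCEPT (ESTABLISHED)"
        # 2. Rule exceptions for new connections.
        if (p.src_zone, p.dst_zone, p.proto, p.dport) in RULES:
            self.conntrack.add(self._key(p))
            return "ACCEPT (rule)"
        # 3. Otherwise the zone policy decides.
        verdict = POLICY.get((p.src_zone, p.dst_zone), "DROP")
        if verdict == "ACCEPT":
            self.conntrack.add(self._key(p))
            return "ACCEPT (policy)"
        return verdict


def vpn_scenario():
    """Outbound IKE from the LAN host, its reply, then an unsolicited probe."""
    fw = StatefulFirewall()
    out = Packet("loc", "net", "udp", "192.168.2.254", "204.26.5.165", 500, 500)
    reply = Packet("net", "loc", "udp", "204.26.5.165", "192.168.2.254", 500, 500)
    probe = Packet("net", "loc", "udp", "198.51.100.7", "192.168.2.254", 500, 500)
    ssh = Packet("net", "loc", "tcp", "198.51.100.7", "192.168.2.254", 40000, 22)
    return fw.filter(out), fw.filter(reply), fw.filter(probe), fw.filter(ssh)
```

Only the reply to the LAN-initiated flow is accepted on UDP 500; an unsolicited net->loc UDP 500 packet still hits the DROP policy, while tcp/22 passes via the rule exception.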
