C. Albers wrote:
> Hi Tom,
>
> The problem isn't so much that I have made a connection from loc->net on UDP port 500 (and 10000), but the other way around, net->loc. If I understand your firewall correctly, the rules in the rules config file are exceptions to a net->loc DROP policy. For example, as an exception, I have opened port 22 to allow incoming ssh connections. However, I have not opened UDP port 500 (and 10000) for returning VPN traffic. In theory, then, I shouldn't be able to connect to my VPN at all, because a response from my VPN server would be blocked by the firewall and never reach my VPN client.
>
> The mystery then is why am I able to connect to my VPN server when I have not opened UDP port 500 for incoming traffic. Why hasn't my firewall blocked this traffic, when, by default (and without a rule exception), it should be blocked?
>
> Let me know if I'm making sense,
You are misunderstanding the concept of a stateful firewall. In a stateful firewall (like the one configured by Shorewall), any packet that is part of an ESTABLISHED connection is automatically passed by the firewall. A connection becomes ESTABLISHED when a response packet is received (reaching ESTABLISHED state has nothing to do with the underlying protocol's idea of a connection).

Your rules and policies govern connections, not packets. So when you say that you have a loc->net ACCEPT policy, that means that you are allowing connections to be established from the loc zone to the net zone. And responses to ACCEPTed connection requests are always accepted, as is each successive response packet.

HTH,
-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
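The point Tom makes above, as an added toy model (not Shorewall's or Netfilter's own code): connection tracking keys on the flow, policies and rules are consulted only for NEW packets, and a reply to an outbound UDP/500 packet is ESTABLISHED and passes despite the net->loc DROP policy, while an unsolicited inbound UDP/500 packet is dropped. Zone names, ports, and the IP addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    src: tuple   # (ip, port), constructed sample values
    dst: tuple

class StatefulFirewall:
    """Toy model of a zone firewall with a conntrack table (not real Shorewall code)."""
    def __init__(self, policies, rules):
        self.policies = policies   # {(from_zone, to_zone): "ACCEPT" | "DROP"}
        self.rules = rules         # exceptions: {(from_zone, to_zone, proto, dport): "ACCEPT"}
        self.conntrack = set()     # flows that were ACCEPTed as NEW connections

    def filter(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        # Any packet of a tracked flow, in either direction, is ESTABLISHED and
        # is passed without looking at the zone policy or the rules at all.
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT", "ESTABLISHED"
        # NEW connection: an explicit rule wins, otherwise the zone policy applies.
        key = (pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.dst[1])
        verdict = self.rules.get(key) or self.policies[(pkt.src_zone, pkt.dst_zone)]
        if verdict == "ACCEPT":
            self.conntrack.add(flow)   # remember the flow so replies match
        return verdict, "NEW"

def demo():
    fw = StatefulFirewall(
        policies={("loc", "net"): "ACCEPT", ("net", "loc"): "DROP"},
        rules={("net", "loc", "tcp", 22): "ACCEPT"},   # the only net->loc exception
    )
    client, vpn = ("192.0.2.10", 500), ("198.51.100.5", 500)   # constructed addresses
    outbound = fw.filter(Packet("loc", "net", "udp", client, vpn))        # IKE request out
    reply = fw.filter(Packet("net", "loc", "udp", vpn, client))           # VPN server replies
    unsolicited = fw.filter(Packet("net", "loc", "udp", ("203.0.113.7", 500), client))
    ssh = fw.filter(Packet("net", "loc", "tcp", ("203.0.113.7", 40000), ("192.0.2.10", 22)))
    return outbound, reply, unsolicited, ssh

if __name__ == "__main__":
    for name, verdict in zip(("outbound", "reply", "unsolicited", "ssh"), demo()):
        print(f"{name:12s} -> {verdict}")
```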
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
