Tom Eastep wrote:
> C. Albers wrote:
>> Hi Tom,
>>
>> The problem isn't so much that I have made a connection from loc->net on
>> UDP port 500 (and 10000), but the other way around, net->loc. If I
>> understand your firewall correctly, the rules in the rules config file
>> are exceptions to a net->loc DROP policy. For example, as an exception,
>> I have opened port 22 to allow incoming ssh connections. However, I have
>> not opened UDP port 500 (and 10000) for returning VPN traffic. In theory,
>> then, I shouldn't be able to connect to my VPN at all, because a response
>> from my VPN server would be blocked by the firewall and never reach my
>> VPN client.
>>
>> The mystery then is why I am able to connect to my VPN server when I have
>> not opened UDP port 500 for incoming traffic. Why hasn't my firewall
>> blocked this traffic, when, by default (and without a rule exception), it
>> should be blocked?
>>
>> Let me know if I'm making sense,
>
> You are misunderstanding the concept of a stateful firewall.
>
> In a stateful firewall (like the one configured by Shorewall), any packet
> that is part of an ESTABLISHED connection is automatically passed by the
> firewall. A connection becomes ESTABLISHED when a response packet is
> received (reaching ESTABLISHED state has nothing to do with the underlying
> protocol's idea of a connection).
BTW -- I was not yelling "established" in the above text -- it's capitalized
in the iptables syntax and there is an ESTABLISHED section in the Shorewall
rules file.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
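The mechanism Tom describes, shown as an added example (this is not Shorewall or Netfilter code, and not from anyone in the thread). It is a toy conntrack-style tracker plus a two-zone filter with the policies from the question: loc->net allowed, net->loc DROP with tcp/22 as the only exception. The addresses, the loc prefix 192.168.1.0/24 and the exception set are assumptions. The trace shows why the VPN server's UDP/500 and UDP/10000 replies are ACCEPTed as ESTABLISHED even though no net->loc rule opens those ports, while an unsolicited UDP/500 packet from some other host is still DROPped, because the conntrack key includes the peer address, not just the port.

```python
"""Toy model of a stateful (conntrack-style) packet filter.

Added illustration, not Shorewall or Netfilter code: the zones, addresses,
ports and the net->loc exception list below are assumptions for the example.
"""
from dataclasses import dataclass

# Assumed zones: loc is 192.168.1.0/24 behind the firewall, net is everything else.
LOC_PREFIX = "192.168.1."
# Assumed net->loc exceptions (the Shorewall 'rules' file of the question): tcp/22 only.
NET_TO_LOC_ACCEPT = {("tcp", 22)}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class Conntrack:
    """Minimal connection tracker keyed by the 5-tuple of the first packet.

    A flow is NEW until a packet in the reply direction has been seen; after
    that, packets in either direction are ESTABLISHED. Like netfilter, this
    does not depend on a protocol handshake: one UDP reply is enough.
    """

    def __init__(self):
        self._seen_reply = {}   # original-direction 5-tuple -> reply seen?

    @staticmethod
    def _tuple(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_tuple(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        """Classify a packet without changing tables (what --ctstate matches on)."""
        orig, rev = self._tuple(p), self._reply_tuple(p)
        if rev in self._seen_reply:
            return "ESTABLISHED"        # reply direction of a tracked flow
        if self._seen_reply.get(orig):
            return "ESTABLISHED"        # original direction, reply already seen
        return "NEW"

    def confirm(self, p):
        """Commit the entry; netfilter only confirms entries for ACCEPTed packets."""
        orig, rev = self._tuple(p), self._reply_tuple(p)
        if rev in self._seen_reply:
            self._seen_reply[rev] = True    # both directions now seen
        else:
            self._seen_reply.setdefault(orig, False)


class Firewall:
    def __init__(self):
        self.ct = Conntrack()

    @staticmethod
    def zone(ip):
        return "loc" if ip.startswith(LOC_PREFIX) else "net"

    def verdict(self, p):
        """Return (ctstate, verdict) for one packet and update conntrack."""
        st = self.ct.state(p)
        if st == "ESTABLISHED":
            # Equivalent of: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
            self.ct.confirm(p)
            return st, "ACCEPT"
        pair = (self.zone(p.src), self.zone(p.dst))
        if pair == ("loc", "net"):
            verdict = "ACCEPT"                                  # assumed loc->net ACCEPT policy
        elif pair == ("net", "loc"):
            verdict = "ACCEPT" if (p.proto, p.dport) in NET_TO_LOC_ACCEPT else "DROP"
        else:
            verdict = "DROP"
        if verdict == "ACCEPT":
            self.ct.confirm(p)
        return st, verdict


def trace():
    """Replay the scenario from the thread; returns [(label, ctstate, verdict)]."""
    fw = Firewall()
    client, vpn, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"   # constructed
    packets = [
        ("client IKE to VPN, udp/500",    Packet("udp", client, 500, vpn, 500)),
        ("VPN IKE reply, udp/500",        Packet("udp", vpn, 500, client, 500)),
        ("client to VPN, udp/10000",      Packet("udp", client, 10000, vpn, 10000)),
        ("VPN reply, udp/10000",          Packet("udp", vpn, 10000, client, 10000)),
        ("unsolicited udp/500 from net",  Packet("udp", stranger, 500, client, 500)),
        ("unsolicited tcp/22 from net",   Packet("tcp", stranger, 40000, client, 22)),
    ]
    return [(label,) + fw.verdict(p) for label, p in packets]


if __name__ == "__main__":
    for label, st, v in trace():
        print(f"{label:32} ctstate={st:12} {v}")
```

Two details worth noticing when reading the trace: the reply only matches because IKE answers from port 500 back to the client's port 500, so the reversed 5-tuple is exactly the original flow; and a dropped packet never confirms an entry, so an attacker sending UDP/500 to the client cannot pre-create a flow that a later packet would ride on as ESTABLISHED.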
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
