Thanks, Tom, for taking the time to clear this up for me. I really appreciate the help.
Chad

--- Tom Eastep <[EMAIL PROTECTED]> wrote:

> C. Albers wrote:
> > Hi Tom,
> >
> > The problem isn't so much that I have made a connection from loc->net on UDP port 500 (and 10000), but the other way around, net->loc. If I understand your firewall correctly, the rules in the rules config file are exceptions to a net->loc DROP policy. For example, as an exception, I have opened port 22 to allow incoming ssh connections. However, I have not opened UDP port 500 (and 10000) for returning VPN traffic. In theory, then, I shouldn't be able to connect to my VPN at all, because a response from my VPN server would be blocked by the firewall and never reach my VPN client.
> >
> > The mystery then is why am I able to connect to my VPN server when I have not opened UDP port 500 for incoming traffic. Why hasn't my firewall blocked this traffic, when, by default (and without a rule exception), it should be blocked?
> >
> > Let me know if I'm making sense,
>
> You are misunderstanding the concept of a stateful firewall.
>
> In a stateful firewall (like the one configured by Shorewall), any packet that is part of an ESTABLISHED connection is automatically passed by the firewall. A connection becomes ESTABLISHED when a response packet is received (reaching ESTABLISHED state has nothing to do with the underlying protocol's idea of a connection).
>
> Your rules and policies govern connections, not packets. So when you say that you have a loc->net ACCEPT policy that means that you are allowing connections to be established from the loc->net zones. And responses to ACCEPTed connection requests are always accepted, as is each successive response packet.
>
> HTH,
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ [EMAIL PROTECTED]
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
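The connection-versus-packet distinction Tom describes, modelled as an added example (this is not Shorewall's or netfilter's code; the zones, the loc->net ACCEPT / net->loc DROP policies and the port-22 exception come from the thread, while the addresses are constructed):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str    # Shorewall zone the packet comes from ("loc" or "net")
    dst_zone: str
    proto: str       # "udp" or "tcp"
    src: tuple       # (address, port)
    dst: tuple

class StatefulFirewall:
    """Policies and rules are consulted only for the first packet of a flow.
    Once a flow is tracked, its packets and the replies to it are passed."""

    def __init__(self, policies, rules):
        self.policies = policies   # {(from_zone, to_zone): "ACCEPT" | "DROP"}
        self.rules = rules         # exceptions: {(from, to, proto, dport): "ACCEPT"}
        self.tracked = {}          # {(proto, src, dst): "NEW" | "ESTABLISHED"}

    def filter(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.dst)
        reply = (pkt.proto, pkt.dst, pkt.src)
        if reply in self.tracked:                  # reply to an accepted connection
            self.tracked[reply] = "ESTABLISHED"    # UDP too: no protocol handshake needed
            return "ACCEPT"
        if flow in self.tracked:                   # further packet in the original direction
            return "ACCEPT"
        # First packet of a new flow: an explicit rule (exception) wins, else the zone policy.
        verdict = self.rules.get((pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.dst[1]),
                                 self.policies[(pkt.src_zone, pkt.dst_zone)])
        if verdict == "ACCEPT":
            self.tracked[flow] = "NEW"
        return verdict

def vpn_scenario():
    """Chad's setup: loc->net ACCEPT, net->loc DROP, with port 22 opened as an exception."""
    fw = StatefulFirewall(
        policies={("loc", "net"): "ACCEPT", ("net", "loc"): "DROP"},
        rules={("net", "loc", "tcp", 22): "ACCEPT"},
    )
    client, vpn = ("192.0.2.10", 500), ("198.51.100.5", 500)            # constructed addresses
    out = fw.filter(Packet("loc", "net", "udp", client, vpn))            # IKE request leaves loc
    back = fw.filter(Packet("net", "loc", "udp", vpn, client))           # reply: no port-500 rule needed
    cold = fw.filter(Packet("net", "loc", "udp", ("203.0.113.9", 500), client))  # unsolicited: policy DROP
    ssh = fw.filter(Packet("net", "loc", "tcp", ("203.0.113.9", 40000), ("192.0.2.10", 22)))
    return out, back, cold, ssh, fw.tracked[("udp", client, vpn)]
```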
