Grant wrote:
> On my router I have the following policy:
>
> loc net ACCEPT
> loc $FW ACCEPT
> loc all REJECT
> $FW net ACCEPT
> $FW loc REJECT
> $FW all REJECT
> net $FW DROP
> net loc DROP
> net all DROP
> all all REJECT
>
> and the following rules:
>
> DNAT net loc:192.168.0.3 tcp 50000
> DNAT net loc:192.168.0.3 udp 50000
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
>
> And yet I'm able to ssh from a machine on the local network to the
> router via the external IP address. Does the router still know that
> I'm coming from the inside and thus allow it?
Of course -- would you really want to use a firewall that was so easily outwitted?

> Also a bittorrent client works on 192.168.0.3 even though I'm
> forwarding a different port than the one the client is set to listen
> on. How can that be?

While I don't use bittorrent, myself, IIRC the client will somewhat work with incoming connections blocked.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
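As an added illustration (not Shorewall's own code, but a simplified model of its zone and policy evaluation): the source zone of a connection is taken from the interface it arrived on, so a LAN host reaching the router's external address is still loc -> $FW and matches the `loc $FW ACCEPT` policy, while a port that is not forwarded falls through to `net $FW DROP` when reached from the Internet. The interface names and addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Zone membership is by ingress interface (Shorewall's interfaces file); constructed names.
INTERFACE_ZONE = {"eth0": "net", "eth1": "loc"}
# Addresses owned by the firewall itself; the external one is what DNAT rewrites.
FIREWALL_ADDRS = {ip_address("203.0.113.10"), ip_address("192.168.0.1")}
LOC_NET = ip_network("192.168.0.0/24")

# Policies as in the post: first match wins, "all" is a wildcard.
POLICIES = [
    ("loc", "net", "ACCEPT"), ("loc", "$FW", "ACCEPT"), ("loc", "all", "REJECT"),
    ("$FW", "net", "ACCEPT"), ("$FW", "loc", "REJECT"), ("$FW", "all", "REJECT"),
    ("net", "$FW", "DROP"), ("net", "loc", "DROP"), ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]
# Rules as in the post, consulted before policies: (src, dst, proto, dport, action).
RULES = [
    ("net", "loc", "tcp", 50000, "DNAT"), ("net", "loc", "udp", 50000, "DNAT"),
    ("$FW", "loc", "icmp", None, "ACCEPT"), ("$FW", "net", "icmp", None, "ACCEPT"),
]

def source_zone(ingress_iface):
    """The source zone comes from the arrival interface, never from which
    of the firewall's own addresses the packet was sent to."""
    return INTERFACE_ZONE.get(ingress_iface, "net")  # unknown -> untrusted

def dest_zone(dst_ip):
    ip = ip_address(dst_ip)
    if ip in FIREWALL_ADDRS:
        return "$FW"
    return "loc" if ip in LOC_NET else "net"

def decide(ingress_iface, dst_ip, proto, dport=None):
    """Action for a new connection, as the rules and then the policy table give it."""
    src, dst = source_zone(ingress_iface), dest_zone(dst_ip)
    for rsrc, rdst, rproto, rport, action in RULES:
        if rsrc != src or rproto != proto or rport not in (None, dport):
            continue
        if action == "DNAT" and dst == "$FW":  # DNAT rewrites a firewall address
            return action
        if action != "DNAT" and rdst == dst:
            return action
    for psrc, pdst, action in POLICIES:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    raise LookupError("no policy matched")  # cannot happen with 'all all' present

if __name__ == "__main__":
    print(decide("eth1", "203.0.113.10", "tcp", 22))    # LAN -> external IP: ACCEPT
    print(decide("eth0", "203.0.113.10", "tcp", 6881))  # unforwarded port from net: DROP
```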
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
