Grant wrote:
>>> On my router I have the following policy:
>>>
>>> loc net ACCEPT
>>> loc $FW ACCEPT
>>> loc all REJECT
>>> $FW net ACCEPT
>>> $FW loc REJECT
>>> $FW all REJECT
>>> net $FW DROP
>>> net loc DROP
>>> net all DROP
>>> all all REJECT
>>>
>>> and the following rules:
>>>
>>> DNAT net loc:192.168.0.3 tcp 50000
>>> DNAT net loc:192.168.0.3 udp 50000
>>> ACCEPT $FW loc icmp
>>> ACCEPT $FW net icmp
>>>
>>> And yet I'm able to ssh from a machine on the local network to the
>>> router via the external IP address. Does the router still know that
>>> I'm coming from the inside and thus allow it?
>> Of course -- would you really want to use a firewall that was so easily
>> outwitted?
>
> Ok, sounds like no cause for alarm.
>
>>> Also a bittorrent client works on 192.168.0.3 even though I'm
>>> forwarding a different port than the one the client is set to listen
>>> on. How can that be?
>>>
>> While I don't use bittorrent, myself, IIRC the client will somewhat work
>> with incoming connections blocked.
>
> But how can it possibly do that?
>
Because its primary connections are outgoing, not incoming.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
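Both answers in this thread come down to how the zone of a packet is decided and in what order the entries are consulted. The toy evaluator below is an added illustration, not Shorewall's own code: it encodes the policy and rule entries quoted above, assigns the source zone from the interface a packet arrives on (never from the address it is sent to), checks rules before policies, and takes the first matching policy. The interface-to-zone map, the router's addresses and the sample connections are constructed for the example.

```python
# Toy model of Shorewall connection handling for the thread's configuration.
# Assumptions (constructed for this example): eth0 faces the net zone,
# eth1 faces the loc zone, and the router owns the two addresses below.
IFACE_ZONE = {"eth0": "net", "eth1": "loc"}
FW_ADDRS = {"203.0.113.10", "192.168.0.1"}   # external and internal address

POLICIES = [  # (source, dest, action), in the order given in the thread
    ("loc", "net", "ACCEPT"), ("loc", "$FW", "ACCEPT"), ("loc", "all", "REJECT"),
    ("$FW", "net", "ACCEPT"), ("$FW", "loc", "REJECT"), ("$FW", "all", "REJECT"),
    ("net", "$FW", "DROP"), ("net", "loc", "DROP"), ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]
RULES = [  # (action, source, dest, proto, dport); None = any port
    ("DNAT", "net", "loc", "tcp", 50000),
    ("DNAT", "net", "loc", "udp", 50000),
    ("ACCEPT", "$FW", "loc", "icmp", None),
    ("ACCEPT", "$FW", "net", "icmp", None),
]


def source_zone(in_iface):
    """Zone comes from the ingress interface; locally generated traffic
    (no ingress interface) belongs to the firewall zone $FW."""
    return "$FW" if in_iface is None else IFACE_ZONE[in_iface]


def dest_zone(addr):
    """Traffic addressed to the router itself targets $FW, whatever
    address it was sent to; otherwise classify by destination network."""
    if addr in FW_ADDRS:
        return "$FW"
    return "loc" if addr.startswith("192.168.0.") else "net"


def decide(in_iface, dst_addr, proto, dport=None):
    """Return the action for a NEW connection: rules first, then the first
    matching policy, where 'all' is a wildcard for either zone."""
    src, dst = source_zone(in_iface), dest_zone(dst_addr)
    for action, rs, rd, rp, rport in RULES:
        if (rs, rd, rp) == (src, dst, proto) and rport in (None, dport):
            return action
    for ps, pd, action in POLICIES:
        if ps in (src, "all") and pd in (dst, "all"):
            return action
    return "REJECT"   # unreachable here: 'all all REJECT' catches the rest
```

An ssh connection from eth1 to the external address resolves to loc to $FW and is accepted, while the same connection from eth0 hits net $FW DROP; the torrent client's outgoing connections from the LAN fall under loc net ACCEPT regardless of which port is forwarded.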
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
