> >>> On my router I have the following policy:
> >>>
> >>> loc net ACCEPT
> >>> loc $FW ACCEPT
> >>> loc all REJECT
> >>> $FW net ACCEPT
> >>> $FW loc REJECT
> >>> $FW all REJECT
> >>> net $FW DROP
> >>> net loc DROP
> >>> net all DROP
> >>> all all REJECT
> >>>
> >>> and the following rules:
> >>>
> >>> DNAT net loc:192.168.0.3 tcp 50000
> >>> DNAT net loc:192.168.0.3 udp 50000
> >>> ACCEPT $FW loc icmp
> >>> ACCEPT $FW net icmp
> >>>
> >>> And yet I'm able to ssh from a machine on the local network to the
> >>> router via the external IP address. Does the router still know that
> >>> I'm coming from the inside and thus allow it?
> >> Of course -- would you really want to use a firewall that was so easily
> >> outwitted?
> >
> > Ok, sounds like no cause for alarm.
> >
> >>> Also a bittorrent client works on 192.168.0.3 even though I'm
> >>> forwarding a different port than the one the client is set to listen
> >>> on. How can that be?
> >>>
> >> While I don't use bittorrent myself, IIRC the client will somewhat work
> >> with incoming connections blocked.
> >
> > But how can it possibly do that?
> >
>
> Because its primary connections are outgoing, not incoming.
>
> -Tom
But how could anyone make a request of the machine if there are no ports
forwarded to it?

- Grant

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
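The two questions in this thread (why a LAN host can reach the router on its external address, and why a BitTorrent client keeps working when only port 50000 is forwarded) both come down to how Shorewall's zones and Netfilter's connection tracking interact. The following is an added example, not Shorewall's own code and not anything posted in the thread: a small Python model of the exact policy and DNAT rules quoted above, with zone membership decided by ingress interface, DNAT applied before the zone policy, and a connection tracker that admits the return half of any accepted flow. The interface names, router addresses, peer address and the listening port 6881 are assumptions; only 192.168.0.3 and port 50000 come from the original post. Masquerading is left out, so the reply packet is shown after reverse NAT.

```python
"""Toy model of the Shorewall policy/rules quoted in this thread.

Added example, not Shorewall code. Interface names, router addresses, the
peer address and port 6881 are assumptions; only 192.168.0.3 and port 50000
come from the original post. Masquerading is omitted: replies are shown as
they look after reverse NAT.
"""
from dataclasses import dataclass

EXT_IF, INT_IF = "eth0", "eth1"                 # assumed router interfaces
EXT_IP, INT_IP = "203.0.113.5", "192.168.0.1"   # assumed router addresses
LOC_PREFIX = "192.168.0."

# Policy table from the post, in order; first match wins.
POLICY = [
    ("loc", "net", "ACCEPT"), ("loc", "$FW", "ACCEPT"), ("loc", "all", "REJECT"),
    ("$FW", "net", "ACCEPT"), ("$FW", "loc", "REJECT"), ("$FW", "all", "REJECT"),
    ("net", "$FW", "DROP"),   ("net", "loc", "DROP"),   ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]
# DNAT rules from the post: (source zone, proto, dport) -> new destination.
DNAT = {("net", "tcp", 50000): "192.168.0.3", ("net", "udp", 50000): "192.168.0.3"}


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def src_zone(pkt):
    """The source zone is decided by the ingress interface, not by which
    of the router's addresses the packet is aimed at."""
    return "net" if pkt.iface == EXT_IF else "loc"


def dst_zone(addr):
    if addr in (EXT_IP, INT_IP):
        return "$FW"
    return "loc" if addr.startswith(LOC_PREFIX) else "net"


def policy(sz, dz):
    for s, d, action in POLICY:
        if s in (sz, "all") and d in (dz, "all"):
            return action
    return "REJECT"


class Firewall:
    def __init__(self):
        self.conntrack = set()   # 5-tuples of accepted flows, both directions

    def handle(self, pkt):
        """Return (verdict, address the packet is delivered to)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Part of a flow already accepted: conntrack lets it through
            # before the zone policy is consulted, so "net loc DROP" never
            # applies to data a remote peer sends back on our own connection.
            return "ACCEPT(established)", pkt.dst
        sz = src_zone(pkt)
        dst = DNAT.get((sz, pkt.proto, pkt.dport), pkt.dst)  # NAT before policy
        if dst != pkt.dst:
            verdict = "ACCEPT(DNAT)"     # a DNAT rule implies ACCEPT
        else:
            verdict = policy(sz, dst_zone(dst))
        if verdict.startswith("ACCEPT"):
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, dst, pkt.dport))
            self.conntrack.add((pkt.proto, dst, pkt.dport, pkt.src, pkt.sport))
        return verdict, dst


def run_scenarios():
    fw = Firewall()
    peer = "198.51.100.7"      # assumed remote BitTorrent peer
    out = {}
    # 1. ssh from a LAN host to the router's *external* address: still zone loc.
    out["ssh_via_ext_ip"] = fw.handle(Packet(INT_IF, "192.168.0.10", 40001, EXT_IP, 22))
    # 2. Unsolicited connection from the Internet to the assumed listen port.
    out["inbound_6881"] = fw.handle(Packet(EXT_IF, peer, 51000, EXT_IP, 6881))
    # 3. Unsolicited connection to the forwarded port.
    out["inbound_50000"] = fw.handle(Packet(EXT_IF, peer, 51001, EXT_IP, 50000))
    # 4. The client connects outwards first; the peer's data then comes back in.
    out["outbound"] = fw.handle(Packet(INT_IF, "192.168.0.3", 40002, peer, 6881))
    out["reply"] = fw.handle(Packet(EXT_IF, peer, 6881, "192.168.0.3", 40002))
    return out


if __name__ == "__main__":
    for name, (verdict, dst) in run_scenarios().items():
        print(f"{name:16} {verdict:22} -> {dst}")
```

Scenario 1 is accepted by "loc $FW ACCEPT" because the packet arrived on the internal interface, whatever address it was sent to. Scenario 2 hits "net $FW DROP" (nothing forwards 6881), scenario 3 is DNAT'd to 192.168.0.3, and in scenario 4 the peer's packet is admitted only because it belongs to a connection the client opened itself; a peer that has not been contacted first still gets DROP on every port except 50000.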
