Grant wrote:
> On my router I have the following policy:
>
> loc net ACCEPT
> loc $FW ACCEPT
> loc all REJECT
> $FW net ACCEPT
> $FW loc REJECT
> $FW all REJECT
> net $FW DROP
> net loc DROP
> net all DROP
> all all REJECT
>
> and the following rules:
>
> DNAT net loc:192.168.0.3 tcp 50000
> DNAT net loc:192.168.0.3 udp 50000
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
>
> And yet I'm able to ssh from a machine on the local network to the
> router via the external IP address. Does the router still know that
> I'm coming from the inside and thus allow it or is something wrong?
Yes it knows, and it allows it because you've told it to:

loc $FW ACCEPT

> Also a bittorrent client works on 192.168.0.3 even though I'm
> forwarding a different port than the one the client is set to listen
> on. How can that be?

Define 'works'?

It won't work fully, but it will work as long as enough peers are working correctly. You have this policy rule:

loc net ACCEPT

That allows the client to make outbound connections. It will be able to contact the tracker and find a list of potential peers - it can then make outbound connections to those peers AS LONG AS THEY ARE FULLY WORKING.

What will fail is inbound connections, so other peers cannot connect to you and that means you will most likely NOT be able to seed once you have completed your download - tut tut.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
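The first-match logic the reply relies on, as an added toy evaluator over the policy and rules Grant posted (Python written for this thread, not Shorewall's own code): rules are checked before policy, the first match wins, and 'all' is a wildcard. The router's external address is treated as belonging to $FW, and the client's listen port 51413 is a constructed value.

```python
from dataclasses import dataclass
from typing import Optional
FW = "$FW"

@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str                      # zone the packet is addressed to on arrival
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: Optional[str] = None  # DNAT only: where the packet is redirected

# Rules from the post. A DNAT rule matches traffic from net that arrives at the
# firewall's own (external) address and rewrites the destination to the target.
RULES = [
    Rule("DNAT", "net", FW, "tcp", 50000, target="loc:192.168.0.3"),
    Rule("DNAT", "net", FW, "udp", 50000, target="loc:192.168.0.3"),
    Rule("ACCEPT", FW, "loc", "icmp"),
    Rule("ACCEPT", FW, "net", "icmp"),
]

# Policy lines from the post, in their original order; 'all' is a wildcard.
POLICY = [
    ("loc", "net", "ACCEPT"), ("loc", FW, "ACCEPT"), ("loc", "all", "REJECT"),
    (FW, "net", "ACCEPT"), (FW, "loc", "REJECT"), (FW, "all", "REJECT"),
    ("net", FW, "DROP"), ("net", "loc", "DROP"), ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

def _zone_match(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone

def decide(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    # Verdict for a new connection: rules are checked first, then policy.
    for r in RULES:
        if (_zone_match(r.src, src) and _zone_match(r.dst, dst)
                and (r.proto is None or r.proto == proto)
                and (r.dport is None or r.dport == dport)):
            return f"DNAT -> {r.target}" if r.action == "DNAT" else r.action
    for psrc, pdst, verdict in POLICY:
        if _zone_match(psrc, src) and _zone_match(pdst, dst):
            return verdict
    return "REJECT"  # unreachable here because of 'all all REJECT'
CLIENT_LISTEN_PORT = 51413  # constructed: the post only says it is not 50000
if __name__ == "__main__":
    # The router's external IP belongs to $FW, so an inside host hitting it is loc -> $FW.
    print("ssh from inside via external IP:", decide("loc", FW, "tcp", 22))
    print("peer -> forwarded port 50000:", decide("net", FW, "tcp", 50000))
    print("peer -> client's real port:", decide("net", FW, "tcp", CLIENT_LISTEN_PORT))
```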
