[Openswan Users] Blocking udp 1701 from outside on 2.6.26 (netkey)

Willie Gillespie wgillespie+openswan at es2eng.com
Mon Oct 11 20:48:51 EDT 2010

Yes, that's probably the expected behavior.  Since UDP doesn't create a 
connection, a non-response could be open or filtered as far as nmap is 
concerned.  It depends on the application.  You could change the second 
iptables rule to a REJECT and nmap should return "closed" to show that 
the rule is indeed being followed.

Gottfried Haider wrote:
> Hi Willie,
> thanks for your fast reply.
> I tried it out
> gohai at escher:/$ sudo iptables --list
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            policy
> match dir in pol ipsec udp dpt:l2f
> DROP       udp  --  anywhere             anywhere            udp dpt:l2f
> but when i run nmap from a remote host (not connected via the tunnel)
> it still shows me
> 1701/udp open|filtered L2TP
> - is this the expected behavior?
> Gottfried

More information about the Users mailing list