> quoting a services file like it's an RFC is not a great way to write
> firewall rules. just because a port has been reserved for a service,
> doesn't mean it's actually used. the obvious example here would be

So it looks like Win98 does not use 135.

If you are not happy with the results, use -m layer7 and go from there. _That's_ safe, across udp, tcp and the whole port range. :)

> that being said, i've also noticed that NAT-ing a windows file server
> doesn't always work--depending on your network topology.

No, I think because it uses broadcasts which ... are normally not propagated across networks unless you utilize userspace proxies.

I have recently turned a friend's network(s) into a bridged one to overcome this problem. (Or to evade, depending on the viewpoint.)
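As an added illustration (not part of the thread), here is an iptables-save style fragment that contrasts the port-list approach the quoted poster warns about with the -m layer7 match the reply suggests. It assumes the l7-filter kernel/iptables patch is installed and that its pattern set includes a pattern named "smb"; the chain policy and port numbers are constructed for the example.

```text
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Port-based: trusts that the ports reserved in /etc/services are the ones
# actually in use. Traffic on any other port is silently dropped, and
# anything else that happens to use these ports is let through.
-A FORWARD -p tcp -m multiport --dports 135,139,445 -j ACCEPT
-A FORWARD -p udp -m multiport --dports 137,138 -j ACCEPT

# Content-based: the layer7 match classifies a connection by its payload
# pattern, so it applies across tcp and udp and the whole port range.
# Requires connection tracking; "smb" is an assumed l7-filter pattern name.
-A FORWARD -m conntrack --ctstate NEW -m layer7 --l7proto smb -j ACCEPT
COMMIT
```

The layer7 match only inspects the first few packets of a tracked connection, so the ESTABLISHED,RELATED rule above is what carries the rest of the session.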