Shorewall oddities

[lots]

I'm using Nmap on a windows machine (yeah I know , but its the only machine type I have available outside my shorewall router). I'm testing a new machine's firewall that I plan to replace my current firewall/router with. Upon using nmap's connect() scan, I discovered a bunch of random ports that are listed by nmap as open. Ports 22, 25, 113, nntp, imap, pop3, imap2. There may have been a few others, but I dont remember off the top of my head.

I thought this was odd, because during the test, the only port that should have reported back was 22, due to ssh. All the others should be filtered. I dont even have services running on these ports. So I figured I'd specifically add drop rules to the shorewall rules file, for these ports. Nothing's changed. Is this windows version of NMap crazy? or am I missing something. Shorewall is the only thing modifying the iptables rules, as far as I know .

[albright]

Sorry if this it too obvious - but you're not testing
the network from *inside* the network are you?

[lots]

currently I've got it all set up in the following way:

[albright]

as a quick and dirty independent check, what does
shields up (https://www.grc.com/x/ne.dll?bh0bkyd2)
report?

[lots]

In order for me to check against shields up, i'd have to put my router out onto the internet. Currently the way its hooked up, it is still behind another router.

Maybe my attempt at a diagram was not clear

Basically I have a router running on my network currently. This router feeds directly to a switch which then feeds to the other computers on the network, _and_ my new router that I am setting up. My new router treats the peers on the "active" network as if they're from the internet, or supposidly it does . It then serves this connection to a laptop I have hooked up to it for testing. I guess I can call this a "testing" network.

So ideally, the new router should be dropping unwanted connection attempts and nmap scans from other computers on the "active" network. Simply checking GRC will have GRC hit my old router, which isn't very effective.

I suppose I could temporarily hook my new router to the net to see what GRC says. I could also boot my laptop into knoppix and hook it up to the active network and see if linux based nmap reports anything different from the windows version. I'll get back to you on the GRC test when I get back home and can physically swap around the cables.

On a good note, it does appear to be dropping pings ... but udp port scans and some tcp ports still report active.. even though they shouldn't.

Are there any special rules I need to add to shorewall to have it drop everything from the net by default? I followed the tutorials on the shorewall site, but they included steps like this, and they rules/policies files are set up according to it.

[yabbadabbadont]

You probably should post the non-comment portions of the interfaces, policy, rules, and zones files.
_________________

[lots]

Here they are:

interfaces (note eth0 is internal):