RE: RE: Help w/ Port 137 Traffic

["Stefan Norberg" <stefan () orbisec com>]

> Thanks for all the replies.  The change I believe I will make 
> in my firewall rules is to explicitly block inbound 137-139 
> traffic.  My default iptables policy is to deny, and these 
> are not ports I have opened up, so....they should be being 
> blocked, but an extra rule to catch this up front won't hurt.

I tend to build firewall rulebases that does the following (don't know
if this is common practice/knowledge out there):

1) Accept rules for traffic to the firewall device itself go first (such
as ssh, fw-gui).
2) Explicit drop for all other traffic to the firewall device.
3) General accept rules (ordered by system - high volume stuff first).
4) Silent drop of some stuff that just fills up the logs and add litte
value, such as udp/137. Drop certain internal ip's that scans the
internal network all the time. And so on.
5) Drop and log everything else.

In general you don't want to use block/reject, since it sends out a TCP
RST (for TCP) or ICMP port unreach for UDP. An example where you would
you block/reject is to avoid timeouts for valid traffic such as identd.

> I have to add one clarification to the scenario and apologize 
> for not including this up front:  could running Samba (as a 
> master browser/file server - not domain controller) be the 
> source of the problem?  Are there some outbound ports I 
> should be blocking when (I assume) Samba announces itself 
> periodically as the master browser?

You should block ALL outbound (and inbound) traffic that isn't
explicitly needed for your system to function.

Stefan

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Mike McCandless
> Sent: Sunday, October 13, 2002 4:13 PM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] RE: Help w/ Port 137 Traffic
>
>
> Thanks for all the replies.  The change I believe I will make 
> in my firewall rules is to explicitly block inbound 137-139 
> traffic.  My default iptables policy is to deny, and these 
> are not ports I have opened up, so....they should be being 
> blocked, but an extra rule to catch this up front won't hurt.
>
> I have to add one clarification to the scenario and apologize 
> for not including this up front:  could running Samba (as a 
> master browser/file server - not domain controller) be the 
> source of the problem?  Are there some outbound ports I 
> should be blocking when (I assume) Samba announces itself 
> periodically as the master browser?
>
>
> --------------------------------------------------------
> Mike McCandless
> michael () prismbiz com
>
> _______________________________________________
> firewall-wizards mailing list firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards