Firewall Wizards mailing list archives
RE: RE: Help w/ Port 137 Traffic
From: "Stefan Norberg" <stefan () orbisec com>
Date: Sun, 13 Oct 2002 19:52:41 +0200
> Thanks for all the replies. The change I believe I will make in my firewall rules is to explicitly block inbound 137-139 traffic. My default iptables policy is to deny, and these are not ports I have opened up, so....they should be being blocked, but an extra rule to catch this up front won't hurt.
I tend to build firewall rulebases that do the following (don't know if this is common practice/knowledge out there):

1) Accept rules for traffic to the firewall device itself go first (such as ssh, fw-gui).
2) Explicit drop for all other traffic to the firewall device.
3) General accept rules (ordered by system - high volume stuff first).
4) Silent drop of some stuff that just fills up the logs and adds little value, such as udp/137. Drop certain internal IPs that scan the internal network all the time. And so on.
5) Drop and log everything else.

In general you don't want to use block/reject, since it sends out a TCP RST (for TCP) or ICMP port unreach for UDP. An example where you would use block/reject is to avoid timeouts for valid traffic such as identd.
> I have to add one clarification to the scenario and apologize for not including this up front: could running Samba (as a master browser/file server - not domain controller) be the source of the problem? Are there some outbound ports I should be blocking when (I assume) Samba announces itself periodically as the master browser?
You should block ALL outbound (and inbound) traffic that isn't explicitly needed for your system to function.

Stefan
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Mike McCandless
Sent: Sunday, October 13, 2002 4:13 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] RE: Help w/ Port 137 Traffic

Thanks for all the replies. The change I believe I will make in my firewall rules is to explicitly block inbound 137-139 traffic. My default iptables policy is to deny, and these are not ports I have opened up, so....they should be being blocked, but an extra rule to catch this up front won't hurt.

I have to add one clarification to the scenario and apologize for not including this up front: could running Samba (as a master browser/file server - not domain controller) be the source of the problem? Are there some outbound ports I should be blocking when (I assume) Samba announces itself periodically as the master browser?

--------------------------------------------------------
Mike McCandless
michael () prismbiz com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
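The five-step rule ordering described in the message above, written out as an iptables ruleset with a check that the order holds. This is an added example, not part of the original post: the addresses, the ssh/web/mail services and the scanner host are constructed placeholders, and the 137:139 range follows the ports named in the quoted question.

```shell
#!/bin/sh
# Added example; every address and service below is a constructed placeholder.
ADMIN_NET="192.0.2.0/28"   # assumed management hosts allowed to ssh in
WEB_SRV="198.51.100.10"    # assumed high-volume web server
MAIL_SRV="198.51.100.25"   # assumed mail server
SCANNER="10.0.0.99"        # assumed internal host that sweeps the LAN

# Print the ruleset in iptables-restore format (needs no root to generate).
build_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# 1) accepts for traffic to the firewall itself go first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT
# 2) explicit drop for everything else addressed to the firewall
-A INPUT -j DROP
# outbound from the firewall: replies only; add just what it needs
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3) general accepts, high-volume first
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -d $WEB_SRV --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p tcp -d $MAIL_SRV --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# identd: reject instead of drop so senders do not wait for a timeout
-A FORWARD -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# 4) silent drops: log noise with little value
-A FORWARD -p udp --dport 137:139 -j DROP
-A FORWARD -p tcp --dport 137:139 -j DROP
-A FORWARD -s $SCANNER -j DROP
# 5) log and drop everything else
-A FORWARD -j LOG --log-prefix "fw-drop: "
-A FORWARD -j DROP
COMMIT
EOF
}

# Line number of the first rule containing the fixed string $1.
line_of() { build_rules | grep -n -F -e "$1" | head -n 1 | cut -d: -f1; }

# Ordering check: first match wins, so accepts must precede the INPUT drop
# and the silent drops must precede the LOG rule.
check_order() {
  [ "$(line_of '--dport 22 -j ACCEPT')" -lt "$(line_of '-A INPUT -j DROP')" ] &&
  [ "$(line_of '--dport 137:139 -j DROP')" -lt "$(line_of '-A FORWARD -j LOG')" ]
}
```

As root, `build_rules | iptables-restore --test` parses the ruleset without committing it.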