RE: RE: Help w/ Port 137 Traffic

[Frank Knobbe <fknobbe () knobbeits com>]

On Sun, 2002-10-13 at 12:52, Stefan Norberg wrote:
> I tend to build firewall rulebases that does the following (don't know
> if this is common practice/knowledge out there):
>
> 1) Accept rules for traffic to the firewall device itself go first (such
> as ssh, fw-gui).
> 2) Explicit drop for all other traffic to the firewall device.
> 3) General accept rules (ordered by system - high volume stuff first).
> 4) Silent drop of some stuff that just fills up the logs and add litte
> value, such as udp/137. Drop certain internal ip's that scans the
> internal network all the time. And so on.
> 5) Drop and log everything else.
>
> In general you don't want to use block/reject, since it sends out a TCP
> RST (for TCP) or ICMP port unreach for UDP. An example where you would
> you block/reject is to avoid timeouts for valid traffic such as identd.


Stefan,

I build mine very similar to you, with one exception. Any traffic from
the inside net that the firewall is supposed to block, I'm REJECTing.
That way internal devices don't 'hang' waiting for a timeout. Everything
coming in from the outside still gets DROPPED though. But I do prefer to
send a RST to hosts on the inside.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part