Firewall Wizards mailing list archives

Re: RE: Help w/ Port 137 Traffic


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 14 Oct 2002 14:13:24 -0400 (EDT)

On Mon, 14 Oct 2002, Luca Berra wrote:

On Sun, Oct 13, 2002 at 02:40:59PM -0400, R. DuFresne wrote:


depending upon the kind of windows OS' behind your firewall, you might
wish to add 135-139, tcp and udp, as well as 445, and 1433,1434.  Of course

if you really want to block outgoing traffic from workstation put a
proxy in the middle....


I have to add one clarification to the scenario and apologize for not
including this up front:  could running Samba (as a master browser/file
server - not domain controller) be the source of the problem?  Are there
some outbound ports I should be blocking when (I assume) Samba announces
itself periodically as the master browser?
samba announces itself periodically on the broadcast address of all
connected interfaces and to addresses specified with the 'remote
announce' smb.conf parameter.
I don't believe samba uses netbios-ns lookups to resolve remote hosts
connecting, but anyway no one should be connecting to your samba server
from outside.

as a last note i am also getting many probes on port 137 and 139, but
they seem unrelated, i might try answering to netbios-ns lookups and see
what happens, if i find a smaller beast than samba to use, that is.

I'm seeing broken systems like this one that has been pounding my systems
for months now:

Oct 14 03:07:19 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=11520 F=0x0000 T=109
Oct 14 03:07:19 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=11520 F=0x0000 T=109
Oct 14 03:07:20 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=12800 F=0x0000 T=109
Oct 14 03:07:20 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=12800 F=0x0000 T=109

One might be able to build the toy you are thinking of, Luca, with libnet
and/or netcat.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
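
An added example, not part of the original post: a small Python parser for kernel log lines in the format quoted in the message, counting distinct inbound packets per source to the ports named in the thread (135-139, 445, 1433, 1434). The sample lines are constructed with documentation addresses; the field meanings (L= length, I= IP ID, T= TTL) and the choice to treat entries with the same I= value as one packet are assumptions.

```python
import re
from collections import defaultdict

# Ports named in the thread: 135-139 and 445, plus 1433 and 1434.
WATCHED_PORTS = set(range(135, 140)) | {445, 1433, 1434}

# Line layout as quoted in the post. Field meanings are assumed:
# L = packet length, I = IP identification, T = TTL.
LINE_RE = re.compile(
    r"kernel: IP acct (?P<dir>in|out) (?P<ifc>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)"
)

def parse(lines):
    """Yield one dict per matching log line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "len", "ipid", "ttl"):
                rec[key] = int(rec[key])
            yield rec

def summarize(lines):
    """Count distinct inbound packets per (src, proto, dport) on watched ports.

    Entries sharing a source and an I= value are counted once (assumption:
    they are the same packet logged twice). IP IDs wrap, so over long
    windows this undercounts; bucket by time if that matters.
    """
    seen = defaultdict(set)
    for r in parse(lines):
        if r["dir"] == "in" and r["dport"] in WATCHED_PORTS:
            seen[(r["src"], r["proto"], r["dport"])].add(r["ipid"])
    return {key: len(ids) for key, ids in seen.items()}

# Constructed sample input (RFC 5737 documentation addresses, host "gw").
_P = "kernel: IP acct"
SAMPLE = [
    f"Oct 14 03:07:19 gw {_P} in ppp0 UDP 192.0.2.10:62 198.51.100.5:138 L=249 S=0x00 I=11520 F=0x0000 T=109",
    f"Oct 14 03:07:19 gw {_P} in ppp0 UDP 192.0.2.10:62 198.51.100.5:138 L=249 S=0x00 I=11520 F=0x0000 T=109",
    f"Oct 14 03:07:20 gw {_P} in ppp0 UDP 192.0.2.10:62 198.51.100.5:138 L=249 S=0x00 I=12800 F=0x0000 T=109",
    f"Oct 14 03:09:02 gw {_P} in ppp0 UDP 203.0.113.7:1026 198.51.100.5:137 L=78 S=0x00 I=4021 F=0x0000 T=112",
    f"Oct 14 03:09:40 gw {_P} in ppp0 TCP 203.0.113.7:3312 198.51.100.5:80 L=48 S=0x00 I=4100 F=0x4000 T=112",
    f"Oct 14 03:10:00 gw {_P} out ppp0 UDP 198.51.100.5:137 192.0.2.10:137 L=78 S=0x00 I=900 F=0x0000 T=64",
    "Oct 14 03:10:05 gw pppd[211]: unrelated line",
]

if __name__ == "__main__":
    for (src, proto, port), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {proto}/{port:<5} {n} distinct packet(s)")
```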

