Firewall Wizards mailing list archives
Re: RE: Help w/ Port 137 Traffic
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 14 Oct 2002 14:13:24 -0400 (EDT)
On Mon, 14 Oct 2002, Luca Berra wrote:
On Sun, Oct 13, 2002 at 02:40:59PM -0400, R. DuFresne wrote:depending upon the kinda of windows OS' behind your firewall, you might wish to add 135-139, tc and udp, as well as 445, and 1433,1434. Of courseif you really want to block outgoing traffic from workstation put a proxy in the middle....I have to add one clarification to the scenario and apologize for not including this up front: could running Samba (as a master browser/file server - not domain controller) be the source of the problem? Are there some outbound ports I should be blocking when (I assume) Samba announces itself periodically as the master browser?samba announces itself periodically on the broadcast address of all connected interfaces and to addresses specified with the 'remote announce' smb.conf parameter. I don't believe samba uses netbios-ns lookups to resolve remote hosts connecting, but anyway noone should be connecting to your samba server from outside. as a last note i am also getting many probes on port 137 and 139, but they seem unrelated, i might try answering to netbios-ns lookups and see what happens, if i find a smaller beast than samba to use, that is.
I'm seeing broken systems like this one that has been pounding my systems for months now: Oct 14 03:07:19 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=11520 F=0x0000 T=109 Oct 14 03:07:19 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=11520 F=0x0000 T=109 Oct 14 03:07:20 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=12800 F=0x0000 T=109 Oct 14 03:07:20 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=12800 F=0x0000 T=109 One might beable to build the toy you are thinking of luca with libnet and or netcat. Thanks, Ron DuFresne -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: RE: Help w/ Port 137 Traffic, (continued)
- RE: RE: Help w/ Port 137 Traffic Stefan Norberg (Oct 14)
- Re: RE: Help w/ Port 137 Traffic R. DuFresne (Oct 13)
- Re: RE: Help w/ Port 137 Traffic Devdas Bhagat (Oct 14)
- Re: RE: Help w/ Port 137 Traffic R. DuFresne (Oct 14)
- Re: RE: Help w/ Port 137 Traffic Luca Berra (Oct 14)
- RE: RE: Help w/ Port 137 Traffic Bill Royds (Oct 14)
- Re: RE: Help w/ Port 137 Traffic Mikael Olsson (Oct 14)
- Re: RE: Help w/ Port 137 Traffic Richard Sharpe (Oct 14)
- Re: RE: Help w/ Port 137 Traffic Mikael Olsson (Oct 14)
- Re: RE: Help w/ Port 137 Traffic Richard Sharpe (Oct 14)
- Re: RE: Help w/ Port 137 Traffic R. DuFresne (Oct 14)