From: "Ronald F. Guilmette"
To: Jerry Bell
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw and firewall questions - getting some strange packets
In-reply-to: Your message of Wed, 03 Nov 1999 07:34:00 -0500.
Date: Wed, 03 Nov 1999 09:32:57 -0800
Message-ID: <10945.941650377@segfault.monkeys.com>

In message , you wrote:

>For the most part, you are right. This is MS induced. Ports 137-139 are
>the netbios RPC ports (TCP and UDP). Anyone going to a web site of your
>running IE will most likely try to also make a RPC connection.

Stupid non-FreeBSD-related question: Why? What does IE hope to obtain
from my port 137 that it can't get from my port 80?

>You can safely discard them without logging.

I shall do so forthwith.

>I would log failed attempts at other
>ports, to show you when you are being scanned/attacked.

I assure you that I _am_ doing THAT.

>Fragments are somewhat normal, but since there are some attacks based on
>them, it may be best to block them and see if anyone complains. (Also,
>look at what ports are being dropped, and from who they are originating.)

I _did_ do that, and that is a part of what made me ask the question.
Some of the TCP packet fragments seemed to be coming from an unimpeachable
source... a machine belonging to country NIC of India.

As regards to the port numbers... well.. this seems to be a small flaw in
the logging aspect of the FreeBSD kernel firewall code...

When reporting rejected packet fragments, it ONLY logs the source and
destination IP addresses, and doesn't bother to mention either the source
port or the destination port. (I'll file a PR on that right now.)
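
As an added illustration of the logging point in the message above (not code from the original post or from the FreeBSD ipfw source): a TCP or UDP header, and with it the port numbers, travels only in the fragment at offset 0, so a log routine can print ports for that fragment alone. The function `describe_packet` and both sample packets are hypothetical and constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample packets (documentation addresses, checksums left zero). */
static const uint8_t first_frag[] = {   /* MF set, offset 0: TCP header present */
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x20,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,10, 198,51,100,20, 0x04,0x01,0x00,0x50, 0,0,0,1 };
static const uint8_t later_frag[] = {   /* offset 8 bytes: payload only */
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x00,0x01, 0x40,0x06,0x00,0x00,
    192,0,2,10, 198,51,100,20, 0xde,0xad,0xbe,0xef, 0,0,0,0 };

/* Hypothetical helper: writes a log line for a raw IPv4 packet.
 * Returns 1 if ports were logged, 0 if not, -1 if the header is malformed. */
int describe_packet(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;            /* header length in bytes */
    if (ihl < 20 || ihl > len) return -1;
    unsigned off_field = ((unsigned)p[6] << 8) | p[7];
    unsigned frag_off = (off_field & 0x1fff) * 8;      /* offset in bytes */
    int more = (off_field & 0x2000) != 0;              /* MF flag */
    unsigned proto = p[9];
    /* TCP and UDP begin with 16-bit source and destination ports; that
     * header travels only in the fragment at offset 0. */
    int has_ports = (proto == 6 || proto == 17) && frag_off == 0 && len >= ihl + 4;
    char sport[16] = "", dport[16] = "", frag[32] = "";
    if (has_ports) {
        snprintf(sport, sizeof sport, ":%u", ((unsigned)p[ihl] << 8) | p[ihl + 1]);
        snprintf(dport, sizeof dport, ":%u", ((unsigned)p[ihl + 2] << 8) | p[ihl + 3]);
    }
    if (more || frag_off != 0)
        snprintf(frag, sizeof frag, " frag off=%u%s", frag_off, more ? " MF" : "");
    snprintf(out, outlen, "%s %u.%u.%u.%u%s -> %u.%u.%u.%u%s%s",
             proto == 6 ? "TCP" : proto == 17 ? "UDP" : "IP",
             p[12], p[13], p[14], p[15], sport, p[16], p[17], p[18], p[19], dport, frag);
    return has_ports;
}

int main(void)
{
    char line[96];
    describe_packet(first_frag, sizeof first_frag, line, sizeof line);
    puts(line);
    describe_packet(later_frag, sizeof later_frag, line, sizeof line);
    puts(line);
    return 0;
}
```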