Date: Wed, 03 Nov 1999 09:32:57 -0800
From: "Ronald F. Guilmette" <rfg@monkeys.com>
To: Jerry Bell <jerry@wally.bellnetworks.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw and firewall questions - getting some strange packets
Message-ID: <10945.941650377@segfault.monkeys.com>
In-Reply-To: Your message of Wed, 03 Nov 1999 07:34:00 -0500. <Pine.BSF.4.10.9911030729260.76552-100000@wally.bellnetworks.net>

In message <Pine.BSF.4.10.9911030729260.76552-100000@wally.bellnetworks.net>, you wrote:

>For the most part, you are right. This is MS induced. Ports 137-139 are
>the netbios RPC ports (TCP and UDP). Anyone going to a web site of your
>running IE will most likely try to also make a RPC connection.

Stupid non-FreeBSD-related question: Why? What does IE hope to obtain from my port 137 that it can't get from my port 80?

>You can safely discard them without logging.

I shall do so forthwith.

>I would log failed attempts at other
>ports, to show you when you are being scanned/attacked.

I assure you that I _am_ doing THAT.

>Fragments are somewhat normal, but since there are some attacks based on
>them, it may be best to block them and see if anyone complains. (Also,
>look at what ports are being dropped, and from who they are originating.)

I _did_ do that, and that is a part of what made me ask the question. Some of the TCP packet fragments seemed to be coming from an unimpeachable source... a machine belonging to country NIC of India.

As regards to the port numbers... well.. this seems to be a small flaw in the logging aspect of the FreeBSD kernel firewall code... When reporting rejected packet fragments, it ONLY logs the source and destination IP addresses, and doesn't bother to mention either the source port or the destination port. (I'll file a PR on that right now.)
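
Added example, not part of the original message and not FreeBSD code: the fragment-logging point above depends on what an IPv4 fragment actually carries. This sketch parses the IPv4 header, flags fragments, and reads TCP/UDP ports only from the fragment at offset 0, where the transport header sits; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout

def classify_ipv4(packet: bytes) -> dict:
    """Report fragment status and, where the bytes exist, the L4 ports."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _len, _ident, flags_off,
     _ttl, proto, _cksum, src, dst) = struct.unpack(IP_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    more_fragments = bool(flags_off & 0x2000)   # MF flag
    offset = (flags_off & 0x1FFF) * 8           # offset field is in 8-byte units
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "fragment": more_fragments or offset > 0,
        "offset": offset,
        "sport": None,
        "dport": None,
    }
    payload = packet[ihl:]
    # TCP (6) and UDP (17) both begin with 16-bit source and destination ports,
    # but only the fragment with offset 0 contains that header.
    if proto in (6, 17) and offset == 0 and len(payload) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info

def build(proto: int, flags_off: int, payload: bytes) -> bytes:
    """Build a constructed sample packet (documentation addresses, no checksum)."""
    header = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 1, flags_off,
                         64, proto, 0, bytes([192, 0, 2, 1]),
                         bytes([198, 51, 100, 2]))
    return header + payload

# Constructed samples: first fragment (MF set, offset 0), a later fragment
# (offset 3 * 8 = 24), and an unfragmented UDP datagram to port 137.
FIRST = build(6, 0x2000, struct.pack("!HH", 40000, 80) + b"\x00" * 20)
LATER = build(6, 0x0003, b"A" * 16)
WHOLE = build(17, 0x0000, struct.pack("!HH", 137, 137) + b"\x00" * 4)

if __name__ == "__main__":
    for name, pkt in (("first", FIRST), ("later", LATER), ("whole", WHOLE)):
        print(name, classify_ipv4(pkt))
```

A log line built from this result can always include addresses and the fragment offset, while ports are filled in only for unfragmented packets and first fragments.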