From owner-freebsd-questions Wed Nov 3 13:30:27 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 32CC0150EE for ; Wed, 3 Nov 1999 13:29:52 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from hades.hell.gr (patr364-a118.otenet.gr [195.167.112.214]) by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id XAA08127 for ; Wed, 3 Nov 1999 23:28:40 +0200 (EET)
Received: (qmail 1273 invoked by uid 1001); 3 Nov 1999 19:18:27 -0000
To: freebsd-questions@freebsd.org
Subject: Re: ipfw and firewall questions - getting some strange packets
References: <10193.941622098@segfault.monkeys.com>
From: Giorgos Keramidas
Date: 03 Nov 1999 21:18:26 +0200
In-Reply-To: "Ronald F. Guilmette"'s message of "Wed, 03 Nov 1999 01:41:38 -0800"
Message-ID: <861za78jul.fsf@localhost.hell.gr>
Lines: 65
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Ronald F. Guilmette" writes:

> I recently configured and installed a fresh FreeBSD 3.3 kernel (with
> the firewalling stuff enabled) on one system I own, and I've been
> slowly tuning my firewall rule set for this box so that I won't
> be getting lots and lots of log messages about unimportant and/or
> unsuspicious events.
>
> I started from the "simple" firewall rule set in the /etc/rc.firewall
> file, but I've made a number of adjustments for stuff that I know
> is coming from trusted outside hosts.
>
> Still, I'm getting a fair number of log messages about denied packets...
> perhaps 100 a day.
>
> Most of these seem to fall into two categories:
>
> 1) TCP Packets that are marked as `fragments'.

There are many little ways in which fragments can get "evil". For more
details, take a look at Kent, C. A. & Mogul, J. C. "Fragmentation
Considered Harmful." Computer Communication Review, vol. 17, no. 5,
pp. 390-401 (Apr. 1987).

It is safe enough to drop all fragments for some time, and see if anyone
complains.

> 2) UDP Packets coming from all sorts of different hosts and that are
> directed to my port 137.

Ports 137, 138 & 139 are used by Microsoft's NetBios services. You are
probably being scanned by someone looking for hosts that are running
Windows, in their effort to find some easily exploitable Win' host.

> Should I be concerned about either of these categories of strange
> stuff? Or should I be allowing them through the firewall? Or should I
> perhaps just be silently discarding them without making syslog entries
> for them?

You are certainly better off just discarding them, since NetBios is used
in Windows networks for sharing filesystems and printers, and you're not
really interested in exporting your filesystems (or printers, for that
matter) to someone "outside" your firewall.

Logging is not necessary, unless you are interested in knowing that
you're being scanned. Of course, after a while, it can get boring to see
all those denied packets on your console; so it's your choice whether
you will log these denied packets.

> What exactly is the `netbios-ns' service (UDP & TCP port 137), and why are
> so many people trying to query mine, even though I don't have one, and
> have never had one (at least as far as I know)? Are these queries signs
> of nefarious and/or unsavory activities on the part of the senders?
> Or is this just one more symptom of Microsoft-induced brain damage?

Depends on your definition of 'brain damage.' Someone who is using his
dialup connection to scan hosts just for fun is certainly not very
balanced mental-wise, probably just too bored, probably without a life,
but brain damaged... oh, I don't know.

--
Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
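The reply above recommends discarding fragments and NetBIOS traffic and treats the log stream itself as the remaining nuisance: about 100 denied packets a day falling into two categories. Before turning logging off, a defender usually wants to confirm that the two categories really account for the noise and which sources are doing the scanning. The script below is an added example, not part of the original thread or of FreeBSD's own tooling. It classifies syslog lines in the shape of ipfw "Deny" messages into fragment, NetBIOS (UDP 137-139) and other, and counts the sources in each bucket. The log lines are constructed, and the exact ipfw log format (rule number, verdict, protocol, `src[:port] dst[:port] in|out via ifname`, with a trailing `Fragment = N` on non-first fragments) is an assumption about what the FreeBSD 3.x kernel emits; adjust the regex if your kernel prints something different.

```python
import re
from collections import Counter

# Constructed sample of syslog lines in the assumed ipfw "Deny" format.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Nov  3 21:10:01 hades /kernel: ipfw: 65000 Deny UDP 192.0.2.10:137 198.51.100.5:137 in via ed0
Nov  3 21:10:04 hades /kernel: ipfw: 65000 Deny UDP 192.0.2.10:137 198.51.100.5:137 in via ed0
Nov  3 21:11:17 hades /kernel: ipfw: 65000 Deny UDP 203.0.113.7:1032 198.51.100.5:137 in via ed0
Nov  3 21:12:40 hades /kernel: ipfw: 65000 Deny TCP 192.0.2.77 198.51.100.5 in via ed0 Fragment = 1
Nov  3 21:13:02 hades /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4455 198.51.100.5:23 in via ed0
Nov  3 21:13:30 hades /kernel: ipfw: 65000 Deny UDP 192.0.2.10:138 198.51.100.5:138 in via ed0
"""

# Assumed ipfw log layout. Ports are optional because a non-first fragment
# carries no transport header, so the kernel logs bare addresses plus a
# "Fragment = <offset>" suffix for it.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<verdict>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)(?P<frag> Fragment = \d+)?"
)

# The three NetBIOS ports named in the reply: name service, datagram, session.
NETBIOS_PORTS = {137, 138, 139}


def parse_line(line):
    """Return a dict of fields for an ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["fragment"] = rec.pop("frag") is not None
    return rec


def classify(rec):
    """Map a parsed record onto the two categories from the thread, or 'other'."""
    if rec["fragment"]:
        # Fragments are classified first: they carry no port, so a NetBIOS
        # fragment would otherwise be invisible to the port check below.
        return "fragment"
    if rec["proto"] == "UDP" and rec["dport"] in NETBIOS_PORTS:
        return "netbios"
    return "other"


def summarize(text):
    """Count denied packets per category and the source addresses behind each."""
    by_category = Counter()
    sources = {"fragment": Counter(), "netbios": Counter(), "other": Counter()}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "Deny":
            continue
        cat = classify(rec)
        by_category[cat] += 1
        sources[cat][rec["src"]] += 1
    return {"by_category": by_category, "sources": sources}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for cat, n in summary["by_category"].most_common():
        print(f"{cat:9s} {n:4d}  top sources: {summary['sources'][cat].most_common(3)}")
```

Run against a real `/var/log/messages` by reading the file instead of `SAMPLE_LOG`. If the fragment and NetBIOS buckets dominate and the "other" bucket is small, a separate deny rule without the `log` keyword for fragments and for UDP 137-139 will silence the bulk of the noise while the remaining denials, the ones worth a look, keep being logged.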