From owner-freebsd-questions Wed Nov 3 1:41:47 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from monkeys.com (i180.value.net [206.14.136.180])
    by hub.freebsd.org (Postfix) with ESMTP id 0527A14E66
    for ; Wed, 3 Nov 1999 01:41:42 -0800 (PST)
    (envelope-from rfg@monkeys.com)
Received: from segfault.monkeys.com (localhost [127.0.0.1])
    by monkeys.com (8.9.3/8.9.3) with ESMTP id BAA10195
    for ; Wed, 3 Nov 1999 01:41:38 -0800 (PST)
To: freebsd-questions@freebsd.org
Subject: ipfw and firewall questions - getting some strange packets
Date: Wed, 03 Nov 1999 01:41:38 -0800
Message-ID: <10193.941622098@segfault.monkeys.com>
From: "Ronald F. Guilmette"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I recently configured and installed a fresh FreeBSD 3.3 kernel (with the
firewalling stuff enabled) on one system I own, and I've been slowly tuning
my firewall rule set for this box so that I won't be getting lots and lots
of log messages about unimportant and/or unsuspicious events.

I started from the "simple" firewall rule set in the /etc/rc.firewall file,
but I've made a number of adjustments for stuff that I know is coming from
trusted outside hosts.

Still, I'm getting a fair number of log messages about denied packets...
perhaps 100 a day. Most of these seem to fall into two categories:

1) TCP Packets that are marked as `fragments'.

2) UDP Packets coming from all sorts of different hosts and that are
   directed to my port 137.

Should I be concerned about either of these categories of strange stuff?
Or should I be allowing them thru the firewall? Or should I perhaps just
be silently discarding them without making syslog entries for them?

If these things are entirely benign, then I'll just open holes in the
firewall for them. But I don't even understand what they are.

Is it OK to allow TCP packet `fragments' thru?

What exactly is the `netbios-ns' service (UDP & TCP port 137), and why are
so many people trying to query mine, even though I don't have one, and have
never had one (at least as far as I know)? Are these queries signs of
nefarious and/or unsavory activities on the part of the senders? Or is
this just one more symptom of Microsoft-induced brain damage?