Date:      Wed, 3 Nov 1999 07:34:00 -0500 (EST)
From:      Jerry Bell <jerry@wally.bellnetworks.net>
To:        "Ronald F. Guilmette" <rfg@monkeys.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw and firewall questions - getting some strange packets
Message-ID:  <Pine.BSF.4.10.9911030729260.76552-100000@wally.bellnetworks.net>
In-Reply-To: <10193.941622098@segfault.monkeys.com>

For the most part, you are right.  This is MS induced.  Ports 137-139 are
the netbios RPC ports (TCP and UDP).  Anyone going to a web site of yours
running IE will most likely try to also make an RPC connection.  You can
safely discard them without logging.  I would log failed attempts at other
ports, to show you when you are being scanned/attacked.

Fragments are somewhat normal, but since there are some attacks based on
them, it may be best to block them and see if anyone complains.  (Also,
look at what ports are being dropped, and from whom they are originating.)

Jerry
http://www.bellnetworks.net/cs
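The advice above, written out as ipfw rules for the FreeBSD 3.x firewall the original poster describes. This is an added example, not part of Jerry's reply or of /etc/rc.firewall; the rule numbers and the outside interface name are assumptions, and the rules are meant to sit after the "simple" set's allow rules.

```shell
#!/bin/sh
# Added example (not from the original thread).  Assumes FreeBSD 3.x ipfw
# syntax; rule numbers are chosen here, not taken from rc.firewall.

# Print the rules for outside interface $1 without applying them, so they
# can be reviewed first.
firewall_rules() {
    oif=$1
    # 1) Non-first TCP/IP fragments: block AND log, so you can see whether
    #    anyone legitimate complains or whether they come from scanners.
    echo "add 1000 deny log ip from any to any frag in via $oif"
    # 2) NetBIOS (137-139, UDP and TCP): Windows clients probe every web
    #    server they talk to, so drop these silently to keep syslog useful.
    echo "add 1100 deny udp from any to any 137-139 in via $oif"
    echo "add 1200 deny tcp from any to any 137-139 in via $oif"
    # 3) Everything else that is refused is logged; a port scan shows up
    #    here as many different destination ports from one source.
    echo "add 65000 deny log ip from any to any in via $oif"
}

# Sanity check before loading: how many rules above will write to syslog.
logging_rule_count() {
    firewall_rules "$1" | grep -c ' deny log '
}

# Load the rules with the real ipfw binary (run as root on the firewall).
apply_firewall_rules() {
    firewall_rules "$1" | while read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw argument
        # shellcheck disable=SC2086
        ipfw $rule
    done
}
```

Review the output of `firewall_rules ed0` (substitute your outside interface) before calling `apply_firewall_rules`.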

On Wed, 3 Nov 1999, Ronald F. Guilmette wrote:

> 
> I recently configured and installed a fresh FreeBSD 3.3 kernel (with
> the firewalling stuff enabled) on one system I own, and I've been
> slowly tuning my firewall rule set for this box so that I won't
> be getting lots and lots of log messages about unimportant and/or
> unsuspicious events.
> 
> I started from the "simple" firewall rule set in the /etc/rc.firewall
> file, but I've made a number of adjustments for stuff that I know
> is coming from trusted outside hosts.
> 
> Still, I'm getting a fair number of log messages about denied packets...
> perhaps 100 a day.
> 
> Most of these seem to fall into two categories:
> 
> 1)  TCP Packets that are marked as `fragments'.
> 
> 2)  UDP Packets coming from all sorts of different hosts and that are
>     directed to my port 137.
> 
> Should I be concerned about either of these categories of strange stuff?
> Or should I be allowing them through the firewall?  Or should I perhaps just
> be silently discarding them without making syslog entries for them?
> 
> If these things are entirely benign, then I'll just open holes in the
> firewall for them.  But I don't even understand what they are.
> 
> Is it OK to allow TCP packet `fragments' thru?
> 
> What exactly is the `netbios-ns' service (UDP & TCP port 137), and why are
> so many people trying to query mine, even though I don't have one, and
> have never had one (at least as far as I know)?  Are these queries signs
> of nefarious and/or unsavory activities on the part of the senders?  Or
> is this just one more symptom of Microsoft-induced brain damage?
> 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
