Good Deal.  <Paranoid mode off>  I was wondering why I could not traceroute
back to that machine.  A private network would explain it.  I guess they
could have rewritten the packet.  ???

Out of curiosity... Why does xinetd have to restart for a request?

-----Original Message-----
From: Gordon Rowell [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 04, 2001 10:32 AM
To: Daniel C. Slagle
Cc: [EMAIL PROTECTED]
Subject: Re: [e-smith-devinfo] NetBios / Firewall Issues (RC2)


On Sun, Feb 04, 2001 at 07:32:41AM -0500, "Daniel C. Slagle"
<[EMAIL PROTECTED]> wrote:
> I have not changed anything in the smb.conf and have made sure that 'bind
> interfaces only' is set to 'yes'.  (I figured it was)  The "firewall" is in
> its default setup also.

All of the logs below look good to me - the packet filter is blocking
things you don't want :-)

> Snippets from log
> --
> Feb  4 06:44:00 pluto kernel: Packet log: denylog DENY eth1 PROTO=17
> 63.121.32.216:137 63.237.78.36:137 L=78 S=0x00 I=6308 F=0x0000 T=114 (#1)
> --
> Feb  3 18:21:11 danslagle kernel: Packet log: denylog DENY eth1 PROTO=17
> 172.16.0.15:137 63.248.85.245:137 L=78 S=0x00 I=41324 F=0x0000 T=116 (#1)

Random netbios junk on the Internet. We should probably have a fragment to
silently ignore this. The second one is interesting - it's from an RFC1918
address...

> Others
> --
> Feb  3 20:27:30 danslagle kernel: Packet log: denylog DENY eth1 PROTO=6
> 64.56.207.76:4124 63.248.85.245:111 L=60 S=0x00 I=38743 F=0x4000 T=53 SYN
> (#1)

Scan for RPC portmapper.

> Feb  2 21:30:10 danslagle kernel: Packet log: denylog DENY eth1 PROTO=6
> 63.228.91.89:3771 63.248.85.245:515 L=60 S=0x00 I=18390 F=0x4000 T=50 SYN
> (#1)

Scan for printer service.

> Feb  2 17:48:35 danslagle kernel: Packet log: denylog DENY eth1 PROTO=6
> 209.98.64.151:15372 63.248.85.245:111 L=60 S=0x00 I=11051 F=0x4000 T=50 SYN
> (#1)

And again for the portmapper.

> Could someone explain this one?
> Feb  3 08:51:18 danslagle xinetd[541]: START: auth pid=1960
> from=208.31.42.77

Probably an auth request from a site to which you sent mail.

Gordon
--
  Gordon Rowell                         [EMAIL PROTECTED]
  http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
  Phone: +1 (613) 564 8000 ext. 4378    Fax: +1 (613) 564 7739
  e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

