What I am seeing is inbound nbname connections to IP addresses all over my CIDR block.
Not to addresses that would have ever been resolved by external DNS, etc.
 
I would think this would indicate malicious intent.
----- Original Message -----
Sent: Wednesday, May 02, 2001 4:13 PM
Subject: Re: lots of port 137 in deny log


Because Microsoft implements NETBIOS over TCP by default and most people don't know effort to turn it off.  Consequently, you have all kinds of systems trying to find out about the "Network Neighborhood" they are attached to.

-- Bill Stackpole, CISSP




Dave Vogler <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/02/01 10:49 AM

To: firewall discussion list <[EMAIL PROTECTED]>
cc:
Subject: lots of port 137 in deny log



Hi all,

With all of your help, I've managed to implement a basic internet
firewall on my Cisco router via ACL.  I'm logging my denied packets, and
I notice the most frequently denied packet is udp on port 137.  I
thought 137 was part of netbios - why are there so many of these?  They
appear to have been bound for Macs as well as NTs inside the LAN.  About
4-5 an hour for a LAN of 25 computers.

Thanks,

Dave
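
Added example, not part of the original thread: one way to tell the two readings in this thread apart from the deny log itself is to group UDP/137 denies by source and count how many distinct inside addresses each source touched. It assumes the Cisco IOS `%SEC-6-IPACCESSLOGP` line format produced by ACL entries with the `log` keyword; the sample lines, ACL number, addresses (documentation ranges) and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample deny-log lines; not taken from the thread.
SAMPLE_LOG = """\
May  2 10:01:12 rtr 45: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(137) -> 192.0.2.10(137), 1 packet
May  2 10:01:13 rtr 46: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(137) -> 192.0.2.11(137), 1 packet
May  2 10:01:13 rtr 47: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(137) -> 192.0.2.12(137), 1 packet
May  2 10:01:14 rtr 48: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(137) -> 192.0.2.13(137), 1 packet
May  2 10:20:40 rtr 49: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.20(1027) -> 192.0.2.25(137), 1 packet
May  2 10:25:41 rtr 50: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.20(1027) -> 192.0.2.25(137), 4 packets
May  2 10:30:02 rtr 51: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.99(4021) -> 192.0.2.10(80), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def nbns_sources(log_text):
    """Map each source IP to the set of inside addresses it sent UDP/137 to."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only denied NetBIOS name service traffic is of interest here.
        if m and m["proto"] == "udp" and m["dport"] == "137":
            targets[m["src"]].add(m["dst"])
    return targets

def classify(log_text, sweep_threshold=3):
    """Label a source 'sweep' when it hit at least sweep_threshold distinct
    inside addresses (assumed cutoff), otherwise 'stray'."""
    return {
        src: ("sweep" if len(dsts) >= sweep_threshold else "stray")
        for src, dsts in nbns_sources(log_text).items()
    }

if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {label:5} {len(nbns_sources(SAMPLE_LOG)[src])} distinct targets")
```

A source that walks many addresses in the block, including unused ones, matches the pattern described in the top message; a source that repeatedly hits one host is more consistent with stray name lookups.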


