On Sat, 17 Nov 2001, jennyw wrote:

> My interpretation is that several computers, all within the 171.66.x.x
> subnet are attempting access to my computer. But this seems rather odd
> ... could it be that I've configured something wrong and it's not
> really coming from these other folks?  Then again, this is at
> Stanford, and I suppose it's possible that someone has gotten control
> of some points within the Stanford network and are launching something
> against me ... but there's a part of me that says that I'm just being
> paranoid.

heh .. paranoia .. always happens when you start watching networks.

> Nov 17 06:46:01 towanda kernel: Packet log: input DENY eth0 PROTO=17
> 171.66.152.100:137 171.66.255.255:137 L=78 S=0x00 I=15071 F=0x0000
> T=128 (#53)

137/UDP to 137 UDP is windows networking. let's break this log message
down:

> Nov 17 06:46:01

timestamp

> towanda

your hostname (or, more accurately, the hostname or address of the system
that sent this message to the log. if you were running a syslog server you
would see the source address here)

> kernel:

the source subsystem (in this case the kernel)

> Packet log:

source's first field (in this case ipchains uses a decent id field for
you)

> input

the direction (with respect to the ruleset and your host)

> DENY

decision (reject, deny, allow, log, etc ...)

> eth0

interface rule was applied on

> PROTO=17

IP protocol

> 171.66.152.100:137

source address:port

> 171.66.255.255:137

destination address:port (in this case a /16 broadcast address)

> L=78

packet length

> S=0x00

IP type of service (TOS) flags

> I=15071

IP id

> F=0x0000

flags (UDP doesn't use flags)

> T=128

TTL (time to live)

> (#53)

rule which applied here.


in a nutshell you're right to look, but you can safely discard these.
windows hosts resort to broadcasts to find out who is on the network and
participating. you're right to block broadcast packets (if you use SAMBA
for windows networking use the local WINS servers). campus networks are
littered with this. ipchains needs a more clear logging mechanism, or at
least better docs on it for people new to it.

hope that helps,

____________________________
jose nazario                                                 [EMAIL PROTECTED]
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
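A parser for the ipchains "Packet log:" format the reply breaks down field by field, with the "safe to discard" judgement (UDP to port 137 at the /16 broadcast address, from a host on that network) coded as a triage filter; this is an added example, not code from the thread. It assumes the local network is 171.66.0.0/16 and that ipchains appends " SYN" before the rule number on TCP SYN packets; the second sample line is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Field layout of an ipchains "Packet log:" line, in the order the post walks through it.
# The optional " SYN" before the rule number is an assumption about TCP SYN packets.
IPCHAINS_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)", re.I)

NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name service and datagram service

def parse_ipchains(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        d[k] = int(d[k])
    d["tos"], d["frag"] = int(d["tos"], 16), int(d["frag"], 16)
    d["syn"] = d["syn"] is not None
    return d

def is_netbios_broadcast(entry, local_net):
    """True for UDP NetBIOS chatter from a host on local_net to that net's broadcast address."""
    net = ip_network(local_net)
    return (entry["proto"] == 17 and entry["dport"] in NETBIOS_UDP_PORTS
            and ip_address(entry["dst"]) == net.broadcast_address
            and ip_address(entry["src"]) in net)

def triage(lines, local_net="171.66.0.0/16"):
    """Split parsed entries into (broadcast noise, entries still worth a look)."""
    noise, review = [], []
    for e in filter(None, map(parse_ipchains, lines)):
        (noise if is_netbios_broadcast(e, local_net) else review).append(e)
    return noise, review

# Sample input: the line from the post (re-joined onto one line) plus one constructed
# unicast TCP SYN to port 22, which the filter must NOT write off as broadcast noise.
SAMPLE_LOG = [
    "Nov 17 06:46:01 towanda kernel: Packet log: input DENY eth0 PROTO=17 "
    "171.66.152.100:137 171.66.255.255:137 L=78 S=0x00 I=15071 F=0x0000 T=128 (#53)",
    "Nov 17 06:47:13 towanda kernel: Packet log: input DENY eth0 PROTO=6 "
    "171.66.12.34:3456 171.66.152.7:22 L=60 S=0x00 I=20111 F=0x4000 T=64 SYN (#53)",
]
```

Running `triage(SAMPLE_LOG)` puts the post's line in the noise bucket and keeps the constructed SYN to port 22 for review.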
