Peter Bolmehag wrote:
> I'm still surprised about what I find in one of the firewalls we've set up:
>
> Aug 12 07:39:12 lf-gw kernel: Packet log: bad-good DENY eth1 PROTO=17 62.20.185.176:137 194.17.250.1:137 L=78 S=0x00 I=30297 F=0x0000 T=120
>
> Aug 13 05:18:14 lf-gw kernel: Packet log: bad-good DENY eth1 PROTO=17 192.168.250.1:137 194.17.250.1:137 L=78 S=0x00 I=54326 F=0x0000 T=117
>
> I find this difficult to understand. The source addresses are weird and
> the port numbers too. Isn't port 137 some netbios stuff?

Port 137 is netbios-ns, one of the ways which SMB clients use to
perform name-to-address translation.

However, normally these packets are broadcast. A host would normally
use a WINS server or an lmhosts file for hosts which aren't on the
same LAN as itself.

This could be suspicious. OTOH, it might just be the usual
Windows-networking-sucks weirdness. I do recall reading something
about Windows boxes attempting to do netbios-ns lookups on hosts that
they find themselves talking to.

Personally, I consider the purpose of a firewall to be not just for
protection against hackers, but also for protection against
benign-but-clueless users running low quality software (application or
system) written by equally clueless (or sometimes even downright
malicious) developers.

--
Glynn Clements <[EMAIL PROTECTED]>
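
The log entries discussed in this thread can be parsed and triaged mechanically. The following is an added example, not part of the original message; the function and tag names are made up for illustration, and the field layout is assumed from the two quoted "Packet log:" lines.

```python
import ipaddress
import re

# Field layout assumed from the two "Packet log:" lines quoted in the message.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UDP, NETBIOS_NS = 17, 137

# The two entries from the quoted message, each on a single line.
SAMPLE = [
    "Aug 12 07:39:12 lf-gw kernel: Packet log: bad-good DENY eth1 PROTO=17 "
    "62.20.185.176:137 194.17.250.1:137 L=78 S=0x00 I=30297 F=0x0000 T=120",
    "Aug 13 05:18:14 lf-gw kernel: Packet log: bad-good DENY eth1 PROTO=17 "
    "192.168.250.1:137 194.17.250.1:137 L=78 S=0x00 I=54326 F=0x0000 T=117",
]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_packet_log(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec

def triage(rec):
    """Tag what a reviewer would want to look at in a parsed record."""
    tags = []
    if rec["proto"] == UDP and rec["dport"] == NETBIOS_NS:
        tags.append("netbios-ns")
    # RFC 1918 addresses are not routed on the public Internet, so a private
    # source paired with a public destination deserves a closer look.
    if is_rfc1918(rec["src"]) and not is_rfc1918(rec["dst"]):
        tags.append("private-source")
    return tags
```

Running `triage(parse_packet_log(line))` over each entry in `SAMPLE` tags both as netbios-ns traffic and only the second as having a private source address.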