RE: [fw-wiz] RE: Help w/ Port 137 Traffic

• Previous message: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• In reply to: Mike McCandless: "[fw-wiz] RE: Help w/ Port 137 Traffic"
• Next in thread: Frank Knobbe: "RE: [fw-wiz] RE: Help w/ Port 137 Traffic"
• Next in thread: R. DuFresne: "Re: [fw-wiz] RE: Help w/ Port 137 Traffic"
• Reply: Frank Knobbe: "RE: [fw-wiz] RE: Help w/ Port 137 Traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Thanks for all the replies.  The change I believe I will make 
> in my firewall rules is to explicitly block inbound 137-139 
> traffic.  My default iptables policy is to deny, and these 
> are not ports I have opened up, so....they should be being 
> blocked, but an extra rule to catch this up front won't hurt.

I tend to build firewall rulebases that does the following (don't know
if this is common practice/knowledge out there):

1) Accept rules for traffic to the firewall device itself go first (such
as ssh, fw-gui).
2) Explicit drop for all other traffic to the firewall device.
3) General accept rules (ordered by system - high volume stuff first).
4) Silent drop of some stuff that just fills up the logs and add litte
value, such as udp/137. Drop certain internal ip's that scans the
internal network all the time. And so on.
5) Drop and log everything else.

In general you don't want to use block/reject, since it sends out a TCP
RST (for TCP) or ICMP port unreach for UDP. An example where you would
you block/reject is to avoid timeouts for valid traffic such as identd.

> I have to add one clarification to the scenario and apologize 
> for not including this up front:  could running Samba (as a 
> master browser/file server - not domain controller) be the 
> source of the problem?  Are there some outbound ports I 
> should be blocking when (I assume) Samba announces itself 
> periodically as the master browser?

You should block ALL outbound (and inbound) traffic that isn't
explicitly needed for your system to function.

Stefan

> -----Original Message-----
> From: firewall-wizards-adminat_private 
> [mailto:firewall-wizards-adminat_private] On Behalf 
> Of Mike McCandless
> Sent: Sunday, October 13, 2002 4:13 PM
> To: firewall-wizardsat_private
> Subject: [fw-wiz] RE: Help w/ Port 137 Traffic
> 
> 
> Thanks for all the replies.  The change I believe I will make 
> in my firewall rules is to explicitly block inbound 137-139 
> traffic.  My default iptables policy is to deny, and these 
> are not ports I have opened up, so....they should be being 
> blocked, but an extra rule to catch this up front won't hurt.
> 
> I have to add one clarification to the scenario and apologize 
> for not including this up front:  could running Samba (as a 
> master browser/file server - not domain controller) be the 
> source of the problem?  Are there some outbound ports I 
> should be blocking when (I assume) Samba announces itself 
> periodically as the master browser?
> 
> 
> --------------------------------------------------------
> Mike McCandless
> michaelat_private
> 
> _______________________________________________
> firewall-wizards mailing list firewall-wizardsat_private
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> 


_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Next message: R. DuFresne: "Re: [fw-wiz] RE: Help w/ Port 137 Traffic"
• Previous message: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• In reply to: Mike McCandless: "[fw-wiz] RE: Help w/ Port 137 Traffic"
• Next in thread: Frank Knobbe: "RE: [fw-wiz] RE: Help w/ Port 137 Traffic"
• Next in thread: R. DuFresne: "Re: [fw-wiz] RE: Help w/ Port 137 Traffic"
• Reply: Frank Knobbe: "RE: [fw-wiz] RE: Help w/ Port 137 Traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 16:30:27 PDT