> Thanks for all the replies. The change I believe I will make
> in my firewall rules is to explicitly block inbound 137-139
> traffic. My default iptables policy is to deny, and these
> are not ports I have opened up, so....they should be being
> blocked, but an extra rule to catch this up front won't hurt.

I tend to build firewall rulebases that do the following (don't know if this is common practice/knowledge out there):

1) Accept rules for traffic to the firewall device itself go first (such as ssh, fw-gui).
2) Explicit drop for all other traffic to the firewall device.
3) General accept rules (ordered by system - high volume stuff first).
4) Silent drop of some stuff that just fills up the logs and adds little value, such as udp/137. Drop certain internal IPs that scan the internal network all the time. And so on.
5) Drop and log everything else.

In general you don't want to use block/reject, since it sends out a TCP RST (for TCP) or ICMP port unreach for UDP. An example where you would use block/reject is to avoid timeouts for valid traffic such as identd.

> I have to add one clarification to the scenario and apologize
> for not including this up front: could running Samba (as a
> master browser/file server - not domain controller) be the
> source of the problem? Are there some outbound ports I
> should be blocking when (I assume) Samba announces itself
> periodically as the master browser?

You should block ALL outbound (and inbound) traffic that isn't explicitly needed for your system to function.

Stefan

> -----Original Message-----
> From: firewall-wizards-adminat_private
> [mailto:firewall-wizards-adminat_private] On Behalf
> Of Mike McCandless
> Sent: Sunday, October 13, 2002 4:13 PM
> To: firewall-wizardsat_private
> Subject: [fw-wiz] RE: Help w/ Port 137 Traffic
>
>
> Thanks for all the replies. The change I believe I will make
> in my firewall rules is to explicitly block inbound 137-139
> traffic. My default iptables policy is to deny, and these
> are not ports I have opened up, so....they should be being
> blocked, but an extra rule to catch this up front won't hurt.
>
> I have to add one clarification to the scenario and apologize
> for not including this up front: could running Samba (as a
> master browser/file server - not domain controller) be the
> source of the problem? Are there some outbound ports I
> should be blocking when (I assume) Samba announces itself
> periodically as the master browser?
>
>
> --------------------------------------------------------
> Mike McCandless
> michaelat_private
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizardsat_private
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
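As an added illustration (not Stefan's or Mike's own configuration, and not from the list archive) of the five-step rulebase layout Stefan describes, here is a POSIX shell script that emits an iptables-restore ruleset in that order: accept-to-firewall first, then an explicit drop for everything else aimed at the firewall, then general accepts with the high-volume rules first, then silent drops for NetBIOS noise and a chatty internal scanner, then a logged drop of everything else. The only REJECT is for identd, so that mail servers doing ident lookups get an immediate RST instead of waiting for a timeout. The interface names, network addresses and the scanner address are assumptions; the silent NetBIOS drop covers udp/137 (name service) and udp/138 (datagram service, which carries the master-browser announcements Mike asks about) as well as tcp/139.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset laid out in the order
# described in the post. Prints to stdout; check syntax without applying with:
#   sh rulebase.sh | iptables-restore --test
# All addresses and interface names below are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"                         # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                         # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"             # assumed internal network (RFC 1918)
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"         # assumed hosts allowed to ssh to the firewall
NOISY_SCANNER="${NOISY_SCANNER:-192.168.1.50}"   # assumed internal host that scans all day

build_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Connection tracking first, so the rules below only ever see new connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 1) Accept rules for traffic to the firewall itself (ssh from the admin net).
-A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The firewall's own outbound needs: DNS only (assumption).
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
# 2) Explicit drop for everything else aimed at the firewall (unlogged; this is
#    where Samba's broadcast announcements to the firewall's LAN address land).
-A INPUT -j DROP
# 3) General accept rules, high-volume first: LAN -> Internet web, DNS, mail.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 25 -m state --state NEW -j ACCEPT
# 4) Silent drops: NetBIOS noise in both directions, plus the chatty scanner.
-A FORWARD -p udp -m multiport --dports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --dports 137,138,139 -j DROP
-A FORWARD -s $NOISY_SCANNER -j DROP
# The one place a reject is preferable to a drop: identd, so remote mail
# servers doing ident lookups fail fast instead of waiting for a timeout.
-A FORWARD -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# 5) Drop and log everything else, rate-limited so a scan cannot flood syslog.
-A FORWARD -j LOGDROP
-A OUTPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Stand-alone use: print the ruleset.
build_rules
```

Because the ruleset is generated rather than typed rule by rule, the ordering Stefan relies on (accept-to-host before drop-to-host, silent drops before the logged catch-all) is fixed in the file and survives a reload; feeding it through iptables-restore --test first catches syntax errors before anything is applied.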
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 16:30:27 PDT