Re: [fw-wiz] RE: Help w/ Port 137 Traffic

From: R. DuFresne (dufresneat_private)
Date: Mon Oct 14 2002 - 11:13:24 PDT

    On Mon, 14 Oct 2002, Luca Berra wrote:
    
    > On Sun, Oct 13, 2002 at 02:40:59PM -0400, R. DuFresne wrote:
    > >
    > >
    > >depending upon the kind of Windows OSes behind your firewall, you might
    > >wish to add 135-139, tcp and udp, as well as 445, and 1433,1434.  Of course
    > 
    > if you really want to block outgoing traffic from workstation put a
    > proxy in the middle....
    > 
    > 
    > >> I have to add one clarification to the scenario and apologize for not
    > >> including this up front:  could running Samba (as a master browser/file
    > >> server - not domain controller) be the source of the problem?  Are there
    > >> some outbound ports I should be blocking when (I assume) Samba announces
    > >> itself periodically as the master browser?
    > samba announces itself periodically on the broadcast address of all
    > connected interfaces and to addresses specified with the 'remote
    > announce' smb.conf parameter.
    > I don't believe samba uses netbios-ns lookups to resolve remote hosts
    > connecting, but anyway no one should be connecting to your samba server
    > from outside.
    > 
    > as a last note i am also getting many probes on port 137 and 139, but
    > they seem unrelated, i might try answering to netbios-ns lookups and see
    > what happens, if i find a smaller beast than samba to use, that is.
    
    I'm seeing broken systems like this one that has been pounding my systems
    for months now:
    
    Oct 14 03:07:19 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=11520 F=0x0000 T=109
    Oct 14 03:07:19 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=11520 F=0x0000 T=109
    Oct 14 03:07:20 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=12800 F=0x0000 T=109
    Oct 14 03:07:20 darkstar kernel: IP acct in ppp0 UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=12800 F=0x0000 T=109
    
    One might be able to build the toy you are thinking of, Luca, with libnet
    and/or netcat.
    
    Thanks,
    
    Ron DuFresne
    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
    
    



    This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 11:36:27 PDT
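
Added example (not part of the original message or the list archive): a Python sketch that parses kernel log lines in the layout quoted in the message, keeps only hits on the Windows ports named in the thread, and groups them per source address. It assumes that lines identical in timestamp, endpoints and IP id are one packet logged twice; the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Windows-related ports named in the thread: 135-139, 445, 1433, 1434.
WINDOWS_PORTS = set(range(135, 140)) | {445, 1433, 1434}

# Matches the "IP <label> in <iface> PROTO src:port dst:port L=.. S=.. I=.." layout.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: IP \S+ in (?P<iface>\S+) "
                     r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) \S+ I=(?P<ipid>\d+)")

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "ipid"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Group hits on WINDOWS_PORTS by source, counting repeated log lines separately."""
    seen = set()
    stats = defaultdict(lambda: {"packets": 0, "duplicates": 0, "ports": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dport"] not in WINDOWS_PORTS:
            continue
        # Assumption: same timestamp, endpoints and IP id means one packet logged twice.
        key = tuple(rec[k] for k in ("ts", "proto", "src", "sport", "dst", "dport", "ipid"))
        entry = stats[rec["src"]]
        if key in seen:
            entry["duplicates"] += 1
            continue
        seen.add(key)
        entry["packets"] += 1
        entry["ports"].add((rec["proto"], rec["dport"]))
    return dict(stats)

PREFIX = "Oct 14 03:07:%s darkstar kernel: IP acct in ppp0 "
PROBE = "UDP 211.45.7.254:62 209.170.142.145:138 L=249 S=0x00 I=%d F=0x0000 T=109"
SAMPLE = [  # first four lines are from the message, rejoined; the last two are constructed
    PREFIX % "19" + PROBE % 11520, PREFIX % "19" + PROBE % 11520,
    PREFIX % "20" + PROBE % 12800, PREFIX % "20" + PROBE % 12800,
    PREFIX % "21" + "TCP 192.0.2.10:40000 209.170.142.145:80 L=60 S=0x00 I=100 F=0x4000 T=50",
    PREFIX % "22" + "TCP 192.0.2.11:1045 209.170.142.145:445 L=48 S=0x00 I=7 F=0x4000 T=110",
]

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE).items():
        print(src, entry["packets"], entry["duplicates"], sorted(entry["ports"]))
```

On the sample, the four quoted lines collapse to two distinct packets from one source to UDP 138, and the constructed port 80 line is ignored.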