From: Sebastian.Schaper@urz.uni-heidelberg.de
Date: Fri Jan 14 2000 - 00:38:10 PST
Sender: sschaper@ix.urz.uni-heidelberg.de
Subject: Re: [pmfirewall] Log entries?
Dear Jonathen,
Zitiere \"Johnathen K. Lieber\" <jlieber@san.rr.com>:
> My logs are filling up with the following entry:
>
> Packet log: input DENY eth0 PROTO=17 24.25.216.233:137 24.25.216.255:137
> L=78 S=0x00 I=6743 F=0x0000 T=128 (#26)
This looks like a netbios package. Netbios is used (among others) by Windows
networks or by the samba package. Are you using any of these? These packets are
usually the result of some host broadcasting something like \"Hi folks, anybody
out there? This is me and I am a windows host and I have the following shares
to offer...\". Apparently (I don\'t know what those IPs stand for, so I may be
wrong), some host is trying to send these packages from your LAN to the Internet
or the other way around. Since there is usually no good reason to share windows
drives over the Internet (it is a very insecure protocol and I assume you don\'t
want anybody to be able to eavesrop on your \"conversation\", catch the passwords
and read/write your disks), pmfirewall blocks these packages.
The logging may be annoying, but rather than try to stop the logs, you should
identify who is sending the packets. Because if you only stop the logging, the
firewall still has to handle the packages and deny them (costing performance),
only that you don\'t notice anymore.
If you have samba, it can help to tell it to bind to the LAN interface only (see
the docs for details), and not the Internet interface. It may also be one of the
windows clients in your lan that is generating this noise. This can be difficult
to stop, but I have made the experience that it helps if all the hosts in the
LAN are listed in the lmhosts file in the Windows directory.
If the IP sending the package is from the outside world, it\'s not your fault.
Somebody with a broken configuration is announcing his windows shares or trying
to connect to another windows host over the Internet.
Before you try anything else, did you set up your internal/external interfaces
in pmfirewall-setup correctly? If eth0 is your internal LAN interface, something
is wrong. Those netbios packets should not be blocked if they are internal.
Good luck hunting!
Sebastian
****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
* in the message body to majordomo@pointman.org. Please direct other
* questions, comments, or problems to pmfirewall-owner@pointman.org.
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:33:40 PDT