Firewall rejecting port 137 netbios-ns
Adam Olson
adamo at quaartz.com
Fri Jul 7 04:44:16 UTC 2000
If lsof can run on your host platform, possibly grab snapshots every X
minutes to catch the process.

Adam

On Thu, 6 Jul 2000, Bill Moseley wrote:
>
> At 11:07 AM 07/07/00 +1000, Mark.Andrews at nominum.com wrote:
> >
> > Port 137 is netbios-ns. This is Windows name resolution.
>
> Right, I kind of understood that. But any udp or tcp connections TO port
> 137 on my machine would (and do) get logged, and that's not happening. I'm
> only seeing the output packet logged -- no input packets are logged.
>
> I'm not running IIS. Some internally NAT'ed machines do run IE4, but it
> seems like the packets get logged at times when I'm not using IE4. So if
> bind isn't sending on UDP port 137 (which I doubt), and if the logged
> output packet is a response to some remote query, then I have a hole in my
> input firewall.
>
> In other words, the output log I'm seeing is either a response to a request
> that made it in past my firewall, or it's generated internally and I'm not
> clear how. And since the remote IP numbers listed in the packet log are
> often not running httpd, it seems likely that origin is external instead of
> internal to my system.
>
> Thanks,
>
>
> >>
> >> I'm not sure if this is bind related or not, and I can't seem to search for
> >> numbers in the list archive.
> >>
> >> I see the following in my firewall log every so often. But I don't see any
> >> corresponding "input" logs.
> >>
> >> Packet log: output REJECT eth1 PROTO=17
> >> 63.205.225.170:64961 165.87.156.173:137
> >> L=78 S=0x00 I=16956 F=0x0000 T=127 (#42)
> >>
> >> So either I'm allowing access to something by mistake, or some service I'm
> >> allowing access to is sending on UDP 137. Is something in bind sending out
> >> these packets?
> >>
> >> If it is bind, then what triggers it?
> >>
> >>
> >>
> >>
> >> Bill Moseley
> >> mailto:moseley at hank.org
> >>
> >>
> >--
> >Mark Andrews, Nominum Inc.
> >1 Seymour St., Dundas Valley, NSW 2117, Australia
> >PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
> >
> >
> >
>
> Bill Moseley
> mailto:moseley at hank.org
>
>
>
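
An added example (not part of the original thread): a Python parser for the ipchains-style packet log entry quoted above, which also estimates from the TTL how many hops the packet had already travelled before it was logged. The common initial TTL values and the 61000-65095 masquerade port range are assumptions about typical OS and Linux 2.2 defaults, and the function names are illustrative.

```python
import re

# ipchains "Packet log:" layout: chain target iface PROTO=n src:port dst:port
# L=length S=TOS I=IP-id F=fragment T=TTL (#rule)
LOG_RE = re.compile(
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<target>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<ip_id>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)\s+\(#(?P<rule>\d+)\)"
)
INT_FIELDS = ("proto", "sport", "dport", "length", "ip_id", "ttl", "rule")
COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # assumption: typical OS defaults
MASQ_PORTS = range(61000, 65096)           # assumption: Linux 2.2 masquerade range

# The entry quoted in the thread, with its line wrapping preserved.
SAMPLE = """Packet log: output REJECT eth1 PROTO=17
63.205.225.170:64961 165.87.156.173:137
L=78 S=0x00 I=16956 F=0x0000 T=127 (#42)"""


def parse_packet_log(text):
    """Parse one entry; whitespace is collapsed so wrapped entries still match."""
    m = LOG_RE.search(" ".join(text.split()))
    if m is None:
        return None
    rec = m.groupdict()
    rec.update((k, int(rec[k])) for k in INT_FIELDS)
    return rec


def hops_travelled(ttl):
    """Return (assumed initial TTL, hops so far) using the nearest common default."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range: %d" % ttl)


def looks_forwarded(rec):
    """Heuristic: TTL already decremented, or source port in the masquerade range."""
    _, hops = hops_travelled(rec["ttl"])
    return hops > 0 or rec["sport"] in MASQ_PORTS


if __name__ == "__main__":
    rec = parse_packet_log(SAMPLE)
    print(rec["chain"], rec["target"], "%(src)s:%(sport)d -> %(dst)s:%(dport)d" % rec)
    print("initial TTL / hops:", hops_travelled(rec["ttl"]))
    print("looks forwarded:", looks_forwarded(rec))
```

Both checks are heuristics: a packet that matches either one is more consistent with traffic routed through the firewall from another machine than with a process on the firewall itself, which is the distinction an lsof snapshot on the firewall would also help settle.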
More information about the bind-users mailing list