Firewall rejecting port 137 netbios-ns

Adam Olson adamo at quaartz.com
Fri Jul 7 04:44:16 UTC 2000



If lsof can run on your host platform, possibly grab snapshots every X
minutes to catch the process... Adam

On Thu, 6 Jul 2000, Bill Moseley wrote:

> 
> At 11:07 AM 07/07/00 +1000, Mark.Andrews at nominum.com wrote:
> >	
> >	Port 137 is netbios-ns.  This is Windows name resolution.
> 
> Right, I kind of understood that.  But any udp or tcp connections TO port
> 137 on my machine would (and do) get logged, and that's not happening.  I'm
> only seeing the output packet logged -- no input packets are logged.
> 
> I'm not running IIS.  Some internally NAT'ed machines do run IE4, but it
> seems like the packets get logged at times when I'm not using IE4.  So if
> bind isn't sending on UDP port 137 (which I doubt), and if the logged
> output packet is a response to some remote query, then I have a hole in my
> input firewall.
> 
> In other words, the output log I'm seeing is either a response to a request
> that made it in past my firewall, or it's generated internally and I'm not
> clear how.  And since the remote IP numbers listed in the packet log are
> often not running httpd, it seems likely that origin is external instead of
> internal to my system.
> 
> Thanks,
> 
> 
> >> 
> >> I'm not sure if this is bind related or not, and I can't seem to search for
> >> numbers in the list archive.
> >> 
> >> I see the following in my firewall log every so often.  But I don't see any
> >> corresponding "input" logs.  
> >> 
> >> Packet log: output REJECT eth1 PROTO=17
> >>      63.205.225.170:64961 165.87.156.173:137
> >>      L=78 S=0x00 I=16956 F=0x0000 T=127 (#42)
> >> 
> >> So either I'm allowing access to something by mistake, or some service I'm
> >> allowing access to is sending on UDP 137.  Is something in bind sending out
> >> these packets?
> >> 
> >> If it is bind, then what triggers it?
> >> 
> >> 
> >> 
> >> 
> >> Bill Moseley
> >> mailto:moseley at hank.org
> >> 
> >> 
> >--
> >Mark Andrews, Nominum Inc.
> >1 Seymour St., Dundas Valley, NSW 2117, Australia
> >PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
> >
> >
> >
> 
> Bill Moseley
> mailto:moseley at hank.org
> 
> 
> 
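
An added example, not part of the original messages: a parser for the packet-log entry quoted in the thread (its layout is that of a Linux ipchains log line), with two heuristics for telling forwarded traffic from traffic generated on the firewall itself. The masquerade port range (Linux 2.2) and the list of initial TTL values are assumptions, not facts from the thread.

```python
import re

# "Packet log:" entry layout (ipchains style): chain, target, interface,
# protocol, src:port, dst:port, then L=length S=TOS I=IP-id F=frag T=TTL (#rule).
ENTRY = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>\S+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)")
NUMERIC = ("proto", "sport", "dport", "length", "ipid", "ttl", "rule")

# Assumptions, not taken from the thread:
MASQ_PORTS = range(61000, 65096)  # Linux 2.2 masquerading source-port pool
INITIAL_TTLS = (64, 128, 255)     # common initial TTL values

def parse_entries(text):
    """Parse entries from raw or mail-quoted ('> >> ') log text."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    flat = " ".join(" ".join(lines).split())   # undo line wrapping
    entries = []
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        e.update({k: int(e[k]) for k in NUMERIC})
        entries.append(e)
    return entries

def hops_travelled(ttl):
    """Hops since the nearest common initial TTL at or above this one."""
    return min(t - ttl for t in INITIAL_TTLS if t >= ttl)

def origin_hints(e):
    """Heuristic hints about where an 'output' chain packet came from."""
    hints = []
    if e["chain"] == "output" and e["sport"] in MASQ_PORTS:
        hints.append("masqueraded source port: forwarded from a NAT'ed host")
    if e["chain"] == "output" and hops_travelled(e["ttl"]) > 0:
        hints.append("TTL already decremented: not generated on this host")
    return hints

# The entry quoted in the thread, with its mail quote markers.
SAMPLE = """\
> >> Packet log: output REJECT eth1 PROTO=17
> >>      63.205.225.170:64961 165.87.156.173:137
> >>      L=78 S=0x00 I=16956 F=0x0000 T=127 (#42)
"""

if __name__ == "__main__":
    for entry in parse_entries(SAMPLE):
        print(entry["src"], entry["sport"], "->", entry["dst"], entry["dport"])
        for hint in origin_hints(entry):
            print("  hint:", hint)
```

Both hints are heuristics: they narrow where to look (the internal hosts versus a local daemon) but do not identify the sending process.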




More information about the bind-users mailing list