Firewall rejecting port 137 netbios-ns

Bill Moseley moseley at hank.org
Fri Jul 7 02:36:05 UTC 2000


At 11:07 AM 07/07/00 +1000, Mark.Andrews at nominum.com wrote:
>	
>	Port 137 is netbios-ns.  This is Windows name resolution.

Right, I kind of understood that.  But any udp or tcp connections TO port
137 on my machine would (and do) get logged, and that's not happening.  I'm
only seeing the output packet logged -- no input packets are logged.

I'm not running IIS.  Some internally NAT'ed machines do run IE4, but it
seems like the packets get logged at times when I'm not using IE4.  So if
bind isn't sending on UDP port 137 (which I doubt), and if the logged
output packet is a response to some remote query, then I have a hole in my
input firewall.

In other words, the output log I'm seeing is either a response to a request
that made it in past my firewall, or it's generated internally and I'm not
clear how.  And since the remote IP numbers listed in the packet log are
often not running httpd, it seems likely that the origin is external instead
of internal to my system.

Thanks,


>> 
>> I'm not sure if this is bind related or not, and I can't seem to search for
>> numbers in the list archive.
>> 
>> I see the following in my firewall log every so often.  But I don't see any
>> corresponding "input" logs.  
>> 
>> Packet log: output REJECT eth1 PROTO=17
>>      63.205.225.170:64961 165.87.156.173:137
>>      L=78 S=0x00 I=16956 F=0x0000 T=127 (#42)
>> 
>> So either I'm allowing access to something by mistake, or some service I'm
>> allowing access to is sending on UDP 137.  Is something in bind sending out
>> these packets?
>> 
>> If it is bind, then what triggers it?
>> 
>> 
>> 
>> 
>> Bill Moseley
>> mailto:moseley at hank.org
>> 
>> 
>--
>Mark Andrews, Nominum Inc.
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
>
>
>

Bill Moseley
mailto:moseley at hank.org
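The question above comes down to correlating two kinds of firewall log lines: is a logged outbound packet the reply to an inbound packet, or was it generated on (or forwarded through) the gateway? The script below is an added example, not code from the poster or from bind; it parses ipchains "Packet log:" lines in the format quoted in the thread, flags outbound packets that have no logged inbound packet for the reverse flow shortly before them, and applies a TTL heuristic. The sample log lines are constructed (the first two flows use a made-up 10.0.0.5 peer), the syslog prefix and the year 2000 are assumed, and the TTL heuristic is an assumption about typical initial TTL values (Linux 64, Windows 128), not something the thread states.

```python
"""Correlate ipchains 'Packet log:' lines: flag logged outbound packets that
have no logged inbound packet for the reverse flow shortly before them.
All log lines below are constructed for this example."""
import re
from datetime import datetime, timedelta

# Optional syslog prefix ("Jul  7 02:36:05 host kernel: "), assumed format.
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ kernel: ")
# ipchains packet log format as quoted in the thread:
# Packet log: output REJECT eth1 PROTO=17 a.b.c.d:sport w.x.y.z:dport L=.. S=0x.. I=.. F=0x.. T=.. (#rule)
PACKET_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
ASSUMED_YEAR = 2000  # syslog timestamps carry no year; assumed here
COMMON_INITIAL_TTLS = (64, 128, 255)  # assumed typical defaults (Linux/BSD, Windows, others)

# Constructed sample log: an inbound probe, the gateway's reply to it, and the
# unexplained outbound packet from the thread (no inbound packet logged for it).
SAMPLE_LOG = """\
Jul  7 02:30:01 gw kernel: Packet log: input ACCEPT eth1 PROTO=17 10.0.0.5:137 63.205.225.170:137 L=78 S=0x00 I=2001 F=0x0000 T=64 (#3)
Jul  7 02:30:02 gw kernel: Packet log: output REJECT eth1 PROTO=17 63.205.225.170:137 10.0.0.5:137 L=78 S=0x00 I=2002 F=0x0000 T=127 (#42)
Jul  7 02:36:05 gw kernel: Packet log: output REJECT eth1 PROTO=17 63.205.225.170:64961 165.87.156.173:137 L=78 S=0x00 I=16956 F=0x0000 T=127 (#42)
Jul  7 02:36:05 gw kernel: not a packet log line
"""


def parse_line(line):
    """Return a dict for one ipchains log line, or None if it does not match."""
    ts = None
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        line = line[m.end():]
    m = PACKET_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["ts"] = ts
    return rec


def parse_log(text):
    """Parse every matching line of a log text; non-matching lines are skipped."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def unmatched_outbound(records, window=timedelta(seconds=5)):
    """Outbound records with no logged inbound packet for the reverse flow
    (same protocol, swapped addresses and ports) within `window` before them.
    Caveat: only logged packets can match, so an unmatched outbound packet is
    either a reply to an inbound packet the firewall accepted without logging,
    or a packet generated locally or forwarded through this host."""
    inbound = [r for r in records if r["chain"] == "input"]
    flagged = []
    for out in records:
        if out["chain"] != "output":
            continue
        matched = any(
            r["proto"] == out["proto"]
            and r["src"] == out["dst"] and r["sport"] == out["dport"]
            and r["dst"] == out["src"] and r["dport"] == out["sport"]
            and (out["ts"] is None or r["ts"] is None
                 or timedelta(0) <= out["ts"] - r["ts"] <= window)
            for r in inbound
        )
        if not matched:
            flagged.append(out)
    return flagged


def ttl_hint(rec, local_ttl=64):
    """Heuristic (assumption): an outbound packet whose TTL equals the local
    default was probably generated on this host; a TTL one below another
    common default suggests it was forwarded (e.g. masqueraded) from a
    machine behind the gateway."""
    if rec["ttl"] == local_ttl:
        return "local"
    if rec["ttl"] + 1 in COMMON_INITIAL_TTLS:
        return "forwarded"
    return "unknown"


if __name__ == "__main__":
    for rec in unmatched_outbound(parse_log(SAMPLE_LOG)):
        print(f"{rec['ts']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"proto={rec['proto']} ttl={rec['ttl']} ({ttl_hint(rec)})")
```

Run against the constructed sample, the reply to the logged probe is matched and only the packet to 165.87.156.173:137 is reported; its TTL of 127 (the value quoted in the thread) is one hop below a typical Windows initial TTL, which under the stated heuristic points at a packet forwarded from a NAT'ed machine rather than one generated by the gateway's own name server. Widen `window` if the gateway logs with coarse timestamps.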



More information about the bind-users mailing list