bind is tries to connect an unknown host an port 137 ?!

[Tilman Schmidt]

At 10:33 19.05.00 +0200, Nikolas Hagelstein wrote:
>I am running bind 8.2.2p5 on a 2.0.38 Linux-Box...
>During observing my firewall logfiles i notice the following strange thing:
>
>May 19 08:08:13 mail kernel: Packet log: lan-in DENY eth1 PROTO=17
>192.168.0.202:53 194.117.253.245:137 L=124 S=0x00 I=65088 F=0x0000 T=64 (#2)
>
>(192.168.0.202 is my internal DNS server; 194.117.253.245 is dynamic dialin
>ip of a german isp)
>
>I wonder why my DNS server trys connecting a host with a dynamic ip on one
>of the netbios ports ?

Looks like a DNS reply. I'd suspect someone connected a laptop PC to
your LAN that had previously been connected to the Internet by dialin
and is still using the source address it had gotten from the ISP.
You'll have to use a packet sniffer to make sure.

-- 
Tilman Schmidt          E-Mail: Tilman.Schmidt at sema.de (office)
Sema Group Koeln, Germany       tilman at schmidt.bn.uunet.de (private)