Firewall Log Interpretation Requested
Can anyone interpret the following firewall notices from /var/log/messages? I get these messages on bootup, and about once an hour or so thereafter. I'm guessing that this is either my ISP (Verizon) trying to do a NetBIOS call, or a bunch of machines running Kazaa trying to see what my box has to share (not much...). I'd just like to understand better how to determine if this probing is innocuous, or with bad intent.

FYI the Linux box is connected to a D-Link DI-704P DSL router performing DHCP. The D-Link device always assigns the IP address of 192.168.0.247 to the Linux box.

Thanks!
L. Mark Stone

Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=252 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=UDP SPT=138 DPT=138 LEN=232
Feb 11 21:58:53 bronxville kernel: IPv6 v0.8 for NET4.0
Feb 11 21:58:53 bronxville kernel: IPv6 over IPv4 tunneling driver
Feb 11 21:58:53 bronxville sshd[1061]: Server listening on :: port 22.
Feb 11 21:58:53 bronxville webmin[1059]: Webmin starting
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=17 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=18 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=19 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=20 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=21 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=27 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=28 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=29 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=30 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:54 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=31 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:55 bronxville SuSEfirewall2: Firewall rules successfully set from /etc/sysconfig/SuSEfirewall2
Feb 11 21:58:55 bronxville kernel: PCI: Setting latency timer of device 00:04.5 to 64
Feb 11 21:58:56 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=37 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:56 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=38 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:56 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=39 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:56 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=40 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:56 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=41 DF PROTO=UDP SPT=137 DPT=137 LEN=76

--
___________________________________________________________________
A Message From... L. Mark Stone
http://www.lmstone.com
On 02/12/2003 11:10 AM, L. Mark Stone wrote:
FYI the Linux box is connected to a D-Link DI-704P DSL router performing DHCP. The D-Link device always assigns the IP address of 192.168.0.247 to the Linux box.
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=137 DPT=137 LEN=76
source is your linux box, 192.168.0.247
destination is a broadcast, 192.168.0.255
protocol is udp
source port is 137
destination port is 137

conclusion, a netbios name server broadcast packet. I would conclude you are running samba, which is trying to register with the netbios name server of a Windows network.

HTH

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871

God said, I AM that I AM. I say, by the grace of God, I am what I am.
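The reading Joe gives above (who is the source, is the destination the subnet broadcast, which protocol and port) can be turned into a small triage script, so that an hour's worth of identical drops collapses into one verdict per kind and a packet that really does come from outside stands out. The following Python is an added example written for this thread; it is not code from either poster or from SuSEfirewall2. It assumes the LAN is 192.168.0.0/24 (the thread only states the host address 192.168.0.247), and the sample log it carries is constructed: the first two kernel lines mirror the shape of the entries Mark posted, while the last one is an invented inbound packet from a documentation address (203.0.113.9) with an assumed rule prefix, included only so that the classifier has an external source to label.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log (not taken from the thread verbatim). The fourth
# line is invented: its rule prefix and MAC are assumed values, and the
# source is a documentation address, so that the classifier sees an
# inbound packet alongside the locally generated broadcasts.
SAMPLE_LOG = """\
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=252 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=UDP SPT=138 DPT=138 LEN=232
Feb 11 21:58:53 bronxville sshd[1061]: Server listening on :: port 22.
Feb 11 22:58:10 bronxville kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:ba:12:34:56:00:05:5d:ab:cd:ef:08:00 SRC=203.0.113.9 DST=192.168.0.247 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=4711 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

# NetBIOS over TCP/IP services by port: 137 name service, 138 datagram
# service, 139 session service.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# syslog prefix + the firewall's log prefix, up to (not including) "IN=".
HEAD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rule>\S+) (?=IN=)"
)
# Every netfilter field is KEY=VALUE; VALUE may be empty (OUT=, MAC=).
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Entry:
    timestamp: str
    rule: str
    in_if: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    mac: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line; return None for lines that are not netfilter drops."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    # LEN appears twice (IP total length, then UDP length); dict() keeps the
    # last one, which is fine because the verdict does not depend on it.
    fields = dict(KV_RE.findall(line[m.end():]))

    def port(name: str) -> Optional[int]:
        return int(fields[name]) if fields.get(name) else None

    return Entry(
        timestamp=m.group("ts"),
        rule=m.group("rule"),
        in_if=fields.get("IN", ""),
        src=fields["SRC"],
        dst=fields["DST"],
        proto=fields.get("PROTO", "?"),
        spt=port("SPT"),
        dpt=port("DPT"),
        mac=fields.get("MAC", ""),
    )


def classify(e: Entry, my_addr: str, prefixlen: int = 24) -> str:
    """Apply the thread's reasoning: own address + broadcast + port 137/138 is Samba."""
    net = ipaddress.ip_interface(f"{my_addr}/{prefixlen}").network  # /24 is an assumption
    src = ipaddress.ip_address(e.src)
    dst = ipaddress.ip_address(e.dst)
    service = NETBIOS_PORTS.get(e.dpt, f"port {e.dpt}")
    to_broadcast = dst in (net.broadcast_address, ipaddress.ip_address("255.255.255.255"))

    if src == ipaddress.ip_address(my_addr) and to_broadcast and e.dpt in NETBIOS_PORTS:
        # The packet was sent by this host itself to the subnet broadcast:
        # Samba's nmbd announcing/registering its NetBIOS name.
        return f"local: {e.src} is this host, {e.proto} broadcast to {service} (Samba/nmbd NetBIOS registration, expected)"
    if src in net:
        return f"lan: {e.src} on the same subnet -> {service}"
    return f"external: {e.src} -> {service}, blocked inbound probe"


def summarize(log_text: str, my_addr: str) -> Counter:
    """Count verdicts so repeated hourly drops collapse into one line per kind."""
    verdicts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            verdicts[classify(entry, my_addr)] += 1
    return verdicts


if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE_LOG, "192.168.0.247").most_common():
        print(f"{count:4d}  {verdict}")
```

Run it against the real /var/log/messages by replacing SAMPLE_LOG with the file contents; anything labelled "external" is the traffic worth looking at further, while the "local" lines are the ones Joe identified, which the anti-spoofing rule drops because the packet arrives on eth0 carrying the host's own source address.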
On Tue, 2003-02-11 at 23:59, Joe Morris (NTM) wrote:
On 02/12/2003 11:10 AM, L. Mark Stone wrote:
FYI the Linux box is connected to a D-Link DI-704P DSL router performing DHCP. The D-Link device always assigns the IP address of 192.168.0.247 to the Linux box.
Feb 11 21:58:52 bronxville kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.247 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=137 DPT=137 LEN=76
source is your linux box, 192.168.0.247
destination is a broadcast, 192.168.0.255
protocol is udp
source port is 137
destination port is 137

conclusion, a netbios name server broadcast packet. I would conclude you are running samba, which is trying to register with the netbios name server of a Windows network.

HTH

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871

God said, I AM that I AM. I say, by the grace of God, I am what I am.

That was it; thanks!

--
___________________________________________________________________
A Message From... L. Mark Stone
http://www.lmstone.com