Well, I'm starting this again. Every day for...well, a long time, I get this message in my /var/log/message log:
May 21 14:29:18 fwpc kernel: Packet log: output REJECT eth0 PROTO=17 10.10.10.10:61001 198.162.0.1:137
This message comes from my firewall box which is running RedHat 7.0 and IPchains. 10.10.10.10. is my firewall's eth0 and is my external interface. 192.168.0.1 is my firewall's internal IP. All the machines on my network are Win2k - except mine - SuSE 8.2.
It repeats about every 2 or 3 seconds and it's really bugging me. I looked around the net and some folks say it has to do with samba running on the dhcp server. But it's not even installed. Others have pointed out it has to do with NetBIOS. I've checked high and low for a configuration having to do with port 137 and I can't find anything.
Interesting note: Notice the port 61001? Well, if I restart the firewall, that number will increase every time. OOoooooh! Last night it used to be 61000.
Thanks for any insight. Please keep in mind I'm an idiot, so if you say "Sounds like this or that" I'm going to ask the inevitable, well how do I change it? Thanks!
Tom
-- Tom Nielsen Neuro Logic Systems 805.389.5435 x18 www.neuro-logic.com
The 03.05.21 at 15:15, Tom Nielsen wrote:
> Well, I'm starting this again. Every day for...well, a long time, I get this message in my /var/log/message log:
> May 21 14:29:18 fwpc kernel: Packet log: output REJECT eth0 PROTO=17 10.10.10.10:61001 198.162.0.1:137
> This message comes from my firewall box which is running RedHat 7.0 and IPchains. 10.10.10.10. is my firewall's eth0 and is my external interface. 192.168.0.1 is my firewall's internal IP. All the machines on my network are Win2k - except mine - SuSE 8.2.
My guess is that the firewall is rejecting connection to "NETBIOS Name Service" coming from the outside to the inside - and that is as it should be, I think -. The strange thing is why is it not rejected directly at the entry point, before routing it, but that I can not answer. Probably the Windows machines on your internal network are broadcasting and being rejected, or somebody on the outside is probing.
-- Cheers, Carlos Robinson
But both IP addresses are on the same machine. ?????
Tom
On Thu, 2003-05-22 at 04:44, Carlos E. R. wrote:
> The 03.05.21 at 15:15, Tom Nielsen wrote:
> > Well, I'm starting this again. Every day for...well, a long time, I get this message in my /var/log/message log:
> > May 21 14:29:18 fwpc kernel: Packet log: output REJECT eth0 PROTO=17 10.10.10.10:61001 198.162.0.1:137
> > This message comes from my firewall box which is running RedHat 7.0 and IPchains. 10.10.10.10. is my firewall's eth0 and is my external interface. 192.168.0.1 is my firewall's internal IP. All the machines on my network are Win2k - except mine - SuSE 8.2.
> My guess is that the firewall is rejecting connection to "NETBIOS Name Service" coming from the outside to the inside - and that is as it should be, I think -. The strange thing is why is it not rejected directly at the entry point, before routing it, but that I can not answer. Probably the Windows machines on your internal network are broadcasting and being rejected, or somebody on the outside is probing.
> -- Cheers, Carlos Robinson
-- Tom Nielsen Neuro Logic Systems 805.389.5435 x18 www.neuro-logic.com
The 03.05.22 at 08:43, Tom Nielsen wrote:
> But both IP addresses are on the same machine. ?????
Not all rules apply to all interfaces... You could have the outside open and the inside closed, and acting when a package is moved from one interface to the other. Just guessing - I'm not familiar with SuSE 8.2 log entries, they seem different from 8.1 ones. Check your firewall config for that port.
-- Cheers, Carlos Robinson
On Wednesday 21 May 2003 17:15, Tom Nielsen wrote:
> Well, I'm starting this again. Every day for...well, a long time, I get this message in my /var/log/message log:
> May 21 14:29:18 fwpc kernel: Packet log: output REJECT eth0 PROTO=17 10.10.10.10:61001 198.162.0.1:137
> This message comes from my firewall box which is running RedHat 7.0 and IPchains. 10.10.10.10. is my firewall's eth0 and is my external interface. 192.168.0.1 is my firewall's internal IP. All the machines on my network are Win2k - except mine - SuSE 8.2.
> It repeats about every 2 or 3 seconds and it's really bugging me. I looked around the net and some folks say it has to do with samba running on the dhcp server. But it's not even installed. Others have pointed out it has to do with NetBIOS. I've checked high and low for a configuration having to do with port 137 and I can't find anything.
> Interesting note: Notice the port 61001? Well, if I restart the firewall, that number will increase every time. OOoooooh! Last night it used to be 61000.
> Thanks for any insight. Please keep in mind I'm an idiot, so if you say "Sounds like this or that" I'm going to ask the inevitable, well how do I change it? Thanks!
> Tom
OK..... Proto 17 is the UDP protocol. Or an octal of 21. Port 137 is netbios-ns. Or the Netbios name service. Dropping packets from the same node is not any different to the "stacks" and/or the applications utilizing them. Sockets are simply an IP address and a port. As long as there is a listening daemon available, this should make no difference.
First ensure that you have a good protocol capture application running. I prefer Ethereal myself. Next, telnet to the destination addy using TCP. This should tell you if the port is being blocked altogether; or that it is specifically being told what proto number to drop. If you get a RST packet.......then the daemon is not accepting connections for whatever reason via a DENY instruction. If telnet gets nothing then either there is no daemon, or the firewall is being told to DROP the SYN packets.
Now then use netcat to do the same for UDP. It will send packets to the specified port and you can view your node's responses; if any. This should give you a good idea what is actually happening.
If I were to guess, I would say that you do not specifically have any DENY/DROP instructions in your firewall configuration for UDP (or a status of 'dgram nowait'). But instead, that you have a TCP daemon (status is 'stream wait') that is in an active state and waiting for a connection. Because this daemon (service) is accepting connections for a particular protocol on that port....it then drops the connections from an unconfigured protocol. Although some services can accept both TCP and UDP protocols; it must specifically be specified in inetd with a line for each protocol. This is normal behavior for the TCP/IP stack. And it is not specified in any fw configs.
BTW....client ports......data transmission ports...........as well as the packet sequence numbers increment randomly. Well..... ;) .......they are supposed to anyways. But that is another discussion.
HTH.
-- Thomas Jones Linux-Howtos Network Administrator OpenGPG Key: 0x6A3DF6E9
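An added example, not part of any post in this thread: a Python parser for the "Packet log:" line quoted above that groups repeated entries and reports the rule, protocol, service, interval, and whether the destination is a private address. The regular expression covers only the fields visible in the quoted line, the 61000-based range is the default masquerading port range of Linux 2.2 kernels, and the sample lines are constructed from the single line in the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}   # IANA protocol numbers
SERVICES = {137: "netbios-ns"}              # the port discussed in the thread
# Default masquerading source-port range of Linux 2.2 kernels (4096 ports).
MASQ_PORTS = range(61000, 61000 + 4096)
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(line):
    """Return the fields of one ipchains 'Packet log:' line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], "%b %d %H:%M:%S")  # syslog has no year
    f.update({k: int(f[k]) for k in ("proto", "sport", "dport")})
    return f

def summarize(lines):
    """Group packets by rule and destination; describe each repeating flow."""
    flows = defaultdict(list)
    for f in filter(None, map(parse, lines)):
        key = (f["chain"], f["action"], f["iface"], f["proto"], f["dst"], f["dport"])
        flows[key].append(f)
    report = []
    for (chain, action, iface, proto, dst, dport), hits in flows.items():
        times = sorted(h["ts"] for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({
            "rule": f"{chain} {action} {iface}",
            "proto": PROTOS.get(proto, str(proto)),
            "service": SERVICES.get(dport, str(dport)),
            "dst": dst, "dst_is_private": ipaddress.ip_address(dst).is_private,
            "count": len(hits),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "src_ports": sorted({h["sport"] for h in hits}),
            "masq_range": all(h["sport"] in MASQ_PORTS for h in hits),
        })
    return report

# Constructed sample: the line from the post repeated at the reported 2-3 s pace.
SAMPLE = ["May 21 14:29:%02d fwpc kernel: Packet log: output REJECT eth0 "
          "PROTO=17 10.10.10.10:61001 198.162.0.1:137" % s for s in (18, 20, 23)]
```

For the constructed sample, summarize(SAMPLE) returns one udp/netbios-ns flow leaving eth0 for a non-private destination from a source port inside the masquerading range. Under ipchains, forwarded packets also pass through the output chain, so such an entry is consistent with masqueraded traffic from an internal host as well as with traffic generated on the firewall itself.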