What are these and how can I not log them?

What are these and how can I not log them?

[Simon]

Hello,

Very new to iptables and firewall, so please be gentle... :)

I'm getting a lot of the below messages - sometimes bursts of a hundred 
or more, but usually just one or two here and there - in my logs:

Jul  7 17:52:46 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:08:9b:ac:c3:41:08:00 SRC=192.168.1.75 
DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP 
SPT=137 DPT=137 LEN=58

I'm guessing it is something to do with IPv6.? But all I really want to 
know is why are they being blocked and/or how can I stop seeing these in 
my logs?

Thanks...

Re: What are these and how can I not log them?

[Grant Taylor]

On 07/07/08 16:57, Simon wrote:
> I'm getting a lot of the below messages - sometimes bursts of a hundred 
> or more, but usually just one or two here and there - in my logs:
> 
> Jul  7 17:52:46 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= 
> MAC=ff:ff:ff:ff:ff:ff:00:08:9b:ac:c3:41:08:00 SRC=192.168.1.75 
> DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP 
> SPT=137 DPT=137 LEN=58

These are NetBIOS Name Service packets.  These packets are from Windows 
computers (or any computer using Windows networking) looking for other 
computers on the network.

> I'm guessing it is something to do with IPv6.? But all I really want to 
> know is why are they being blocked and/or how can I stop seeing these in 
> my logs?

Nope, these have nothing to do with IPv6.  The particular above packet 
came from the computer at 192.168.1.75 when it was trying to find out 
what was on the network.  It sent this packet as a broadcast to the 
network, thus requesting that all systems on the network speaking 
NetBIOS respond so that it could learn something, or argue about 
something (browse master election...).

With out knowing what you have in your firewall I can not even begin to 
tell you how to not get them in your logs.  It looks like (based on the 
"IPTABLES-IN Default Drop") that this is a catch all rule that drops any 
thing that has not explicitly been previously allowed.



Grant. . . .

Re: What are these and how can I not log them?

[Simon]

Hi Grant,

Thanks for the response...

>> Jul  7 17:52:46 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= 
>> MAC=ff:ff:ff:ff:ff:ff:00:08:9b:ac:c3:41:08:00 SRC=192.168.1.75 
>> DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP 
>> SPT=137 DPT=137 LEN=58

> These are NetBIOS Name Service packets.  These packets are from Windows 
> computers (or any computer using Windows networking) looking for other 
> computers on the network.

Ok, makes sense, at least for the computers inside my network - but when 
the flood happens, it is from a non-local IP address, although I can't 
swear that the source/dest ports are the same... I'll have to watch for 
the next one and grab a snippet...

> With out knowing what you have in your firewall I can not even begin to 
> tell you how to not get them in your logs.  It looks like (based on the 
> "IPTABLES-IN Default Drop") that this is a catch all rule that drops any 
> thing that has not explicitly been previously allowed.

Yeah, I had someone help me set this up years ago, and I told him I 
wanted it buttoned up as tight as possible. He even added rules to block 
most OUT bound traffic as well, which I have since learned is probably 
not a great idea...

Any chance you or someone could help me in re-evaluating my current ruleset?

To dump the current rules to a file I'd just do:

iptables-save > myrules

Then just copy/paste the contents here for evaluation (if thats ok)?

Thanks again for your time...

Re: What are these and how can I not log them?

[Simon]

On 7/7/2008, Simon (tanstaafl@libertytrek.org) wrote:
> To dump the current rules to a file I'd just do:
> 
> iptables-save > myrules 

never mind, I see a iptables -L will list them all...

Re: What are these and how can I not log them?

[Grant Taylor]

On 7/7/2008 6:00 PM, Simon wrote:
> never mind, I see a iptables -L will list them all...

That will list the rules in one table, filter by default.  You will need 
to dump all tables that way.  IPTables-save is a more concise way to 
dump all tables and rules in one clean consistent manner for others to see.

Yes the copy and past will work.  (See my (coming) reply to your 
previous message.)



Grant. . . .

Re: What are these and how can I not log them?

[Grant Taylor]

On 7/7/2008 5:57 PM, Simon wrote:
> Thanks for the response...

You are welcome.

> Ok, makes sense, at least for the computers inside my network - but when 
> the flood happens, it is from a non-local IP address, although I can't 
> swear that the source/dest ports are the same... I'll have to watch for 
> the next one and grab a snippet...

Hum.  I'd be between curious to concerned to find unexpected IPs in 
logs.  Now, if the logs are the "Default Drop and Log" type and not just 
your internal interface, then it could be external traffic that appears 
similar.

> Yeah, I had someone help me set this up years ago, and I told him I 
> wanted it buttoned up as tight as possible. He even added rules to block 
> most OUT bound traffic as well, which I have since learned is probably 
> not a great idea...

Doing egress filtering is not necessarily a bad idea, you just have to 
be careful.  Usually egress filtering helps ensure that you are a good 
internet neighbor which is usually a good thing.

> Any chance you or someone could help me in re-evaluating my current 
> ruleset?

I'm not sure that this mailing list is the best place to ask for help in 
creating and / or (re)assessing a rule set.  IMHO this list is more of a 
place to ask how to make something specific work rather than how should 
I / what firewall should I use for my network with this <bla> config. 
(However I'd be willing to do so off list if you will email me directly.)

> To dump the current rules to a file I'd just do:
> 
> iptables-save > myrules
> 
> Then just copy/paste the contents here for evaluation (if thats ok)?

Yes, that will probably work the best.

> Thanks again for your time...

*nod*

You are welcome.



Grant. . . .