Most of the low end firewalls only do packet filtering based on the IP Port. If
your firewall allows traffic on port 139, then you will likely see attempts to
connect to your network. (Port 139 being for NetBIOS names, which MS uses
for file/print sharing). These firewalls do not attempt to detect/block
virus traffic - if the virus attempts access to your network on a port that the
firewall allows through, then you need to rely on a second line of defense (i.e.
antivirus software).
The quickest and easiest solution is to ensure your firewall isn't allowing
undesired ports in. If you have a typical home network (something
like INTERNET ---- Firewall ---- Workstation(s) ), then you can turn
off port 139 on your firewall completely. If your network is a little more
advanced, and you use multiple firewalls to segment workstations from each other
(think of different departments in a larger business), then you might NEED port
139 open. However, there is no reason to ever allow traffic on port 139
to connect to your router from the external interface, if it isn't initiated
internally (Basically, block 139 on incoming traffic from the
Internet).
All that said, there is a chance your situation isn't this simple. I
personally use an old P-166 as my firewall running IPCop. IPCop is smart
enough to recognize incoming attacks and block them (if you turn on Intrusion
Detection). With regards to DSL, you can plug the DSL line directly into a
network card, so you do not need a specific "DSL firewall". Since I've
started using IPCop, I have yet to see a single virus get through to my network
(knock on wood), and that includes the Blaster storm, the MS SQL Propagation
attacks, and the more recent Sasser wave. But part of this might be due to
the fact that I'm aware of how viruses can infect a system, and don't do those
things (i.e. opening executable email attachments).
HTH
Shawn
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy Souther
Sent: Friday, June 11, 2004 10:02 AM
To: CLUG General
Subject: [clug-talk] Samba logging virus getting through firewall
I have a cheap NetGear DSL firewall NAT switch at home. It is not very good but I don't have anything fancy going so it does what I need. I have looked for newer firmware for my model of NetGear but I already have the newest firmware for my system.
While trying to tweak my NFS shares I found that there are hundreds of samba log files from IPs outside of my firewall. These look like a virus is trying to see if I have Win32 systems on my LAN to infect.
I don't follow the Win32 viruses. What virus could this be? Is there any danger to a Samba system? I shut my home Samba down, don't need it there.
Is anyone else having problems with Win32 viruses that just walk right through their firewalls?
Are there DSL firewall boxes that are better than this NetGear junk?
My smoothwall at work seems to be blocking the virus.
I have a copy of the Knoppix STD, I am thinking I should try it and see what is happening.
Roy Souther
www.SiliconTao.com
Changing the way people do business.
_______________________________________________ clug-talk mailing list [EMAIL PROTECTED] http://clug.ca/mailman/listinfo/clug-talk_clug.ca
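The symptom discussed in this thread (Samba log files named after IPs outside the LAN) can be checked quickly from the log directory listing. The following is an added example, not part of either message: it assumes Samba is configured with `log file = .../log.%m` so that clients without a NetBIOS name are logged under their IP, that the LAN is 192.168.0.0/24, and it uses constructed file names.

```python
import ipaddress
import re
from collections import Counter

# Assumption: "log file = /var/log/samba/log.%m", so a client that supplies
# no NetBIOS name gets a log file named after its IP (plus a rotated ".old").
LOG_NAME = re.compile(r"^log\.(\d{1,3}(?:\.\d{1,3}){3})(?:\.old)?$")


def external_clients(filenames, lan_cidrs):
    """Count Samba log files per client IP that is outside every LAN network."""
    lans = [ipaddress.ip_network(cidr) for cidr in lan_cidrs]
    hits = Counter()
    for name in filenames:
        match = LOG_NAME.match(name)
        if not match:
            continue  # log.smbd, log.nmbd, or a client logged by NetBIOS name
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # dotted digits that are not a valid address
        if not any(ip in net for net in lans):
            hits[str(ip)] += 1
    return hits


# Constructed sample listing; external addresses are documentation ranges.
SAMPLE = [
    "log.smbd",
    "log.nmbd",
    "log.workstation1",
    "log.192.168.0.12",
    "log.203.0.113.45",
    "log.203.0.113.45.old",
    "log.198.51.100.7",
    "log.999.1.1.1",
]

if __name__ == "__main__":
    found = external_clients(SAMPLE, ["192.168.0.0/24"])
    for ip, count in sorted(found.items()):
        print(f"{ip}: {count} log file(s) from outside the LAN")
```

Any address this reports means TCP 139 (or 445) is reachable from the Internet side, which is the inbound rule Shawn recommends closing on the firewall.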

