Re: ipchains letting NetBIOS through?

Sat, 16 Jan 1999 10:05:24 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am finding ipchains can be pretty picky.  Example:

ipchains -I input -j ACCEPT -p udp -s x.x.x.21 514 -d x.x.x.15 514

it dropped every packet from .21 514 pointed at .15 514.  This fixed
it:

ipchains -I input -j ACCEPT -p udp -s x.x.x.21/32 514 -d x.x.x.15/32
514

I think you need to try a few things like specifying the interface,
subnet masks, etc.  You may even give gfcc which will generate the
ipchains scripts for you after you define what you want in each chain
through a GUI.


Carric Dooley
Network Security Consultant

"A little inaccuracy sometimes saves a ton of explanation. " 
- - H. H. Munro (Saki) (1870-1916) 
- ----- Original Message ----- 
From: Gene Lee <[EMAIL PROTECTED]>
To: Firewalls Mailing List <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 1999 11:23 PM
Subject: ipchains letting NetBIOS through?


> I am running a firewall using ipchains 1.3.8 on a Slackware 4.0.0
> Kernel 2.2.13. Although the kernel is compiled with SMB Filesystem
> enabled, I have disabled smbd and nmbd, and have made sure those
> modules are not loaded in the kernel.  
> 
> However  I'm seeing some strange behaviour when I test UDP scans
> against my machine using nmap. Even though I am explicitly blocking
> UDP ports 137-139, somehow the packets still get to the stack and
> is reported back to nmap as being open. I have checked with
> "ipchains -C" and the packet is demonstrated to be rejected, but
> real packets get through anyway. Checking the logs of a UDP strobe
> from 130-140, I see 130-136 and 140 being logged as rejected, but
> nothing for 137-139. It's as if the stack sees it and responds
> before ipchains even has a chance to process it. Strange!  
> 
> A sample of one the ipchains rules I tried for the UDP strobe:
> 
> ipchains -A input -p udp -s 0/0 -d 0/0 130:140 -l -j REJECT
> 
> Has anyone seen this behaviour before?
> 
> --
> Gene Lee
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

iQA/AwUBODQxUuuEoPqp8SMeEQIDCACcCjE8KI6spFsXQO+u56MnJzWfinAAoOk0
heMfBuvsm4PrtRhcr7CKDozZ
=jvY5
-----END PGP SIGNATURE-----


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to