Thanks, Jose! And thanks to everyone else who responded privately, too. I suspected it was just paranoia ...
I'm reading a Linux firewalls book now. Hopefully that will answer some questions! Maybe I should also start memorizing port numbers and associated protocols ...

Jen

----- Original Message -----
From: Jose Nazario <[EMAIL PROTECTED]>
To: jennyw <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, November 17, 2001 4:08 PM
Subject: Re: Please help w/ ipchains log

> On Sat, 17 Nov 2001, jennyw wrote:
>
> > My interpretation is that several computers, all within the 171.66.x.x
> > subnet are attempting access to my computer. But this seems rather odd
> > ... could it be that I've configured something wrong and it's not
> > really coming from these other folks? Then again, this is at
> > Stanford, and I suppose it's possible that someone has gotten control
> > of some points within the Stanford network and is launching something
> > against me ... but there's a part of me that says that I'm just being
> > paranoid.
>
> heh .. paranoia .. always happens when you start watching networks.
>
> > Nov 17 06:46:01 towanda kernel: Packet log: input DENY eth0 PROTO=17
> > 171.66.152.100:137 171.66.255.255:137 L=78 S=0x00 I=15071 F=0x0000
> > T=128 (#53)
>
> 137/UDP to 137 UDP is windows networking. let's break this log message
> down:
>
> > Nov 17 06:46:01
>
> timestamp
>
> > towanda
>
> your hostname (or, more accurately, the hostname or address of the system
> that sent this message to the log. if you were running a syslog server you
> would see the source address here)
>
> > kernel:
>
> the source subsystem (in this case the kernel)
>
> > Packet log:
>
> source's first field (in this case ipchains uses a decent id field for
> you)
>
> > input
>
> the direction (with respect to the ruleset and your host)
>
> > DENY
>
> decision (reject, deny, allow, log, etc ...)
>
> > eth0
>
> interface rule was applied on
>
> > PROTO=17
>
> IP protocol
>
> > 171.66.152.100:137
>
> source address:port
>
> > 171.66.255.255:137
>
> destination address:port (in this case a /16 broadcast address)
>
> > L=78
>
> packet length
>
> > S=0x00
>
> IP type of service (TOS) flags
>
> > I=15071
>
> IP id
>
> > F=0x0000
>
> flags (UDP doesn't use flags)
>
> > T=128
>
> TTL (time to live)
>
> > (#53)
>
> rule which applied here.
>
> in a nutshell you're right to look, but you can safely discard these.
> windows hosts resort to broadcasts to find out who is on the network and
> participating. you're right to block broadcast packets (if you use SAMBA
> for windows networking use the local WINS servers). campus networks are
> littered with this. ipchains needs a more clear logging mechanism, or at
> least better docs on it for people new to it.
>
> hope that helps,
>
> ____________________________
> jose nazario [EMAIL PROTECTED]
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
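As an added example (not code from the thread), a small Python parser for the ipchains "Packet log:" format that Jose breaks down above, plus a filter for the UDP/137 broadcast noise he says can be discarded so that only the remaining denies come up for review. The second sample line and the 198.51.100.7 address are constructed, and the local network is assumed to be 171.66.0.0/16 from the /16 broadcast address in the log.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Field layout of an ipchains "Packet log:" line, as broken down in the thread above.
# ipchains adds a "SYN" token for TCP SYN packets, so that token is matched as optional.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: (?P<syn>SYN))? \(#(?P<rule>\d+)\)$"
)
INT_FIELDS = ("proto", "sport", "dport", "len", "ipid", "ttl", "rule")

def parse_ipchains(line: str) -> dict:
    """Parse one ipchains kernel log line into a dict; raises ValueError for anything else."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipchains packet log line: {line!r}")
    p = m.groupdict()
    for k in INT_FIELDS:
        p[k] = int(p[k])
    p["tos"], p["frag"] = int(p["tos"], 16), int(p["frag"], 16)  # hex fields
    p["syn"] = p["syn"] is not None
    return p

def is_netbios_broadcast(p: dict, local_net: str) -> bool:
    """The UDP/137 name-service broadcast noise the reply says can be discarded:
    UDP (proto 17), NetBIOS-NS on both ends, sent to the local net's broadcast address."""
    return (p["proto"] == 17 and p["sport"] == 137 and p["dport"] == 137
            and IPv4Address(p["dst"]) == IPv4Network(local_net).broadcast_address)

def triage(lines, local_net: str = "171.66.0.0/16") -> list:
    """Return the parsed denies that are NOT known broadcast noise, i.e. the ones worth a look."""
    return [p for p in map(parse_ipchains, lines) if not is_netbios_broadcast(p, local_net)]

SAMPLE_LINES = [
    # the line from the thread
    "Nov 17 06:46:01 towanda kernel: Packet log: input DENY eth0 PROTO=17 "
    "171.66.152.100:137 171.66.255.255:137 L=78 S=0x00 I=15071 F=0x0000 T=128 (#53)",
    # constructed: a unicast TCP SYN to port 22 from outside the campus net
    "Nov 17 06:47:13 towanda kernel: Packet log: input DENY eth0 PROTO=6 "
    "198.51.100.7:40001 171.66.152.50:22 L=60 S=0x00 I=2301 F=0x4000 T=64 SYN (#53)",
]

if __name__ == "__main__":
    for p in triage(SAMPLE_LINES):
        print(f"{p['ts']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} proto {p['proto']} rule #{p['rule']}")
```

Run as a script it prints only the constructed SSH attempt; the NetBIOS broadcast from the thread is dropped as noise.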
