/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
Hello, I have set up a firewall on top of SUSE Linux with a 2.2.16 kernel.
1. I get a lot of hits on ports 137 and 138, like this:
Feb 2 16:29:13 firewall kernel: Packet log: input DENY eth1 PROTO=17
xxx.xxx.xxx.xxx:896 yyy.yyy.yyy.yyy:137 L=78 S=0x00 I=52201 F=0x0000 T=103 (#7)
Is this people searching for open Windows hosts, or are they just
stray Windows packets from Windows machines (eth1 is the external NIC,
xxx.xxx.xxx.xxx is an external IP, and yyy.yyy.yyy.yyy is the firewall's
external IP)?
The packets seem to be coming from all around, not only from the subnet of the
external interface.
2. I got this curious entry:
Feb 2 15:39:28 firewall kernel: Packet log: input DENY eth1 PROTO=6
172.16.9.78:80 yyy.yyy.yyy.yyy:62130 L=40 S=0x00 I=34904 F=0x4000 T=42 (#2)
Is someone prying for a hole in the firewall? 172.16.9.78 is in the subnet
of the inner NIC (eth0), but it is unused.
3. It seems the firewall logs both to /var/log/messages and /var/log/firewall.
Is this normal? Can I prevent it (I want the firewall entries only in
/var/log/firewall)? How?
4. I did the security check on www.vulnerabilities.org and it gave me a warning
like:
Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Should I block this? What would the rule look like?
It might be relevant that the only service available from the external
interface is ssh.
Thank you for any answers.
Best Regards
KenRH
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
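Added example, not part of the post above or of any reply to it: a small Python triage script for kernel 2.2 ipchains "Packet log:" lines of the kind quoted in questions 1, 2 and 4. It parses each field of the log format, then applies three defender-side checks the post touches on: UDP 137/138 NetBIOS name/datagram noise, an RFC 1918 source address arriving on the external interface (the 172.16.9.78:80 line, which should never be seen inbound on eth1 whether it is spoofed or misrouted), and ICMP type 13 timestamp requests (the vulnerabilities.org finding). The sample log lines are constructed with documentation addresses (203.0.113.x, 198.51.100.x) in place of the redacted xxx/yyy values; eth1 as the external NIC mirrors the post. The script relies on ipchains printing the ICMP type and code in the source and destination port positions for PROTO=1, which is how the 2.2 kernel firewall logger formats ICMP.

```python
import ipaddress
import re
from collections import Counter

# Field layout of a kernel 2.2 ipchains "Packet log:" line:
#   chain verdict iface PROTO=n src:sport dst:dport L=len S=tos I=ipid F=frag T=ttl (#rule)
# For PROTO=1 (ICMP) the "port" positions carry the ICMP type and code.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

EXTERNAL_IFACE = "eth1"          # assumption: eth1 is the external NIC, as in the post
NETBIOS_UDP_PORTS = {137, 138}   # NetBIOS name service / datagram service
NETBIOS_TCP_PORTS = {139}        # NetBIOS session service
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
# RFC 1918 ranges checked explicitly (ipaddress.is_private also matches the
# documentation nets used in the constructed sample, so it is not used here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr_text):
    """True if the dotted-quad address lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in RFC1918)


def parse_packet_log(line):
    """Parse one syslog line into a dict of typed fields, or None if it is not a packet log."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {k: d[k] for k in ("chain", "verdict", "iface", "src", "dst")}
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[k] = int(d[k])
    rec["tos"] = int(d["tos"], 16)
    rec["frag"] = int(d["frag"], 16)
    rec["rule"] = int(d["rule"]) if d["rule"] else None
    rec["df"] = bool(rec["frag"] & 0x4000)   # 0x4000 is the IP "don't fragment" flag
    return rec


def classify(rec):
    """Label a parsed record with the most security-relevant observation about it."""
    proto = rec["proto"]
    # An RFC 1918 source inbound on the external interface is spoofed or misrouted
    # either way; it deserves its own label regardless of ports.
    if rec["chain"] == "input" and rec["iface"] == EXTERNAL_IFACE and is_rfc1918(rec["src"]):
        return "private-source-on-external"
    if proto == 17 and (rec["dport"] in NETBIOS_UDP_PORTS or rec["sport"] in NETBIOS_UDP_PORTS):
        return "netbios-udp"
    if proto == 6 and rec["dport"] in NETBIOS_TCP_PORTS:
        return "netbios-tcp"
    if proto == 1:
        # ICMP: sport holds the type, dport the code.
        if rec["sport"] == ICMP_TIMESTAMP_REQUEST:
            return "icmp-timestamp-request"
        if rec["sport"] == ICMP_TIMESTAMP_REPLY:
            return "icmp-timestamp-reply"
        return "icmp-other"
    if proto == 6 and rec["length"] == 40 and rec["sport"] in (80, 443) and rec["dport"] >= 1024:
        # 40-byte TCP segment (header only) from a web port to a high port: looks like
        # a reply to a connection this host never opened, i.e. backscatter.
        return "tcp-backscatter-like"
    return "other"


def summarize(log_text):
    """Count packet-log lines per label; non-matching syslog lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_packet_log(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return dict(counts)


# Constructed sample: the post's three cases plus an ICMP type 13 line and one accepted SSH SYN.
SAMPLE_LOG = """\
Feb  2 16:29:13 firewall kernel: Packet log: input DENY eth1 PROTO=17 203.0.113.5:896 198.51.100.2:137 L=78 S=0x00 I=52201 F=0x0000 T=103 (#7)
Feb  2 16:29:14 firewall kernel: Packet log: input DENY eth1 PROTO=17 203.0.113.9:138 198.51.100.2:138 L=229 S=0x00 I=9135 F=0x0000 T=115 (#7)
Feb  2 15:39:28 firewall kernel: Packet log: input DENY eth1 PROTO=6 172.16.9.78:80 198.51.100.2:62130 L=40 S=0x00 I=34904 F=0x4000 T=42 (#2)
Feb  2 17:01:02 firewall kernel: Packet log: input DENY eth1 PROTO=1 203.0.113.77:13 198.51.100.2:0 L=40 S=0x00 I=1203 F=0x0000 T=54 (#9)
Feb  2 17:05:40 firewall kernel: Packet log: input ACCEPT eth1 PROTO=6 203.0.113.20:51234 198.51.100.2:22 L=60 S=0x10 I=7 F=0x4000 T=51 (#1)
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_packet_log(line)
        print(f"{classify(rec):28s} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} rule #{rec['rule']}")
    print(summarize(SAMPLE_LOG))
```

Run it against `grep 'Packet log:' /var/log/firewall` output instead of `SAMPLE_LOG` to get a per-label count; the "private-source-on-external" label is the one worth alerting on, since the other three are expected background noise on any Internet-facing interface.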