On Fri, Feb 02, 2001 at 04:50:55PM +0100, Ken Rune Helland said:
> 1. I get a lot of hits on port 137 and 138 like this:
> 
> Feb  2 16:29:13 firewall kernel: Packet log: input DENY eth1 PROTO=17 
> xxx.xxx.xxx.xxx:896 yyy.yyy.yyy.yyy:137 L=78 S=0x00 I=52201 F=0x0000 T=103 (#7)
> 
> Is this people searching for open Windows hosts or are they just
> stray Windows packages from Windows machines (eth1 is the external NIC and
> xxx.xxx.xxx.xxx is an external IP, yyy.yyy.yyy.yyy is the firewall external 
> IP)?
> 
If the source port is also port 137 then it's a Windows machine trying
to "talk" to another Windows machine. If the source port is not 137
then it's usually a scan.

> 
> 3. It seems the firewall logs both in /var/log/messages and /var/log/firewall.
> Is this normal? Can I prevent it (I want the firewall entries just in
> /var/log/firewall)? How?
> 
Take a look at your syslog.conf

HTH,
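
Added example, not part of the original message: a small Python filter that applies the rule of thumb from the reply above to ipchains "Packet log:" lines and tallies the result per source address. The sample log lines and addresses are constructed, the function names are hypothetical, and extending the same-port test to port 138 is an assumption beyond what the reply states.

```python
import re
from collections import Counter

# Layout of an ipchains "Packet log:" entry, as in the quoted log line:
# chain, action, interface, PROTO=n, src:sport, dst:dport, then L=/S=/I=/F=/T=.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
)
UDP = 17
NETBIOS_PORTS = {137, 138}  # 137 is from the reply; treating 138 alike is an assumption

def classify(line):
    """Return (src_ip, label) for a UDP hit on a NetBIOS port, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, sport, dport = int(m["proto"]), int(m["sport"]), int(m["dport"])
    if proto != UDP or dport not in NETBIOS_PORTS:
        return None
    # Rule of thumb from the reply: matching source port means a Windows host
    # doing ordinary NetBIOS traffic; any other source port is usually a scan.
    label = "windows-chatter" if sport == dport else "likely-scan"
    return m["src"], label

def summarize(lines):
    """Count classified hits per (src_ip, label); unparsed lines are skipped."""
    return Counter(hit for hit in map(classify, lines) if hit)

# Constructed sample input (documentation addresses, not real hosts).
PREFIX = "Feb  2 16:29:13 firewall kernel: Packet log: input DENY eth1 "
SAMPLE = [
    PREFIX + "PROTO=17 192.0.2.10:896 198.51.100.1:137 L=78 S=0x00 I=52201 F=0x0000 T=103 (#7)",
    PREFIX + "PROTO=17 192.0.2.10:897 198.51.100.1:137 L=78 S=0x00 I=52202 F=0x0000 T=103 (#7)",
    PREFIX + "PROTO=17 192.0.2.20:137 198.51.100.1:137 L=78 S=0x00 I=4411 F=0x0000 T=113 (#7)",
    PREFIX + "PROTO=17 192.0.2.20:138 198.51.100.1:138 L=229 S=0x00 I=4412 F=0x0000 T=113 (#7)",
    PREFIX + "PROTO=6 192.0.2.30:4000 198.51.100.1:80 L=60 S=0x00 I=900 F=0x4000 T=52 SYN (#7)",
    "Feb  2 16:30:01 firewall cron[812]: unrelated line",
]

if __name__ == "__main__":
    for (src, label), count in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {label:16} {count}")
```

A source that shows up only as `likely-scan` across many destination addresses is a stronger signal than a single hit; the label is a heuristic, not proof of intent.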
