Thanks for the Reply.

-----Original Message-----
From: Ramin Alidousti [mailto:[EMAIL PROTECTED]]
Sent: April 26, 2002 1:48 PM
To: Stewart Thompson
Cc: [EMAIL PROTECTED]
Subject: Re: IGMP Packets - Addenum:

On Fri, Apr 26, 2002 at 01:25:20PM -0700, Stewart Thompson wrote:

> Hi All:
>
> In reviewing my Firewall Logs, I see lots of IGMP dropped packets.
> These are from recognized servers from my ISP, Name Servers etc. I have
> been seeing lots of bad things about ICMP packets, and they seem to be
> related. Does anyone have any comment regarding security risks associated
> with IGMP packets? Any suggested rules?
>
> Stu...........
>
>
> Here is a sample log entry for the above:
>
> What is 224.0.0.1 ?

All Systems on this Subnet [RFC1112,JBP]

Hmmm. I will have to read up on that one. I thought multicast was xxx.xxx.xxx.255

>
> Apr 26 11:59:53 woodstock kernel: FW: IN=eth0 OUT= MAC= XX.XX.XX.XX.XX.XX
> SRC=ISPDEFAULTGATEWAY DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1
> ID=25148 PROTO=2

This is some kind of group management dialog. Now the question is what is it that your ISP's router is announcing? It could be IGMPv2 querying the subnet for members.

That sounds like the most likely thing. It seems to be fairly regular.

If you don't want to use multicast then I'd suggest you to drop 224/4.

>
> Also this one is weird. I don't have a computer at IP 192.168.2.44:
>
> Apr 26 12:11:43 woodstock kernel: FW: IN= OUT=eth1 SRC=EXTIP
> DST=192.168.2.44 LEN=251 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138
> DPT=138 LEN=231

This one is a Microsoft thing (netbios-dgm 138/udp). Are you running samba?

Ramin

Yes I have Samba running on 3 Linux machines

>
>
> Eth0=External Interface
> Eth1=Internal Interface
>

Regards,
Stu........
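
An added example, not part of the original messages: a small Python triage script that parses kernel netfilter log lines of the kind quoted above and groups them by the categories discussed in the thread (IGMP to 224.0.0.1, other 224/4 multicast, netbios-dgm 138/udp). The sample lines and all addresses in them are constructed, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the log format quoted in the thread
# (documentation-range addresses, not values from the original messages).
SAMPLE_LOG = """\
Apr 26 11:59:53 woodstock kernel: FW: IN=eth0 OUT= MAC= SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=25148 PROTO=2
Apr 26 12:11:43 woodstock kernel: FW: IN= OUT=eth1 SRC=192.0.2.10 DST=192.168.2.44 LEN=251 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=231
Apr 26 12:12:01 woodstock kernel: FW: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=40112 DPT=23
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
PROTO_NAMES = {"2": "IGMP"}  # TCP/UDP/ICMP are logged by name, others by number


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first LEN (IP length), not the UDP one
    return fields


def classify(fields):
    """Label one parsed entry by protocol and destination class."""
    proto = PROTO_NAMES.get(fields.get("PROTO"), fields.get("PROTO", "?"))
    dst = fields.get("DST", "")
    try:
        multicast = ipaddress.ip_address(dst) in MULTICAST
    except ValueError:  # redacted or malformed address, e.g. DST=EXTIP
        multicast = False
    if proto == "IGMP" and dst == "224.0.0.1":
        return "IGMP to all-systems group 224.0.0.1"
    if multicast:
        return f"{proto} to multicast 224.0.0.0/4"
    if proto == "UDP" and fields.get("DPT") == "138":
        return "netbios-dgm 138/udp"
    return f"{proto} other"


def summarise(text):
    """Count log entries per category across a block of log text."""
    return Counter(classify(parse_line(l)) for l in text.splitlines() if " kernel: " in l)


if __name__ == "__main__":
    for label, count in summarise(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {label}")
```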
