From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] OT: A netbios-ssn blocking rule?
Date: Fri, 18 Aug 2006 19:59:59 +0000 (UTC)

Hello,

My iptables based firewall seems to be working. However, I keep getting triplets of this activity:

Problem (2286 > netbios-ssn)

source       dest.        proto  info
curious.ip   www.me.com   tcp    2286 > netbios-ssn Seq=0 Len=0 MSS=1460
www.me.com   curious.ip   tcp    netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

Any ideas on a rule to drop these requests to my web server?

Similarly, I see the same thing except the info section is slightly different:

Similar problem (2469 > microsoft-ds)

rouge.ip     www.me.com   tcp    2469 > microsoft-ds Seq=0 Len=0 MSS=1460

and the response from my firewall is similar:

www.me.com   rouge.ip     tcp    microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

Other problems are (the info section is the only difference):

epmap > 3081
3081 > epmap

Each of these appears in triplets... and seems useless. Are they part of something stupidly done by Microsoft? I think not, because they occur quite frequently, almost systematically, leading me to suspect they are part of nefarious activities. The only change is the port numbers (2286; 2469; 3081), and the source IP address changes after each triplet of queries.
Any ideas, information and iptables rules to silently drop these queries are most welcome. I see them all day long. James -- gentoo-user@gentoo.org mailing list
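As an added example (not from this thread and not James's own configuration): the iptables rules a Linux web server can use to drop these epmap/netbios-ssn/microsoft-ds probes silently, with a rate-limited LOG so the scans stay visible in syslog. The chain name SMB_PROBE and the IPT variable are my own; the rules assume the multiport and limit match extensions are available.

```shell
#!/bin/sh
# Added example: silently drop NetBIOS/SMB/RPC probes on a web server.
# IPT defaults to "echo iptables" so the rules can be previewed without
# root; run with IPT=iptables as root to actually install them.
IPT="${IPT:-echo iptables}"

# Ports seen in the trace: epmap=135/tcp, netbios-ssn=139/tcp,
# microsoft-ds=445/tcp. NetBIOS name/datagram services use 137-138/udp.
SMB_TCP_PORTS="135,139,445"
NB_UDP_PORTS="137,138"

smb_probe_rules() {
    # Dedicated chain: log (rate-limited so a scan cannot flood syslog),
    # then DROP. DROP, not REJECT, so no RST,ACK is sent back and the
    # scanner learns nothing about the host.
    $IPT -N SMB_PROBE
    $IPT -A SMB_PROBE -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "SMB-PROBE: " --log-level 4
    $IPT -A SMB_PROBE -j DROP
    # Send the probe ports from INPUT into that chain.
    $IPT -A INPUT -p tcp -m multiport --dports "$SMB_TCP_PORTS" -j SMB_PROBE
    $IPT -A INPUT -p udp -m multiport --dports "$NB_UDP_PORTS" -j SMB_PROBE
}

# Returns 0 when the given destination port is one the rules silence,
# handy for checking a firewall log line against the policy.
is_smb_probe_port() {
    case ",$SMB_TCP_PORTS,$NB_UDP_PORTS," in
        *,"$1",*) return 0 ;;
        *)        return 1 ;;
    esac
}

smb_probe_rules
```

Because the SYN is discarded rather than rejected, the host no longer emits the [RST, ACK] seen in the trace, which is the kernel's normal reply to a connection attempt on a closed port.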