[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: CSI (Security Policy) Help



On Sat, 31 Jan 2009, Frank Chiulli wrote:

> So I've implemented the CSI (Security Policy) as previously posted by Mike
> (http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singel/)
>
> Now I'm seeing the following messages in /var/log/messages:
> Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:16:01:41:10:5b:08:00 SRC=192.168.2.248
> DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=137 DPT=137 LEN=58
>
> Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:0e:3b:02:0e:b7:08:00 SRC=192.168.2.250
> DST=192.168.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=138 DPT=138 LEN=209
>
>
> 192.168.2.248 is a NAS device
> 192.168.2.250 is a Hawking print server
>
> I'm not an iptables expert.  Usually I just leave it alone.  Can
> someone help me write one or more rules to eliminate the messages?
>

I suspect that before you were blocking these messages but didn't notice.
You'll see the "DPT=137" and "DPT=138".  Those are both ports that the
various IP's are trying to hit on your machine.  If you check out those
ports in /etc/services

In this case those devices seem to be using netbios.  If you want to get
rid of them you can just remove the:

-A INPUT -j LOG --log-prefix "FW-REJECT "

Or setup netbios, or block the ports explicitly or allow it and let them
drop naturally.

	-Mike


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]