
odd firewall log


CMKoehler
Member
 
Join Date: Nov 2005
 
2006-02-01, 14:47

Hello all,

I have been getting weird logs in my ipfw.log file, and I don't know why. They seem to come from the outside and to be related to netbios, but I cannot figure it out.

Here is a snippet. I am getting dozens a second.

Code:
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.213.153:137 129.15.215.255:137 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.215.247:138 129.15.215.255:138 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.214.64:138 129.15.215.255:138 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.213.203:3926 255.255.255.255:712 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 169.254.167.31:137 169.254.255.255:137 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.214.130:138 129.15.215.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.214.130:137 129.15.215.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.213.220:137 129.15.215.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.192.143:137 169.254.255.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.215.108:1049 255.255.255.255:7100 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.146.228:138 169.254.255.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.213.94:138 129.15.215.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.252.17:138 169.254.255.255:138 in via en1
Weird thing is, almost all of those aren't even my IP address. I am on a public University network right now.

Thanks for your ideas!
Majost
monkey with a tiny cymbal
 
Join Date: Nov 2004
Location: Lost
 
2006-02-01, 15:30

The IPs that you're seeing are called broadcast IPs. They go to everyone in that subnet. For example: 129.15.215.255 goes to any computer with an IP of 129.15.215.xxx. Or 255.255.255.255 would theoretically be broadcast to everyone on the internet. Thing is, the internet has protection against their use since they are abused so terribly often by viruses and hackers looking for boxes.

What you're seeing, however, is most likely neither. You're getting computers scanning you for possible windows shares (ports 137-139) or iTunes shared music (port 3626). There are probably other services that will ping your computer as well, and they just aren't on the snippet that you listed. But, your firewall is catching these requests, and denying them - just like it should.

I wouldn't worry about it. Nobody is trying to hack your computer, nor are you especially targeted. It's just a side effect of being on a very large network. (I'm fairly certain that my uni has the broadcast IP disabled through their switches, but it's been a while since I've lived on campus).
CMKoehler
Member
 
Join Date: Nov 2005
 
2006-02-01, 15:41

Thanks for the answer! I wasn't afraid I was being hacked.
How would I turn logging off on those particular packages without turning logging off anything else?
Or better, is there a disadvantage about logging all those in terms of log file size and performance decrease?

Thanks!
Majost
monkey with a tiny cymbal
 
Join Date: Nov 2004
Location: Lost
 
2006-02-01, 15:51

How are you setting up your firewall? Turning off the logging would depend upon how you have it set up.

I think that logging is off by default under the Mac OS X config of ipfw, but that may have changed with 10.4 - I don't own 10.4 so I can't check. If you're using Brickhouse or the command line tool straight up, it may be best just to post your ruleset, and then I could easily advise changes to turn it off.

As far as performance and log file size goes, you shouldn't see a performance hit for the log files... and the size really shouldn't get too exorbitant. Mac OS X does a good job rotating these logs and keeping only the last two weeks or so worth of logs. If these two weeks' worth of logs are getting large, then you may want to turn some of it off. I personally don't mind the size (it's really not that big), but I do mind that it's harder for me to see the real threats to my firewall. So, it's probably on that basis that you'd be interested in changing things. But that's just me.
CMKoehler
Member
 
Join Date: Nov 2005
 
2006-02-01, 15:57

I agree with you. I am using Flying Buttress (new name for Brickhouse), but have no idea on how to post my ruleset. The one in FB seems to be too short, since the rule applied here is 55011, but it won't show in FB. How would I get it from the terminal?
CMKoehler
Member
 
Join Date: Nov 2005
 
2006-02-01, 16:02

Ah, Google.

Here it goes
Code:
01000 3227 502520 allow ip from any to any via lo*
01003 0 0 check-state
01005 57 50745 allow ip from any to any frag
01006 46 2576 allow icmp from any to any icmptypes 0,3,4,11,12,13,14
02000 1361 231785 allow ip from any to any via lo*
02000 0 0 allow udp from any 67-68 to any dst-port 67-68 via en0
02001 0 0 allow udp from any to 255.255.255.255 dst-port 67-68 via en0
02002 0 0 reject log ip from any to any ipoptions ssrr,lsrr via en0
02003 0 0 allow udp from any 123 to any dst-port 1024-65535,123 via en0
02004 0 0 allow udp from any 5353 to any dst-port 5353 via en0
02005 0 0 allow icmp from any to any via en0
02006 0 0 allow tcp from any 20-21 to any dst-port 1024-65535 in via en0
02007 0 0 allow udp from any to any dst-port 53 out via en0 keep-state
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 1911 338707 allow tcp from any to any out
02060 2357 947483 allow tcp from any to any established
02070 0 0 allow tcp from any to any dst-port 80 in
02080 0 0 allow tcp from any to any dst-port 427 in
02090 0 0 allow tcp from any to any dst-port 443 in
02100 0 0 allow tcp from any to any dst-port 139 in
05000 3240 1070096 allow udp from any 67-68 to any dst-port 67-68 via en1
05001 10 4011 allow udp from any to 255.255.255.255 dst-port 67-68 via en1
05002 0 0 reject log ip from any to any ipoptions ssrr,lsrr via en1
05003 0 0 allow udp from any 123 to any dst-port 1024-65535,123 via en1
05004 9536 2576179 allow udp from any 5353 to any dst-port 5353 via en1
05005 0 0 allow icmp from any to any via en1
05006 0 0 allow tcp from any 20-21 to any dst-port 1024-65535 in via en1
05007 86 12740 allow udp from any to any dst-port 53 out via en1 keep-state
05008 0 0 deny tcp from any to 192.168.13.3 dst-port 135-139,445 setup in via en1
05009 0 0 deny udp from any to 192.168.13.3 dst-port 135-139,445,65534,65535 in via en1
12190 1 48 deny tcp from any to any
20000 0 0 deny icmp from any to me in icmptypes 8
20310 0 0 allow udp from any to any dst-port 53 in
20320 2 656 allow udp from any to any dst-port 68 in
20321 0 0 allow udp from any 67 to me in
20322 0 0 allow udp from any 5353 to me in
20340 11562 952992 allow udp from any to any dst-port 137 in
20350 725 50628 allow udp from any to any dst-port 427 in
20360 573 90331 allow udp from any to any dst-port 631 in
20370 120 14356 allow udp from any to any dst-port 5353 in
22000 0 0 allow udp from any to any dst-port 137 in
22010 8088 1824871 allow udp from any to any dst-port 138 in
30510 124 18096 allow udp from me to any out keep-state
30520 0 0 allow udp from any to any in frag
35000 2793 544902 deny udp from any to any in
52008 0 0 allow ip from any to any out via en0 keep-state
52009 0 0 deny log ip from any to any in via en0
55010 3 96 allow ip from any to any out via en1 keep-state
55011 929 41076 deny log ip from any to any in via en1
65535 9 348 allow ip from any to any
The most general entry catches this, so I don't want to turn this one off, just add a new one I guess that doesn't log those connections.

Thanks!
Majost
monkey with a tiny cymbal
 
Join Date: Nov 2004
Location: Lost
 
2006-02-01, 16:54

Hm... I haven't used Brickhouse much so I don't know precisely how to change the rules through the program, but I can tell you what you're going to want to change.

You'll want to move rule 55011 to 55013, and add new rules 55011, 55012 that state:
55011 deny ip from 129.15.212.0/22 to any in
55012 deny ip from any to 169.254.0.0/16 in
[55013 deny log ip from any to any in via en1]

Now 55011 will simply deny any requests coming from within your university (I'm guessing on the subnet based on the numbers you gave. It matches 129.15.212-215.xxx. You can check it in Network Setup, I believe). This is trusting that you won't get any serious hack attempts (that you would want in your log) from within your campus.

The second rule will filter out attempts at contacting your computer on the 'self-assigned' block of IP addresses. You should have a good IP address from your college, and shouldn't have that kind of address. It's a silly 'feature' that computers that don't get IP addresses automatically set themselves to a random ip in that network. You could also reverse the from and to sections of this rule, and it should work about the same.

Now as far as how to tell Brickhouse (or Flame Thrower or whatever it's called) to implement that is not my area of expertise. Maybe someone else could help you there.
CMKoehler
Member
 
Join Date: Nov 2005
 
2006-02-01, 19:05

Hm, I just uninstalled Brickhouse, and am trying to find the file that has all the rules in it. Can anyone help me out please?
CMKoehler
Member
 
Join Date: Nov 2005
 
2006-02-01, 22:41

Never mind, it's a shell script since ipfw is a kernel module.
Thanks for all the help!