Member
Join Date: Nov 2005
Hello all,
I have been getting weird logs in my ipfw.log file, and I don't know why. They seem to come from the outside and to be related to netbios, but I cannot figure it out. Here is a snippet. I am getting dozens a second. Code:
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.213.153:137 129.15.215.255:137 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.215.247:138 129.15.215.255:138 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.214.64:138 129.15.215.255:138 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.213.203:3926 255.255.255.255:712 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 169.254.167.31:137 169.254.255.255:137 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.214.130:138 129.15.215.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.214.130:137 129.15.215.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.213.220:137 129.15.215.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.192.143:137 169.254.255.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.215.108:1049 255.255.255.255:7100 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.146.228:138 169.254.255.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.213.94:138 129.15.215.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.252.17:138 169.254.255.255:138 in via en1
Weird thing is, almost all of those aren't even my IP address. I am on a public University network right now. Thanks for your ideas!
monkey with a tiny cymbal
Join Date: Nov 2004
Location: Lost
The IPs that you're seeing are called broadcast IPs. They go to everyone in that subnet. For example: 129.15.215.255 goes to any computer with an IP of 129.15.215.xxx. Or 255.255.255.255 would theoretically be broadcast to everyone on the internet. Thing is, the internet has protection against their use since they are abused so terribly often by viruses and hackers looking for boxes.
What you're seeing, however, is most likely neither. You're getting computers scanning you for possible windows shares (ports 137-139) or iTunes shared music (port 3626). There are probably other services that will ping your computer as well, and they just aren't on the snippet that you listed. But, your firewall is catching these requests, and denying them - just like it should. I wouldn't worry about it. Nobody is trying to hack your computer, nor are you especially targeted. It's just a side effect of being on a very large network. (I'm fairly certain that my uni has the broadcast IP disabled through their switches, but it's been a while since I've lived on campus.)
Member
Join Date: Nov 2005
|
Thanks for the answer! I wasn't afraid I was being hacked.
How would I turn logging off on those particular packets without turning logging off for anything else? Or better, is there a disadvantage to logging all those in terms of log file size and performance decrease? Thanks!
monkey with a tiny cymbal
Join Date: Nov 2004
Location: Lost
How are you setting up your firewall? Turning off the logging would depend upon how you have it set up.
I think that logging is off by default under the Mac OS X config of ipfw, but that may have changed with 10.4 - I don't own 10.4 so I can't check. If you're using Brickhouse or the command line tool straight up, it may be best just to post your ruleset, and then I could easily advise changes to turn it off. As far as performance and log file size goes, you shouldn't see a performance hit for the log files... and the size really shouldn't get too exorbitant. Mac OS X does a good job rotating these logs and keeping only the last two weeks or so worth of logs. If these two weeks' worth of logs are getting large, then you may want to turn some of it off. I personally don't mind the size (it's really not that big), but I do mind that it's harder for me to see the real threats to my firewall. So, it's probably on that basis that you'd be interested in changing things. But that's just me.
Member
Join Date: Nov 2005
I agree with you. I am using Flying Buttress (new name for Brickhouse), but have no idea on how to post my ruleset. The one in FB seems to be too short, since the rule applied here is 55011, but it won't show in FB. How would I get it from the terminal?
Member
Join Date: Nov 2005
Ah, Google.
Here it goes Code:
01000 3227 502520 allow ip from any to any via lo*
01003 0 0 check-state
01005 57 50745 allow ip from any to any frag
01006 46 2576 allow icmp from any to any icmptypes 0,3,4,11,12,13,14
02000 1361 231785 allow ip from any to any via lo*
02000 0 0 allow udp from any 67-68 to any dst-port 67-68 via en0
02001 0 0 allow udp from any to 255.255.255.255 dst-port 67-68 via en0
02002 0 0 reject log ip from any to any ipoptions ssrr,lsrr via en0
02003 0 0 allow udp from any 123 to any dst-port 1024-65535,123 via en0
02004 0 0 allow udp from any 5353 to any dst-port 5353 via en0
02005 0 0 allow icmp from any to any via en0
02006 0 0 allow tcp from any 20-21 to any dst-port 1024-65535 in via en0
02007 0 0 allow udp from any to any dst-port 53 out via en0 keep-state
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 1911 338707 allow tcp from any to any out
02060 2357 947483 allow tcp from any to any established
02070 0 0 allow tcp from any to any dst-port 80 in
02080 0 0 allow tcp from any to any dst-port 427 in
02090 0 0 allow tcp from any to any dst-port 443 in
02100 0 0 allow tcp from any to any dst-port 139 in
05000 3240 1070096 allow udp from any 67-68 to any dst-port 67-68 via en1
05001 10 4011 allow udp from any to 255.255.255.255 dst-port 67-68 via en1
05002 0 0 reject log ip from any to any ipoptions ssrr,lsrr via en1
05003 0 0 allow udp from any 123 to any dst-port 1024-65535,123 via en1
05004 9536 2576179 allow udp from any 5353 to any dst-port 5353 via en1
05005 0 0 allow icmp from any to any via en1
05006 0 0 allow tcp from any 20-21 to any dst-port 1024-65535 in via en1
05007 86 12740 allow udp from any to any dst-port 53 out via en1 keep-state
05008 0 0 deny tcp from any to 192.168.13.3 dst-port 135-139,445 setup in via en1
05009 0 0 deny udp from any to 192.168.13.3 dst-port 135-139,445,65534,65535 in via en1
12190 1 48 deny tcp from any to any
20000 0 0 deny icmp from any to me in icmptypes 8
20310 0 0 allow udp from any to any dst-port 53 in
20320 2 656 allow udp from any to any dst-port 68 in
20321 0 0 allow udp from any 67 to me in
20322 0 0 allow udp from any 5353 to me in
20340 11562 952992 allow udp from any to any dst-port 137 in
20350 725 50628 allow udp from any to any dst-port 427 in
20360 573 90331 allow udp from any to any dst-port 631 in
20370 120 14356 allow udp from any to any dst-port 5353 in
22000 0 0 allow udp from any to any dst-port 137 in
22010 8088 1824871 allow udp from any to any dst-port 138 in
30510 124 18096 allow udp from me to any out keep-state
30520 0 0 allow udp from any to any in frag
35000 2793 544902 deny udp from any to any in
52008 0 0 allow ip from any to any out via en0 keep-state
52009 0 0 deny log ip from any to any in via en0
55010 3 96 allow ip from any to any out via en1 keep-state
55011 929 41076 deny log ip from any to any in via en1
65535 9 348 allow ip from any to any
The most general entry catches this, so I don't want to turn this one off, just add a new one I guess that doesn't log those connections. Thanks!
monkey with a tiny cymbal
Join Date: Nov 2004
Location: Lost
Hm... I haven't used Brickhouse much so I don't know precisely how to change the rules through the program, but I can tell you what you're going to want to change.
You'll want to move rule 55011 to 55013, and add new rules 55011, 55012 that state:
55011 deny ip from 129.15.212.0/22 to any in
55012 deny ip from any to 169.254.0.0/16 in
[55013 deny log ip from any to any in via en1]
Now 55011 will simply deny any requests coming from within your university (I'm guessing on the subnet based on the numbers you gave. It matches 129.15.212-215.xxx. You can check it in Network Setup, I believe). This is trusting that you won't get any serious hack attempts (that you would want in your log) from within your campus. The second rule will filter out attempts at contacting your computer on the 'self-assigned' block of IP addresses. You should have a good IP address from your college, and shouldn't have that kind of address. It's a silly 'feature' that computers that don't get IP addresses automatically set themselves to a random IP in that network. You could also reverse the from and to sections of this rule, and it should work about the same. Now as far as how to tell Brickhouse (or Flame Thrower or whatever it's called) to implement that is not my area of expertise. Maybe someone else could help you there.
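Added example for this thread (not code from the original posts, from Flying Buttress, or from ipfw itself): a small simulator that runs the posted ipfw.log lines through the three rules proposed above in ipfw's first-match order, so you can see which rule would swallow each packet and what would still reach the log. It models rules in a simplified form (source network, destination network, direction, optional interface; no protocol or ports), which is enough for these three rules but is not a parser for a real ruleset. The 129.15.212.0/22 subnet is the reply's own guess; the final log line (source 203.0.113.9, a documentation address) is constructed to stand in for an off-campus probe that you would still want logged.

```python
"""Simulate first-match ipfw evaluation over ipfw.log lines (hypothetical model)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The 13 lines posted in the thread plus one constructed off-campus TCP probe.
SAMPLE_LOG = """\
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.213.153:137 129.15.215.255:137 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.215.247:138 129.15.215.255:138 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.214.64:138 129.15.215.255:138 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.213.203:3926 255.255.255.255:712 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 169.254.167.31:137 169.254.255.255:137 in via en1
Feb 1 13:45:25 iBook ipfw: 55011 Deny UDP 129.15.214.130:138 129.15.215.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.214.130:137 129.15.215.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.213.220:137 129.15.215.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.192.143:137 169.254.255.255:137 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.215.108:1049 255.255.255.255:7100 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.146.228:138 169.254.255.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 129.15.213.94:138 129.15.215.255:138 in via en1
Feb 1 13:45:26 iBook ipfw: 55011 Deny UDP 169.254.252.17:138 169.254.255.255:138 in via en1
Feb 1 13:45:27 iBook ipfw: 55011 Deny TCP 203.0.113.9:4444 129.15.215.50:22 in via en1
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    direction: str
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "deny" or "allow"
    log: bool                         # True if a match is written to ipfw.log
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # interface name, or None for any

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.direction is None or pkt.direction == self.direction)
                and (self.iface is None or pkt.iface == self.iface))


ANY = ipaddress.ip_network("0.0.0.0/0")

# The reply's proposed ordering: campus and link-local noise dropped silently,
# everything else inbound on en1 still denied and logged.
PROPOSED_RULES = [
    Rule(55011, "deny", False, ipaddress.ip_network("129.15.212.0/22"), ANY, "in"),
    Rule(55012, "deny", False, ANY, ipaddress.ip_network("169.254.0.0/16"), "in"),
    Rule(55013, "deny", True, ANY, ANY, "in", "en1"),
]


def parse_log(text: str) -> list[Packet]:
    """Extract the packet fields from each ipfw.log line; skip lines that do not match."""
    packets = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            packets.append(Packet(m["proto"], ipaddress.ip_address(m["src"]),
                                  ipaddress.ip_address(m["dst"]),
                                  m["direction"], m["iface"]))
    return packets


def first_match(pkt: Packet, rules: list[Rule]) -> Optional[Rule]:
    """ipfw walks rules in ascending number order and stops at the first hit."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule
    return None


def summarize(text: str, rules: list[Rule]) -> dict[str, int]:
    """Per rule number, how many packets it catches; 'logged' counts log-flagged hits."""
    counts: dict[str, int] = {"logged": 0}
    for pkt in parse_log(text):
        rule = first_match(pkt, rules)
        key = str(rule.number) if rule else "unmatched"
        counts[key] = counts.get(key, 0) + 1
        if rule is not None and rule.log:
            counts["logged"] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG, PROPOSED_RULES).items()):
        print(f"{key:>9}: {n}")
```

Running it shows the nine campus-sourced broadcasts stopping at 55011, the four link-local ones at 55012, and only the constructed off-campus line reaching the logging rule. Two things the simulation makes visible: ordering matters, so the silent deny rules only help if their numbers sort below the logging rule; and the two new rules carry no `via en1`, so they also apply to en0. On the Mac itself the equivalent would be `sudo ipfw delete 55011` followed by `sudo ipfw add 55011 deny ip from 129.15.212.0/22 to any in` and the other two `ipfw add` lines, which is the same syntax the posted ruleset uses.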
Member
Join Date: Nov 2005
|
Hm, I just uninstalled Brickhouse, and am trying to find the file that has all the rules in it. Can anyone help me out please?
Member
Join Date: Nov 2005
Never mind, it's a shell script, since ipfw is a kernel module.
Thanks for all the help! |