Re: OT udp port 138 BROWSER traffic
From: Newsbox (newsbox_at_MAPS_ON_customers-of-adelphia.org)
Date: 12/30/03
- Previous message: gjrportier_at_home.nl: "Get Rich Legally & Qucikly!!!!.nws"
- In reply to:(deleted message) Brad Olin: "Re: OT udp port 138 BROWSER traffic"
- Next in thread: NeoSadist: "Re: OT udp port 138 BROWSER traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Dec 2003 17:45:30 -0500
On Tue, 30 Dec 2003 15:49:55 -0500, Brad Olin wrote:
> On Tue, 30 Dec 2003 15:19:40 -0500, Newsbox
> <newsbox@MAPS_ON_customers-of-adelphia.org> wrote:
>
>>So my question is, what kind of security risk, if any, does the NT
>>workstation run by having this BROWSER service running on a public
>>network? Is there ever a good reason or justification to run that
>>publicly, or is that not recommended? I'm just looking for some kind of
>>general frame of reference.
>>
>>
> There isn't really a risk to your linux firewall box, but there are
> potential problems with people outside the firewall looking at disk info
> that resides on windows boxes that are inside your firewall. The best
> policy is just to drop all ms browser traffic. The below netfilter rules
> will do the trick. Please know that you will need to adjust these if
> you want samba to work on the inside nic of your firewall.
>
>
> # drop all Microsoft peer-to-peer networking traffic
> /sbin/iptables -A INPUT -p udp --dport 137:138 -j DROP
> /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
>
>
>>Also while we are off topic, is there any reason to believe that this
>>kind of BROWSER broadcast would make a properly configured router
>>stumble? (It was a broadcast packet, 243 bytes long.) This is a Cisco
>>router but that is all I know about it. Is there a better or more
>>meaningful way to test, rather than using ping?
>>
>>
> Take a look at traceroute and nmap... there are lots of good tools and
> your question is a bit vague, so I'm uncertain how to best answer this
> one. Post again, with more specifics, if that's not what you were
> looking for.
>
>
> Brad
Thanks Brad,
I seldom power up a Windows OS any more, and it is even more rare that I
send or receive any public network traffic from them. I believe that at
some point I have gone into each Windows machine and disabled peer-to-peer
networking, but I would check that again before connecting, even behind
the Linux firewall, "just in case".
Thanks for the nice, specific firewall rules. - I always like to triple
check anything I do with iptables, because it always looks to me as if it
might be easy to make a mistake if not careful. I have been using rules
that are based on the ones that the "Firestarter" script generated, with a
few extra rules added, and I have checked that all these rules are working
with several scanning services (grc.com and nessus, if I remember
correctly, among some others.) The ports 137-139 were properly closed
("stealthed") last time I checked, and I'll check again. Thanks very much.
The situation is frankly that I am kind of running out of time to be
patient with a very spotty (intermittent) dsl connection, and I'm at the
point of changing dsl providers. I have alternate dial-up service that
works fine, but uses up the Lady's voice line, naturally :( The dsl
issues extend from at least June, and I could say more, but won't.
It occurred to me that, like many other businesses today, they may be
short-handed and may not have the time or expertise to track all the
issues that are interfering with my connection at their end. And that if
I could tell them exactly what some of the causes of the problems at their
end specifically were, there would be a higher probability that they would
be quickly corrected.
To this end I have been periodically checking the connection between my
firewall/router and their gateway, which is a cisco router. This was all
going on before the major emergency Cisco router IOS upgrade the week of
July 15, 2003. This past week I began using Ethereal network traffic
analyzer to see if I could detect anything unusual happening at those
times that my traffic was being ignored. And I should say that this is
not a signal issue, and it is not at my end. What is actually happening is
the router (gateway) is simply ignoring my traffic, while occasionally
sending me traffic of its own at the same time.
It was never my intention to publicly embarrass them, and still is not, and
that is probably why I was somewhat vague in my question. I apologize to
you for that. I have found some things that were happening concurrent
with the connection problems, that seemed so entirely wrong that even I as
a home user with no formal computer science training, had to know they
were wrong. That router was broadcasting ARP requests to find an IP
address that was in fact its own interface address, and that was causing
loss of ping replies. I told them and it appears to have stopped now.
There were ARP requests coming at me for 10.xxx.xxx.xxx addresses, and
that was causing the gateway router to ignore my traffic and stop
replying. I told them and it appears to have stopped now.
I am still losing traffic, as measured by ping, however I am also losing
apparently just about any kind of traffic that I happen to be sending when
their router develops some problem. That kind of problem seems to be
occurring when it gets a MS BROWSER announcement as I described. I know
that 10... addresses do not belong on a public network. But I do not know
if BROWSER announcements belong on the public network, or what the risks
might be to the individual(s) who are using those NT workstations. If
they are inadvertently exposing themselves to unwanted security risks by
running this service (if that's what it is called), and if that same
traffic is interfering with my connection, then maybe the best answer is
to just have them disable that service.
Another apparent hurdle is that the ISP doesn't want to acknowledge that
losing some ping replies is anything to be concerned about, and I would
have to agree, in principle. But they do respect the seriousness of
losing DNS. I have a script that I wrote that uses ping and writes a log
of each connection loss. If I knew how to do that same thing, but using
say DNS requests and replies they would be more willing to take the issue
seriously. I don't know how to do this with say DNS or some other, higher
priority protocol.
And I don't know how serious a security issue it would be for a MS Windows NT
workstation user to be running BROWSER announcements and possibly be
unintentionally and unknowingly opening their computer to the public.
They might appreciate a "heads-up" and the chance to protect themselves.
Possibly?
This whole connection issue, one way or another, is not going to go on
very much longer. I work from home and I need a reliable connection. I
apologize again for being somewhat vague in my original post. And I thank
you very much for your kind and knowledgeable suggestions and offer of
help. It is truly appreciated.
Best wishes.
-- Remove the backwards _NO_SPAM for e-mail ... Trying to cut down on the backwards NEWS virus mail Thanks !!
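The post above asks how to log connection loss using DNS requests and replies instead of ping, so that the ISP sees failures in a protocol it takes seriously. The following is an added example, not the poster's own ping script and not code from the thread. It builds a minimal DNS A query by hand over UDP, sends it straight to the ISP's resolver (the resolver address and the queried name are placeholders you would substitute), records each probe as OK or FAIL with a timestamp in a plain-text log, and can later fold consecutive FAIL lines into outage intervals to hand to the provider. Querying the provider's resolver directly, rather than a public one, keeps the probe on the same gateway path the poster is troubleshooting.

```python
#!/usr/bin/env python3
"""DNS-based connection-loss logger (added example, not the original poster's script)."""
import random
import socket
import struct
import sys
import time

# Placeholders: replace with the ISP's resolver and a name you expect it to answer.
DEFAULT_SERVER = "192.0.2.53"      # hypothetical resolver address (TEST-NET-1)
DEFAULT_NAME = "www.example.com"   # name to look up on each probe


def build_query(name, qid):
    """Return the wire form of a recursive DNS A/IN query for `name` with transaction id `qid`."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, expected_id):
    """Return (rcode, answer_count) from a DNS reply header; raise ValueError if it is not ours."""
    if len(data) < 12:
        raise ValueError("short packet")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")   # stray or spoofed reply, not our answer
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, an


def probe(server=DEFAULT_SERVER, name=DEFAULT_NAME, timeout=2.0):
    """Send one query and report success with round-trip time, or failure with the reason."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
        rcode, answers = parse_response(data, qid)
    except (OSError, ValueError) as e:       # socket.timeout is an OSError subclass
        return {"ok": False, "rtt_ms": None, "error": str(e) or type(e).__name__}
    finally:
        sock.close()
    return {"ok": True, "rtt_ms": (time.monotonic() - start) * 1000.0,
            "rcode": rcode, "answers": answers}


def format_log_line(ts, result):
    """One log line per probe: '<timestamp> OK <rtt>ms rcode=<n> answers=<n>' or '<timestamp> FAIL <reason>'."""
    if result["ok"]:
        return "%s OK %.1fms rcode=%d answers=%d" % (ts, result["rtt_ms"], result["rcode"], result["answers"])
    return "%s FAIL %s" % (ts, result["error"])


def monitor(server, logfile, interval=10.0, max_probes=None):
    """Probe forever (or `max_probes` times), appending one line per probe to `logfile`."""
    n = 0
    with open(logfile, "a") as log:
        while max_probes is None or n < max_probes:
            ts = time.strftime("%Y-%m-%dT%H:%M:%S")
            log.write(format_log_line(ts, probe(server)) + "\n")
            log.flush()
            n += 1
            time.sleep(interval)


def outage_intervals(log_lines):
    """Fold consecutive FAIL lines into (first_fail_ts, last_fail_ts, failed_probes) tuples."""
    outages, current = [], None
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        ts, status = parts[0], parts[1]
        if status == "FAIL":
            if current is None:
                current = [ts, ts, 0]
            current[1] = ts
            current[2] += 1
        elif current is not None:
            outages.append(tuple(current))
            current = None
    if current is not None:
        outages.append(tuple(current))
    return outages


if __name__ == "__main__":
    # usage: dnsprobe.py <resolver-ip> <logfile> [interval-seconds]
    srv, path = sys.argv[1], sys.argv[2]
    monitor(srv, path, float(sys.argv[3]) if len(sys.argv) > 3 else 10.0)
```

Run it against the provider's resolver for a day, then feed the log through `outage_intervals` to get start/end times and counts for each gap; that is something the ISP can correlate against its own gateway logs, unlike a bare count of lost pings. The transaction-id check matters even for a monitoring tool: without it a late or unrelated reply would be counted as a successful probe.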