Re: Should I configure a firewall to allow multicast?



On Mon, 23 Mar 2009, in the Usenet newsgroup comp.security.firewalls, in article
<49c78ef7@xxxxxxxxxxxxx>, Dave wrote:

I'm using IP filter on a Sun workstation (IP 192.168.1.9) and see the
firewall is blocking various hosts to 192.168.1.255 port 138. Note
this machine is not a router, so really no machine on the network
should rely on this one even being running.

Let's have a look at the output of '/sbin/ifconfig -a' and
'/sbin/route -n'. This smells like a bit of confusion on your part
related to addresses used in IP.

Anyway, this is my ipfilter log, showing data from 192.168.1.101 (a
PC) port 138 and 192.168.1.128 (another PC) going to 192.168.1.255
(this is not any machine as such).

Are 192.168.1.101 and 192.168.1.128 running Samba, or windoze?
Both RFC0791 and RFC1122 were written long before "Classless
Inter-Domain Routing" (CIDR) (RFC1519), but this sounds like normal
_broadcast_ activity.

pass out quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137
pass in quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137

You're implying that /sbin/ifconfig and /sbin/route would show a local
network running from 192.168.1.0 through 192.168.1.255 which would
show up as a network mask of 255.255.255.0 or FFFFFF00. In that case,
192.168.1.0 would be the "network address" which in SOME operating
systems can also be used as a host address, and 192.168.1.255 is the
broadcast address - received by every host on the subnet. Broadcasts
are normally used when the sending system doesn't know the correct
address of the destination, or in packets destined for all systems.
This is quite normal.

So I'm not sure if it's best to allow these packets or stop them. If
it's better to allow them, which is a suitable firewall rule for
ipfilter?

Is everything working OK? Are you simply worried that having packets
sent to this "unknown" (to you) address is/maybe harmful? I don't use
windoze or Samba, but understand that packets to the local broadcast
address are normal for that protocol.

Old guy
.
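The check Old guy is pointing at (work out from the interface address and netmask what 192.168.1.255 actually is, then read the log against that) can be scripted. The following is an added example for this thread, not code from either poster. The log lines are constructed in the layout ipmon(8) prints, and the interface name eri0, the address 192.168.1.9 and the netmask 255.255.255.0 are taken as assumptions; the rule text it emits follows the syntax of the rules quoted above and is not tested against a live ipf.

```python
"""Classify ipmon-style ipfilter log lines against the local subnet.

Added example for this thread, not code from the original post. The log
lines, eri0, and the address/netmask pair are constructed assumptions.
"""
import ipaddress
import re

# Constructed sample lines in the layout ipmon(8) prints ("b" = blocked):
#   date time iface @group:rule action src,sport -> dst,dport PR proto ...
SAMPLE_LOG = """\
23/03/2009 10:01:02.123456 eri0 @0:5 b 192.168.1.101,138 -> 192.168.1.255,138 PR udp len 20 229 IN
23/03/2009 10:01:04.654321 eri0 @0:5 b 192.168.1.128,138 -> 192.168.1.255,138 PR udp len 20 201 IN
23/03/2009 10:01:09.000001 eri0 @0:5 b 192.168.1.101,137 -> 192.168.1.255,137 PR udp len 20 78 IN
23/03/2009 10:02:11.111111 eri0 @0:7 b 10.0.0.5,137 -> 192.168.1.255,137 PR udp len 20 78 IN
23/03/2009 10:02:30.222222 eri0 @0:7 b 192.168.1.101,1025 -> 192.168.1.9,138 PR udp len 20 229 IN
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<ifname>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)

# NetBIOS over UDP: name service and datagram service, the two that broadcast.
NETBIOS_UDP = {137: "netbios-ns", 138: "netbios-dgm"}


def subnet_for(addr, netmask):
    """Return (network, broadcast) implied by an ifconfig inet/netmask pair."""
    iface = ipaddress.IPv4Interface(f"{addr}/{netmask}")
    return iface.network, iface.network.broadcast_address


def classify(line, local_addr="192.168.1.9", netmask="255.255.255.0"):
    """Say what one log line's destination is relative to our own subnet."""
    m = LINE_RE.match(line)
    if not m:
        return None
    net, bcast = subnet_for(local_addr, netmask)
    src = ipaddress.IPv4Address(m["src"])
    dst = ipaddress.IPv4Address(m["dst"])
    dport = int(m["dport"])
    if dst == bcast and src in net:
        kind = "subnet-broadcast"         # every host on the LAN receives this
    elif dst == bcast:
        kind = "broadcast-from-outside"   # source claims an address off our subnet
    elif dst == ipaddress.IPv4Address(local_addr):
        kind = "unicast-to-us"
    else:
        kind = "other"                    # e.g. 192.168.1.255 under a narrower mask
    service = NETBIOS_UDP.get(dport) if m["proto"] == "udp" else None
    return {"src": str(src), "dst": str(dst), "dport": dport,
            "kind": kind, "service": service}


def summarize(log_text, **kw):
    """Count lines by (kind, service) so the pattern in the log is visible."""
    counts = {}
    for line in log_text.splitlines():
        c = classify(line, **kw)
        if c:
            key = (c["kind"], c["service"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def ipf_broadcast_rules(ifname, local_addr, netmask, ports=(137, 138)):
    """Pass rules in the syntax of the thread, one pair per NetBIOS UDP port.

    Scoped to our interface, sources inside our own subnet, and the subnet's
    broadcast address only. Hypothetical rule text, not verified against ipf.
    """
    net, bcast = subnet_for(local_addr, netmask)
    rules = []
    for p in ports:
        rules.append(f"pass in quick on {ifname} proto udp from {net} to {bcast} port = {p}")
        rules.append(f"pass out quick on {ifname} proto udp from {net} to {bcast} port = {p}")
    return rules


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(summarize(SAMPLE_LOG))
    print("\n".join(ipf_broadcast_rules("eri0", "192.168.1.9", "255.255.255.0")))
```

Run it with the netmask your ifconfig actually shows: with 255.255.255.0 the 192.168.1.255 lines classify as subnet broadcast, while with 255.255.255.128 the same destination is outside the subnet and the classifier no longer calls it a broadcast, which is the confusion the reply is warning about. The rule generator deliberately restricts the source to the local network and the destination to the broadcast address, rather than passing all of port 137/138.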
