Re: Should I configure a firewall to allow multicast?



On Mon, 23 Mar 2009, in the Usenet newsgroup comp.security.firewalls, in article
<49c78ef7@xxxxxxxxxxxxx>, Dave wrote:

I'm using IP filter on a Sun workstation (IP 192.168.1.9) and see the
firewall is blocking various hosts to 192.168.1.255 port 138. Note
this machine is not a router, so really no machine on the network
should rely on this one even being running.

Let's have a look at the output of '/sbin/ifconfig -a' and
'/sbin/route -n'. This smells like a bit of confusion on your part
related to addresses used in IP.

Anyway, this is my ipfilter log, showing data from 192.168.1.101 (a
PC) port 138 and 192.168.1.128 (another PC) going to 192.168.1.255
(this is not any machine as such).

Are 192.168.1.101 and 192.168.1.128 running Samba, or windoze?
Both RFC0791 and RFC1122 were written long before "Classless
Inter-Domain Routing" (CIDR) (RFC1519), but this sounds like normal
_broadcast_ activity.

pass out quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137
pass in quick on eri0 proto udp from 192.168.1.0/24 to 192.168.1.255 port = 137

You're implying that /sbin/ifconfig and /sbin/route would show a local
network running from 192.168.1.0 through 192.168.1.255 which would
show up as a network mask of 255.255.255.0 or FFFFFF00. In that case,
192.168.1.0 would be the "network address" which in SOME operating
systems can also be used as a host address, and 192.168.1.255 is the
broadcast address - received by every host on the subnet. Broadcasts
are normally used when the sending system doesn't know the correct
address of the destination, or in packets destined for all systems.
This is quite normal.

So I'm not sure if it's best to allow these packets or stop them. If
it's better to allow them, which is a suitable firewall rule for
ipfilter?

Is everything working OK? Are you simply worried that having packets
sent to this "unknown" (to you) address is/maybe harmful? I don't use
windoze or Samba, but understand that packets to the local broadcast
address are normal for that protocol.

Old guy
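The reasoning in the reply above (derive the network and broadcast address from the interface mask, recognise the logged 192.168.1.255 traffic as subnet broadcast, and write ipfilter rules for it) can be checked mechanically. The script below is an added example, not code from either poster. It assumes the interface name eri0, the host address 192.168.1.9 and a 255.255.255.0 mask as stated in the thread; the log lines it parses are constructed to approximate ipmon's "src,port -> dst,port" layout and are not copied from the poster's log. It also goes one step beyond the thread by flagging packets to the broadcast address whose source is not on the local subnet, which a non-router should never see and which are worth logging rather than silently passing.

```python
# Added example (not from the original post): classify destinations seen in an
# ipfilter log relative to the local subnet and generate NetBIOS broadcast rules.
import ipaddress
import re

# Assumed from the thread: what 'ifconfig -a' on the Sun box would show.
IFNAME = "eri0"
LOCAL_ADDR = "192.168.1.9"
NETMASK = "255.255.255.0"

# Constructed log lines approximating ipmon output; not the poster's real log.
SAMPLE_LOG = """\
23/03/2009 10:15:32.123456 eri0 @0:1 b 192.168.1.101,138 -> 192.168.1.255,138 PR udp len 20 229 IN
23/03/2009 10:15:33.654321 eri0 @0:1 b 192.168.1.128,137 -> 192.168.1.255,137 PR udp len 20 78 IN
23/03/2009 10:15:34.000001 eri0 @0:1 b 10.0.0.5,137 -> 192.168.1.255,137 PR udp len 20 78 IN
23/03/2009 10:15:35.000002 eri0 @0:2 p 192.168.1.101,49152 -> 192.168.1.9,22 PR tcp len 20 60 -S IN
"""

# Only the address/port/protocol fields are needed; the rest of the line is ignored.
LOG_RE = re.compile(
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def subnet(addr=LOCAL_ADDR, mask=NETMASK):
    """Network the host sits on; network and broadcast addresses follow from the mask."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def classify_destination(dst, net):
    """Name the kind of destination address relative to the local subnet."""
    d = ipaddress.ip_address(dst)
    if d == net.broadcast_address:
        return "subnet-broadcast"          # e.g. 192.168.1.255: every host on the LAN
    if d == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"         # never forwarded, local link only
    if d == net.network_address:
        return "network-address"           # usable as a host address only on some OSes
    if d in net:
        return "local-unicast"
    return "remote-unicast"


def parse_log(text, net):
    """Extract src/dst/port/proto from each log line and annotate it."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        entries.append({
            "src": str(src),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
            "kind": classify_destination(m["dst"], net),
            # A broadcast arriving from an off-subnet source is anomalous on a
            # non-router and deserves a look rather than a silent pass.
            "src_on_subnet": src in net,
        })
    return entries


def netbios_broadcast_rules(net, ifname=IFNAME, ports=(137, 138)):
    """ipfilter rules: pass NetBIOS name (137) and datagram (138) broadcasts from
    our own subnet to the subnet broadcast, and log+block anything aimed at the
    broadcast address from elsewhere. 'quick' stops rule evaluation on match, so
    place these according to the ordering of the existing ruleset."""
    bcast = net.broadcast_address
    rules = []
    for port in ports:
        rules.append(f"pass in quick on {ifname} proto udp from {net} to {bcast} port = {port}")
        rules.append(f"pass out quick on {ifname} proto udp from {net} to {bcast} port = {port}")
    rules.append(f"block in log quick on {ifname} from !{net} to {bcast}")
    return rules


if __name__ == "__main__":
    net = subnet()
    print(f"network {net.network_address}  broadcast {net.broadcast_address}  mask {net.netmask}")
    for e in parse_log(SAMPLE_LOG, net):
        flag = "" if e["src_on_subnet"] else "  <-- source not on local subnet"
        print(f"{e['src']} -> {e['dst']}:{e['dport']}/{e['proto']}  {e['kind']}{flag}")
    print("\n".join(netbios_broadcast_rules(net)))
```

The two pass rules reproduce the shape of the rules already in the thread (destination port after "to", one rule per port and direction); the final block rule is the addition, and the "!" address negation it relies on is standard ipf.conf syntax.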


