This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Stopin the log of netbios requests

I'm trying to stop Astaro from loging NetBIOS related packets from beiing loged (but they should still be dropped).

In order to do so, I created a new packet filter rule that does that drop netBIOS traffic, disable log. I also made sure the rule was enabled.

Alas, it doesn't seem to have the expected result: UDP 137/138 pakets are still loged.

What am I missing here ?

This thread was automatically locked due to age.

Parents

0 William Warren over 21 years ago

[ QUOTE ]
I'm trying to stop Astaro from loging NetBIOS related packets from beiing loged (but they should still be dropped).

In order to do so, I created a new packet filter rule that does that drop netBIOS traffic, disable log. I also made sure the rule was enabled.

Alas, it doesn't seem to have the expected result: UDP 137/138 pakets are still loged.

What am I missing here ?

[/ QUOTE ]
you ahve to point the drop rule towards an interface as a destination for hte dropping of netbios to not get logged
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 21 years ago in reply to William Warren

You also need to drop netbios packets to the broadcast addresses.

On ASL 5, I've got a Service Group called 'Spam' with all 3 netbios services included, and then I have a Broadcasts group containing the broadcast IPs for each nic.
I also have the EXT IP in this group, but you should be careful with your PF rules if you're going to include that.

Then, you need a PF rule to drop
from Any - service Spam - dest Broadcasts

You can also add things like MSSQL_Monitor (slammer worm) to your Spam group.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 21 years ago in reply to William Warren

You also need to drop netbios packets to the broadcast addresses.

On ASL 5, I've got a Service Group called 'Spam' with all 3 netbios services included, and then I have a Broadcasts group containing the broadcast IPs for each nic.
I also have the EXT IP in this group, but you should be careful with your PF rules if you're going to include that.

Then, you need a PF rule to drop
from Any - service Spam - dest Broadcasts

You can also add things like MSSQL_Monitor (slammer worm) to your Spam group.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 StephaneGROBETY over 21 years ago in reply to BarryG

Well, the rule I've created is rather simple: drop ANY ANY for UDP/TCP 135,137,138 (that's more than one rule, of course), no loging
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 21 years ago in reply to StephaneGROBETY

I'm not sure about ASL 5, but previous versions won't match the Broadcast addresses with an ANY rule, so you will still see lots of netbios stuff in the logs.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Gert Hansen over 21 years ago in reply to BarryG

Hi fulgan,

you need to create a rule

Any x Netbios x External Interface x Drop (dont log)

the difference is that the Any to Any rule gets only applied on packets that go through the firewall,
but not packets that are send to or from the firewall.

if either the source or the destination of a rule is an Interface IP or a Broadcast IP, than the rule gets handled as you want it to.

regards
gert
Cancel
Vote Up 0 Vote Down

Cancel
0 StephaneGROBETY over 21 years ago in reply to Gert Hansen

Makes sense, thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 synopex over 19 years ago in reply to StephaneGROBETY

hi,

also check exactly the log. netbios is src and dst port 137/138. on my firewalls i have connections from src port 1:65535 to 137/138. for this you must set also a rule!
Cancel
Vote Up 0 Vote Down

Cancel