I have a rule to drop netbios and other broadcast traffic.
It is the first rule in PF rules.
Source Any, Service SPAM (group), Action DROP, Dest Broadcasts (group), nolog
SPAM svc group contains:
* Microsoft-SQL_Monitor
* netbios-dgm
* netbios-ns
* netbios-ssn
Broadcasts net group contains:
* External (Address)
* External (Broadcast)
* Internal (Broadcast) (192.168.11.255)
However, I am seeing NetBIOS broadcasts in the PF LiveLog and in /var/log/packetfilter.log
Also, I do not see any evidence of these rules in the "Current System Packet Filter Rules" (see below), or with iptables -L -n
De/Re-Activating the filter rule doesn't seem to have any effect.
In fact, comparing the output of iptables -L -n before and after disabling the rule shows there is no difference!
Thanks,
Barry
Code:
packetfilter.log:
2005:03:14-13:02:01 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:c1:51:49:08:00 SRC=192.168.11.13 DST=192.168.11.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59673 PROTO=UDP SPT=137 DPT=137 LEN=58
2005:03:14-13:02:01 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:c1:51:49:08:00 SRC=192.168.11.13 DST=192.168.11.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59689 PROTO=UDP SPT=137 DPT=137 LEN=58
2005:03:14-13:02:02 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:c1:51:49:08:00 SRC=192.168.11.13 DST=192.168.11.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59701 PROTO=UDP SPT=137 DPT=137 LEN=58
2005:03:14-13:02:13 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:f7:4c:e9:08:00 SRC=192.168.11.197 DST=192.168.11.255 LEN=231 TOS=0x00 PREC=0x00 TTL=128 ID=17686 PROTO=UDP SPT=138 DPT=138 LEN=211
[fw.x.net] Current System Packet Filter Rules:
Chain INPUT (policy DROP 40 packets, 2253 bytes)
pkts bytes target prot opt in out source destination
829K 1020M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
62456 5098K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
177K 57M SPOOFING_PROTECTION all -- * * 0.0.0.0/0 0.0.0.0/0
177K 57M HA all -- * * 0.0.0.0/0 0.0.0.0/0
177K 57M SANITY_CHECKS all -- * * 0.0.0.0/0 0.0.0.0/0
177K 57M AUTO_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
174K 56M USR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
170K 55M LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7015K 3403M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1193K 74M SPOOFING_PROTECTION all -- * * 0.0.0.0/0 0.0.0.0/0
1193K 74M SANITY_CHECKS all -- * * 0.0.0.0/0 0.0.0.0/0
1193K 74M AUTO_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
1193K 74M USR_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
55 2604 LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
829K 1020M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
72387 12M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1823 132K HA all -- * * 0.0.0.0/0 0.0.0.0/0
1823 132K SANITY_CHECKS all -- * * 0.0.0.0/0 0.0.0.0/0
1823 132K AUTO_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
5 443 USR_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
5 443 LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain AUTO_FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain AUTO_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:22
0 0 LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:22
1 44 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443
0 0 LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 255.255.255.255 tcp spt:68 dpt:67
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
0 0 ACCEPT tcp -- eth0 * 192.168.11.0/24 192.168.11.1 tcp spt:68 dpt:67
0 0 ACCEPT udp -- eth0 * 192.168.11.0/24 192.168.11.1 udp spt:68 dpt:67
0 0 ACCEPT tcp -- wlan0 * 0.0.0.0/0 255.255.255.255 tcp spt:68 dpt:67
0 0 ACCEPT udp -- wlan0 * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
0 0 ACCEPT tcp -- wlan0 * 192.168.211.0/24 192.168.211.1 tcp spt:68 dpt:67
0 0 ACCEPT udp -- wlan0 * 192.168.211.0/24 192.168.211.1 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * * 192.168.211.0/24 0.0.0.0/0 tcp spts:53:65535 dpt:53
0 0 ACCEPT udp -- * * 192.168.211.0/24 0.0.0.0/0 udp spts:53:65535 dpt:53
0 0 ACCEPT tcp -- * * 192.168.11.0/24 0.0.0.0/0 tcp spts:53:65535 dpt:53
0 0 ACCEPT udp -- * * 192.168.11.0/24 0.0.0.0/0 udp spts:53:65535 dpt:53
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:53:65535 dpt:53
0 0 ACCEPT udp -- * * 10.0.0.10 0.0.0.0/0 udp spts:53:65535 dpt:53
2 176 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 code 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 code 0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpts:33000:34000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:113
0 0 LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:25
0 0 ACCEPT tcp -- * * 192.168.11.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:1080
Chain AUTO_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * eth0 192.168.11.1 255.255.255.255 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * eth0 192.168.11.1 255.255.255.255 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * eth0 192.168.11.1 192.168.11.0/24 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * eth0 192.168.11.1 192.168.11.0/24 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * wlan0 192.168.211.1 255.255.255.255 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * wlan0 192.168.211.1 255.255.255.255 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * wlan0 192.168.211.1 192.168.211.0/24 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * wlan0 192.168.211.1 192.168.211.0/24 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 24.52.223.219 tcp spts:53:65535 dpt:53 OWNER CMD match named
0 0 ACCEPT udp -- * * 0.0.0.0/0 24.52.223.219 udp spts:53:65535 dpt:53 OWNER CMD match named
0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.2.2.1 tcp spts:53:65535 dpt:53 OWNER CMD match named
0 0 ACCEPT udp -- * * 0.0.0.0/0 4.2.2.1 udp spts:53:65535 dpt:53 OWNER CMD match named
0 0 ACCEPT tcp -- * * 0.0.0.0/0 24.52.223.218 tcp spts:53:65535 dpt:53 OWNER CMD match named
0 0 ACCEPT udp -- * * 0.0.0.0/0 24.52.223.218 udp spts:53:65535 dpt:53 OWNER CMD match named
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 OWNER CMD match squidf
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 OWNER CMD match squidf
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 OWNER CMD match squidf
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8080 OWNER CMD match squidf
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:389 OWNER CMD match squidf
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 code 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 code 0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpts:33000:34000
0 0 ACCEPT udp -- * * 0.0.0.0/0 128.118.25.3 udp spts:1024:65535 dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:25 OWNER CMD match exim
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1:65535 OWNER CMD match sockd
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpts:1:65535 OWNER CMD match sockd
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpts:33000:34000 OWNER CMD match netselect
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:80 OWNER CMD match aus
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:443 OWNER CMD match aus
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:80 OWNER CMD match pattern_aus
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:443 OWNER CMD match pattern_aus
Chain HA (2 references)
pkts bytes target prot opt in out source destination
Chain LOGACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `ACCEPT: '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGDROP (6 references)
pkts bytes target prot opt in out source destination
170K 55M LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `DROP: '
170K 55M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGREJECT (1 references)
pkts bytes target prot opt in out source destination
1 60 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `REJECT: '
1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain USR_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 192.168.11.200 0.0.0.0/0
0 0 LOGACCEPT tcp -- * * 12.194.192.0/18 192.168.11.200 tcp spts:1:65535 dpt:69
0 0 LOGACCEPT udp -- * * 12.194.192.0/18 192.168.11.200 udp spts:1:65535 dpt:69
0 0 ACCEPT all -- * * 192.168.211.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:119
561 34769 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1:65535 dpt:4672
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:4661
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:4665
33 1608 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:4662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:6881:6889
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpts:6881:6889
0 0 ACCEPT tcp -- * * 192.168.11.0/24 0.0.0.0/0 tcp spt:5900 dpts:1024:65535
0 0 ACCEPT udp -- * * 192.168.11.0/24 0.0.0.0/0 udp spts:1024:65535 dpts:27015:27016
2 89 ACCEPT all -- * * 192.168.11.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpts:20:21
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:81
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:443
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpts:8081:8088
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:8090
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:8080
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:80
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:8085
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1:65535 dpt:25
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:37
0 0 ACCEPT udp -- * * 10.0.0.10 0.0.0.0/0 udp spts:1024:65535 dpt:37
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:43
0 0 ACCEPT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1:65535 dpt:53
0 0 ACCEPT udp -- * * 10.0.0.10 0.0.0.0/0 udp spts:1:65535 dpt:53
0 0 LOGREJECT tcp -- * * 10.0.0.10 0.0.0.0/0 tcp spts:1024:65535 dpt:113
0 0 ACCEPT udp -- * * 10.0.0.10 0.0.0.0/0 udp spts:1024:65535 dpts:33000:34000
0 0 ACCEPT icmp -- * * 10.0.0.10 0.0.0.0/0 icmp type 8 code 0
Chain USR_INPUT (1 references)
pkts bytes target prot opt in out source destination
526 173K DROP udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
Chain USR_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain SPOOF_DROP (9 references)
pkts bytes target prot opt in out source destination
2 126 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `IP-SPOOFING DROP: '
2 126 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SPOOFING_PROTECTION (2 references)
pkts bytes target prot opt in out source destination
0 0 SPOOF_DROP all -- eth0 * 192.168.11.1 0.0.0.0/0
0 0 SPOOF_DROP all -- eth0 * 10.0.0.0/24 0.0.0.0/0
0 0 SPOOF_DROP all -- eth0 * x.x.208.0/20 0.0.0.0/0
0 0 SPOOF_DROP all -- eth2 * 10.0.0.254 0.0.0.0/0
0 0 SPOOF_DROP all -- eth2 * 192.168.11.0/24 0.0.0.0/0
0 0 SPOOF_DROP all -- eth2 * x.x.208.0/20 0.0.0.0/0
0 0 SPOOF_DROP all -- eth1 * x.x.221.142 0.0.0.0/0
0 0 SPOOF_DROP all -- eth1 * 192.168.11.0/24 0.0.0.0/0
0 0 SPOOF_DROP all -- eth1 * 10.0.0.0/24 0.0.0.0/0
Chain STRICT_TCP_STATE (0 references)
pkts bytes target prot opt in out source destination
Chain SANITY_CHECKS (3 references)
pkts bytes target prot opt in out source destination
Chain INVALID_PKT (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `INVALID_PKT: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
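One way to confirm what the post observes from the data it already contains, as an added example that is not from the thread or from the firewall's own tooling: parse the packetfilter.log lines into fields, count the UDP NetBIOS datagrams to a broadcast address that were logged with the `DROP: ` prefix (the prefix the LOGDROP catch-all chain applies in the listing above, so these packets fell through every user rule), and check whether the USR_INPUT chain actually contains a udp DROP covering ports 137-139. The log lines are copied from the page; the iptables excerpt is constructed to match the USR_INPUT chain shown above.

```python
import re
from collections import Counter
NETBIOS_PORTS = {137, 138, 139}                      # netbios-ns, -dgm, -ssn
BROADCASTS = {"192.168.11.255", "255.255.255.255"}   # the "Broadcasts" group
# Constructed sample: two lines in the format of the page's packetfilter.log.
LOG_SAMPLE = """\
2005:03:14-13:02:01 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:c1:51:49:08:00 SRC=192.168.11.13 DST=192.168.11.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59673 PROTO=UDP SPT=137 DPT=137 LEN=58
2005:03:14-13:02:13 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:f7:4c:e9:08:00 SRC=192.168.11.197 DST=192.168.11.255 LEN=231 TOS=0x00 PREC=0x00 TTL=128 ID=17686 PROTO=UDP SPT=138 DPT=138 LEN=211
"""
# Constructed excerpt of `iptables -L -n -v`: the USR_INPUT chain as listed on the page.
IPTABLES_SAMPLE = """\
Chain USR_INPUT (1 references)
  526 173K DROP udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
"""
LOG_RE = re.compile(r"kernel: (?P<prefix>[A-Z_ -]+?): (?P<kv>.*)$")

def parse_log(text):
    # One dict per netfilter log line: the LOG prefix plus its KEY=VALUE fields.
    records = []
    for line in text.splitlines():
        if m := LOG_RE.search(line):
            rec = {"prefix": m.group("prefix")}
            for kv in m.group("kv").split():
                key, _, val = kv.partition("=")
                rec.setdefault(key, val)        # first LEN is the IP total length
            records.append(rec)
    return records

def netbios_broadcast_drops(records):
    # Count logged drops of UDP NetBIOS datagrams to a broadcast address, by (SRC, DPT).
    hits = Counter()
    for r in records:
        if (r["prefix"] == "DROP" and r.get("PROTO") == "UDP"
                and int(r.get("DPT", 0)) in NETBIOS_PORTS and r.get("DST") in BROADCASTS):
            hits[(r["SRC"], int(r["DPT"]))] += 1
    return hits

def chain_has_netbios_drop(listing, chain):
    # True if `chain` holds a DROP rule for udp whose dpt/dpts covers a NetBIOS port.
    in_chain = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        f = line.split()
        if not in_chain or len(f) < 4 or f[2] != "DROP" or f[3] != "udp":
            continue
        if (m := re.search(r"dpts?:(\d+)(?::(\d+))?", line)) and any(
                int(m.group(1)) <= p <= int(m.group(2) or m.group(1)) for p in NETBIOS_PORTS):
            return True
    return False
```

Run against the real files, `parse_log(open("/var/log/packetfilter.log").read())` and the output of `iptables -L USR_INPUT -n -v`, a non-empty drop count together with a False chain check means the GUI rule never reached the kernel ruleset.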