
Default drop within Local Network

Hi,

I'm new to the community. 

After the amount of time taken to configure Sophos UTM, I was unable to clear the last default drop in the firewall.

Firewall log:

2016:03:18-13:48:36 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="50934" dstport="137" 
2016:03:18-13:48:36 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="55609" dstport="137" 
2016:03:18-13:48:47 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="37670" dstport="137" 
2016:03:18-13:48:47 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="54760" dstport="137" 
2016:03:18-13:48:57 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57991" dstport="137" 
2016:03:18-13:48:57 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="60448" dstport="137" 
2016:03:18-13:49:07 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="50687" dstport="137" 
2016:03:18-13:49:07 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="33548" dstport="137" 
2016:03:18-13:49:18 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="49614" dstport="137" 
2016:03:18-13:49:18 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="43013" dstport="137" 
2016:03:18-13:49:28 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="35584" dstport="137"

The IP 192.168.0.2 is a TP-Link C2600 (configured as an access point).

Here are the firewall rules I created.

Hope to hear from you soon.

Thank you



  • Hi, Hans, and welcome to the UTM Community!

    Only rules 2 and 5 have any effect - I would disable the other three rules just to prove to yourself that they aren't needed.

    The drops of UDP 137 (NETBIOS Name Service) have no effect as the UTM does not do NETBIOS.  If you can't configure the C2600 to stop sending those requests to the UTM, just make a firewall rule that drops 'Internal (Network) -> Windows Networking (NETBIOS) -> Internal (Address)' traffic.

    Cheers - Bob

  • Hi,

    I have changed it according to your advice and it works.

    Thanks :D

  • The default drop of other packets appears after I disabled all the rules besides 2, 5 and the latest one.

    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="65.218.135.34" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="22975" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="119.17.26.160" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="38914" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="119.17.26.160" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="38914" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="119.17.26.160" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="38914" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="119.17.26.160" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="38914" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="119.17.26.160" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="38914" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="68.86.83.22" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="31068" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="68.86.83.22" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="31068" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="68.86.83.22" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="31068" dstport="53" 
    2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="68.86.83.22" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="31068" dstport="53" 
  • These are packets originating outside your network, so that's a different issue.  It looks like these computers may be a botnet trying to attack you thinking that you have a public name server offering DNS.  You want these requests to be dropped.

    Cheers - Bob
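The two answers above distinguish two kinds of default-rule (fwrule 60001) drops: harmless NetBIOS name-service chatter from a LAN host, and inbound UDP/53 from Internet hosts on the WAN interface. The following script is an added example, not code from the thread or from Sophos: it parses the UTM `ulogd` packetfilter line format shown in the posts and sorts the drops into those two buckets so a log review can tell noise from probing at a glance. The sample lines are copied from the posts above; the set of WAN interface names (`ppp0`) and the bucket labels are assumptions for this example.

```python
import ipaddress
import re
from collections import Counter

# Sample input: lines of the kind posted in this thread (one internal NetBIOS
# drop on eth1, two inbound DNS drops on ppp0). Copied from the posts above.
SAMPLE_LOG = """\
2016:03:18-13:48:36 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="50934" dstport="137"
2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="65.218.135.34" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="22975" dstport="53"
2016:03:20-22:22:04 hans ulogd[4569]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="68.86.83.22" dstip="1.32.23.110" proto="17" length="78" tos="0x00" prec="0x00" ttl="250" srcport="31068" dstport="53"
"""

# Assumption for this example: the WAN side is the PPPoE interface seen in the thread.
WAN_INTERFACES = {"ppp0"}

# Syslog-style prefix: "<timestamp> <host> <program>[<pid>]: " followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+) (\S+) (\S+)\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one ulogd packetfilter line into a dict of its fields, or None if it does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["timestamp"] = m.group(1)
    fields["host"] = m.group(2)
    return fields


def classify(fields):
    """Label why the default rule dropped this packet (labels are this example's own)."""
    if fields.get("action") != "drop":
        return "not-a-drop"
    src = ipaddress.ip_address(fields["srcip"])
    proto = fields.get("proto")
    dport = int(fields.get("dstport", 0))
    initf = fields.get("initf", "")
    # Case 1 from the thread: a LAN host sending NetBIOS Name Service (UDP/137)
    # at the UTM, which does not speak NetBIOS. Harmless; silence it with a
    # specific drop rule or by reconfiguring the sending device.
    if proto == "17" and dport == 137 and src.is_private:
        return "internal-netbios-noise"
    # Case 2 from the thread: Internet hosts sending DNS queries (UDP/53) to the
    # WAN address. Dropping these is the desired behaviour.
    if proto == "17" and dport == 53 and not src.is_private and initf in WAN_INTERFACES:
        return "external-dns-probe"
    return "other-default-drop"


def summarize(log_text):
    """Count default-drop lines per category; anything in 'other-default-drop' deserves a look."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields.get("fwrule") == "60001":
            counts[classify(fields)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {n}")
```

Run it against a saved firewall log instead of `SAMPLE_LOG` to see how much of the default-drop volume is LAN NetBIOS chatter versus inbound probing; only the remaining `other-default-drop` lines need a rule decision.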

  • Thank you for your advice, I have left the other rules off.