Default drop within Local Network

Question

Hi, 
 I'm new to the community. 
 After amount of time taken to configure Sophos UTM, I was unable to clear the last default drop in the firewall. 
 
 Firewall Log : 
 2016:03:18-13:48:36 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="50934" dstport="137" 
2016:03:18-13:48:36 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="55609" dstport="137" 
2016:03:18-13:48:47 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="37670" dstport="137" 
2016:03:18-13:48:47 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="54760" dstport="137" 
2016:03:18-13:48:57 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57991" dstport="137" 
2016:03:18-13:48:57 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="60448" dstport="137" 
2016:03:18-13:49:07 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="50687" dstport="137" 
2016:03:18-13:49:07 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="33548" dstport="137" 
2016:03:18-13:49:18 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="49614" dstport="137" 
2016:03:18-13:49:18 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="43013" dstport="137" 
2016:03:18-13:49:28 hans ulogd[4556]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="f4:f2:6d:37:b5:5e" dstmac="00:90:27:e0:01:38" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="35584" dstport="137" The IP, 192.168.0.2 = TP Link C2600 ( configure as access point) 
 Here's the fire rules I created.

Hope to hear from you soon. 
 
 Thank you

BAlfson · Accepted Answer

Hi, Hans, and welcome to the UTM Community! 
 Only rules 2 and 5 have any effect - I would disable the other three rules just to prove to yourself that they aren't needed. 
 The drops of UDP 137 (NETBIOS Name Service) have no effect as the UTM does not do NETBIOS. If you can't configure the C2600 to stop sending those requests to the UTM, just make a firewall rule that drops 'Internal (Network) -> Windows Networking (NETBIOS) -> Internal (Address)' traffic. 
 Cheers - Bob

BAlfson · Answer

These are packets originating outside your network, so that's a different issue. It looks like these computers may be a botnet trying to attack you thinking that you have a public name server offering DNS. You want these requests to be dropped. 
 Cheers - Bob