On Sat, Jan 18, 2003 at 02:27:58PM -0800, Curtis Hawthorne wrote:

> Is this a bug in NetFilter (and has it been fixed?), or am
> I doing something wrong? I don't like the idea of new
> connections being allowed back through the firewall after a
> certain kind of packet has been sent, so any help would be
> greatly appreciated.

It's doing what you asked it to. First you make an outgoing 'connection' (actually just a packet as it's UDP) from port 137 to port 137 on the target machine. ip_conntrack remembers this so as to let any replies in. Then the same machine makes a 'new connection' using the same ports and IPs, just in the other direction.

Other than inspecting the actual data contents of the packets there's no way a firewall can tell the difference between a reply to your initial request within the ip_conntrack timeout, and a new request.

Personally I just block ALL port 137/138/139 stuff OUTGOING as it's just too much of a risk IMO. It's so easy to (mis)configure a Windows machine to go broadcasting NETBIOS all over the place.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters.
 Me who strips my confidence." Paula Cole - ME
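The behaviour Athanasius describes, as an added example that is not part of the original thread and not netfilter code: a toy model of ip_conntrack's UDP tracking. Conntrack only ever sees the address/port 5-tuple, so once an outgoing 137->137 packet has created an entry, a packet from the peer with the reversed tuple is classified ESTABLISHED and let in regardless of whether it is a genuine reply or a fresh request. The second scenario applies the mitigation from the message (block 137/138/139 outgoing), so no entry is ever created and the inbound packet is NEW and dropped. The addresses, ports, clock values and the 30 s timeout are constructed for the example; the real kernel of the time used 30 s for UDP that had not been answered and a longer timeout once traffic had been seen in both directions.

```python
# Added example: a toy model of ip_conntrack's UDP tracking, written to
# illustrate the message above. It is not netfilter code; the table, the
# 30 s timeout, the addresses and the ports are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

FiveTuple = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving the firewall, "in" = arriving from outside
    t: float         # arrival time in seconds (constructed clock)
    proto: str = "udp"


class UdpConntrackFirewall:
    """Stateful filter: outgoing allowed, incoming only if conntrack classifies
    it as a reply to something we sent (ESTABLISHED)."""

    def __init__(self, udp_timeout: float = 30.0,
                 block_outgoing_ports: Iterable[int] = ()):
        self.table: Dict[FiveTuple, float] = {}   # original-direction tuple -> expiry
        self.udp_timeout = udp_timeout
        self.block_outgoing_ports = set(block_outgoing_ports)

    @staticmethod
    def _tuple(p: Packet) -> FiveTuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(t: FiveTuple) -> FiveTuple:
        proto, src, sport, dst, dport = t
        return (proto, dst, dport, src, sport)

    def _expire(self, now: float) -> None:
        self.table = {k: v for k, v in self.table.items() if v > now}

    def _state(self, t: FiveTuple) -> Tuple[str, FiveTuple]:
        # Conntrack only looks at addresses and ports: a packet whose tuple, or
        # reversed tuple, matches a live entry is ESTABLISHED whatever it carries.
        if t in self.table:
            return "ESTABLISHED", t
        if self._reverse(t) in self.table:
            return "ESTABLISHED", self._reverse(t)
        return "NEW", t

    def filter(self, p: Packet) -> str:
        """Return 'ACCEPT <state>' or 'DROP <reason>' for one packet."""
        self._expire(p.t)
        state, key = self._state(self._tuple(p))
        if p.direction == "out":
            if p.dport in self.block_outgoing_ports:
                return "DROP outgoing-port-blocked"
            # Outgoing traffic creates or refreshes the entry that lets replies in.
            self.table[key] = p.t + self.udp_timeout
            return f"ACCEPT {state}"
        if state == "ESTABLISHED":
            self.table[key] = p.t + self.udp_timeout   # a reply refreshes the timer
            return "ACCEPT ESTABLISHED"
        return "DROP NEW"


OURS, THEIRS = "10.0.0.2", "192.0.2.10"   # constructed addresses


def scenario_from_message() -> List[str]:
    """Outgoing 137->137 probe, then the peer 'connects back' on the same ports:
    inside the UDP timeout it is indistinguishable from a reply; after it, dropped."""
    fw = UdpConntrackFirewall(udp_timeout=30.0)
    probe = Packet(OURS, 137, THEIRS, 137, "out", t=0.0)
    reply_like = Packet(THEIRS, 137, OURS, 137, "in", t=5.0)
    late = Packet(THEIRS, 137, OURS, 137, "in", t=60.0)
    return [fw.filter(probe), fw.filter(reply_like), fw.filter(late)]


def scenario_unsolicited() -> str:
    """Same inbound packet with no prior outgoing probe: no entry, so NEW."""
    fw = UdpConntrackFirewall()
    return fw.filter(Packet(THEIRS, 137, OURS, 137, "in", t=0.0))


def scenario_block_outgoing_netbios() -> List[str]:
    """The mitigation from the message: never let 137/138/139 out."""
    fw = UdpConntrackFirewall(block_outgoing_ports=(137, 138, 139))
    probe = Packet(OURS, 137, THEIRS, 137, "out", t=0.0)
    reply_like = Packet(THEIRS, 137, OURS, 137, "in", t=5.0)
    return [fw.filter(probe), fw.filter(reply_like)]


if __name__ == "__main__":
    print(scenario_from_message())          # ACCEPT NEW, ACCEPT ESTABLISHED, DROP NEW
    print(scenario_unsolicited())           # DROP NEW
    print(scenario_block_outgoing_netbios())  # both dropped
```

The point the model makes is that the "ESTABLISHED" match is purely a tuple lookup with a timer; the payload never enters into it, which is why the message says only content inspection could tell a reply from a new request. On a real box the mitigation is an ordinary filter rule on the outgoing path for those ports (for example a `-p udp --dport 137` / `--dport 138` DROP and a `-p tcp --dport 139` DROP in OUTPUT or FORWARD, rule placement being the reader's own choice), which prevents the conntrack entry from ever being created.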