RE: [FW1] NT talking with NBNAME to whole world?

[Frank Knobbe <FKnobbe@FW1-NOSPAMKnobbeITS.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What you are seeing are most likely NetBIOS name lookups. NT will try
to resolve an IP address to a name using DNS, and if that fails,
NetBIOS. 

You're action was correct. Disable Accept Outgoing, set interface to
Eitherbound and create NBT drop/reject rules (i.e. Local-Net - Any -
NBT - Reject [I use reject against internal devices to speed to the
connection termination]). The NBT drop rule will also filter the
Explorer-type viruses that scan for open shares.

You should still review the hardening documents others pointed out.
At least disable every binding, except TCP/IP, on the external
interface (that includes disabling Workstation, Server, etc).

Regards,
Frank

> -----Original Message-----
> From: Ralf Guenthner [mailto:gue@zentric.com]
> Sent: Friday, October 13, 2000 7:28 AM
> 
> Another neat problem on an NT firewall system I "inherited": 
> I noticed after
> activating the logging for the standard drop rule that the 
> firewall system
> itself was talking Netbios nbname service to systems in 
> Argentina, USA asf.
> I stopped that by unchecking "Accept outgoing packets" and setting
> the interface direction to "eitherbound".  
> 
> My question is: Why would this system do that, has it 
> probably already been
> hacked? There were so many different sites it was doing the 
> nbname to I
> wonder what it means?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOecvIURKym0LjhFcEQKYqwCgrwKsjow/UZPRnSpIEHhli018DJMAoJ35
e0UkvnLQu1XXx7cdbsJu3Lbz
=htYp
-----END PGP SIGNATURE-----


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================