Yes, you could do that, but why? You'd miss the log entries that help justify getting some of these jerks shut down. I'll take legal records over "clean logs" any day. Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: "Peter J. Persing" <Peter@xxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, September 12, 2001 17:22 Subject: [isalist] Re: Odd UDP ports blocked http://www.ISAserver.org Well, I'll take your word for it. I was of the understanding that if you disabled NetBIOS over tapir that those packets would be dropped by the interface, and would not get the opportunity to be identified by anything this side of the protocol stack. So, I will query you a query! If you enable allow packet filters for udp 137 and 138 then it sounds to me like these two errors should disappear from the dropped packet log, but since NetBIOS over TCP/IP is disabled on the external interface, no communication could possibly take place. Therefore you have eliminated the NetBIOS exposure, and are also keeping the log file cleaner by eliminating the logging of the dropped packet activity. Is that correct??? Pete On the Blackfoot River in the great state of Montana -----Original Message----- From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx] Sent: Wednesday, September 12, 2001 5:24 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Odd UDP ports blocked http://www.ISAserver.org just because a port is not configured to have a daemon listening on it, I believe a host still reads that packet.. In this case the packet was read, compared to filtering rules, and sent to dev/null had there not been a filter, there still would have been no connection possible. does that help clear things up? Jay -----Original Message----- From: Peter J. Persing [mailto:Peter@xxxxxxxxxxx] Sent: Wednesday, September 12, 2001 4:20 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Odd UDP ports blocked http://www.ISAserver.org How did they even get through the external interface to get blocked if the network card was configured with NetBIOS over TCP/IP disabled?? Pete On the Blackfoot River in the great state of Montana -----Original Message----- From: Mark Strangways [mailto:strangconst@xxxxxxxx] Sent: Wednesday, September 12, 2001 5:10 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Odd UDP ports blocked http://www.ISAserver.org Notice that they were blocked . But it did get me to check though :-) regards, Mark ----- Original Message ----- From: Peter J. <mailto:Peter@xxxxxxxxxxx> Persing To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx> Sent: Wednesday, September 12, 2001 6:51 PM Subject: [isalist] Re: Odd UDP ports blocked http://www.ISAserver.org <http://www.ISAserver.org> How can UDP 137/138 (NetBios name service/Datagram Service) get through if he has net bios over TCP/IP turned of on the external network interface as he should have. Pete On the Blackfoot River in the great state of Montana -----Original Message----- From: Mark Strangways [ mailto:strangconst@xxxxxxxx <mailto:strangconst@xxxxxxxx> ] Sent: Wednesday, September 12, 2001 3:42 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Odd UDP ports blocked http://www.ISAserver.org Well, my ISP is @home. The ip in question isn't an @home based network ID. It belongs to the netblock of linklocal, but that's about all I can find out about it. Regards, Mark ----- Original Message ----- From: Jim <mailto:jim@xxxxxxxxxxxx> Harrison To: [ISAserver.org Discussion <mailto:isalist@xxxxxxxxxxxxx> List] Sent: Wednesday, September 12, 2001 5:22 PM Subject: [isalist] Re: Odd UDP ports blocked http://www.ISAserver.org <http://www.ISAserver.org> Someone on your ISP side of things has a Windows 98SE or higher OS that is using AIPA and is still trying to get an address from a DHCP server. Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: Mark Strangways <mailto:strangconst@xxxxxxxx> To: [ISAserver.org Discussion <mailto:isalist@xxxxxxxxxxxxx> List] Sent: Wednesday, September 12, 2001 13:08 Subject: [isalist] Odd UDP ports blocked http://www.ISAserver.org <http://www.ISAserver.org> Included below is a clip from my Packet filter log. I understand that is is NOT getting thru, but does anyone think I should be informing someone of the attack. Or am I just paranoid ? Thanks in advance for your responses Mark 2001-09-12 19:28:22 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:28:32 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:28:38 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:28:42 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:28:52 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:02 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:06 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:07 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:08 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:09 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:10 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:10 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:11 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:12 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:12 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:13 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:14 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219 2001-09-12 19:29:15 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:15 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:15 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:29:30 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:31:00 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219 2001-09-12 19:31:30 169.254.97.143 169.254.255.255 Udp 138 138 ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: strangconst@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: peter@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: strangconst@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: peter@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jmobley@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: peter@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')