    Log flooded with port 137 & 138 UDP

    Firewalling
    • J
      jim82 last edited by

      Dear community,

      My logs are being flooded with what seems to be broadcasts relating to NetBIOS traffic. I'm running a heavy Windows environment, so I suppose it's normal.

      I just wanted to check with you gurus if there is anything I have done wrong, or if I should just allow the traffic to pass through.

      My shares and Windows functionality seem to be in good shape (working).

      Basically I'm looking for an answer to what this broadcast is about. Is it normal or a misconfiguration?

      Please see attachments for log entry and system overview.

      EDIT:
      10.11.10.11 = DC1
      10.11.10.12 = DC2

      Thanks for any replies

      BR Jim



      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        What do you consider flooded?  Yeah, Windows machines will normally send traffic out on 137 and 138.. Take a sniff and look at the traffic..

        Example - just fired up the computer browser service on my VM in my DMZ, it likes to send out this stuff..

        Not really anything you can do from reaching your other machines.  pfSense is not going to route the traffic anywhere, so you can try to turn this sort of stuff off at the nodes or just tell pfSense not to log the noise.  Those are all to 138 UDP.


        • J
          jim82 last edited by

          Thanks for your reply, John.

          Can you explain how I stop the log from being spammed?

          It's quite a heavy amount of entries, see new attachment below.

          BR Jim


          • KOM
            KOM last edited by

            Can you explain how I stop the log from being spammed?

            This traffic is being caught by the Default Deny rule, which is set to log all blocks.  If you want to ignore this traffic, create a firewall rule to specifically block this traffic and set it to not log.  From then on, that traffic will be blocked but not logged.

            • J
              jim82 last edited by

              Thanks KOM,

              Would attached be the correct way of doing this?

              BR Jim


              • KOM
                KOM last edited by

                Looks OK to me.  Test it and see if your log entries disappear.

                • J
                  jim82 last edited by

                  Thanks for your assistance :) Looks like that finally got rid of 'em.

                  BR Jim

                  • johnpoz
                    johnpoz LAYER 8 Global Moderator last edited by

                    Where do you see that it is the default deny rule?  He is not listing the rules.. So how do you know it's default deny without seeing the rest of his rules.  Like I said, pfSense is not going to forward that traffic anyway.  You must have the VLAN really locked down if default deny is listing that.  Why don't you turn on so that you can see what rule is blocking - I thought that was the new default in 2.2.2?

                    I see those in my DMZ because it's locked down very tight..  But I just turn that shit off on the client; seeing it in the logs is a reminder that the box is sending out noise and to turn it off at the source. Just hiding the noise from your logs doesn't mean the noise is not still there.

                    • J
                      jim82 last edited by

                      To me it seems like it's NetBIOS traffic being sent from my 2 domain controllers to the VLAN10 broadcast. I guess they're polling for clients to index in the network browser.

                      My rules for VLAN10 are attached, any further input is greatly appreciated.

                      BR Jim


                      • johnpoz
                        johnpoz LAYER 8 Global Moderator last edited by

                        How is your network browsing going to work when there are no clients on your server segment to list?  Like I said, what is the point of just not logging the traffic.  Why don't you turn off the noise at the source, DC1 and 2??  For the network browser to work there needs to be a master browser on each segment and one for the domain, etc.

                        Why don't you just turn off the ability for those machines to be master browser, etc.  Disable the Computer Browser service, etc.

                        Did you sniff the traffic and look at what it was?  If you see what you think is a lot of traffic and you don't really understand what it is - why would you not understand what it is before you just don't log it?  It could point to a misconfiguration on the machine that should be fixed and not really just ignored.

                        So when the check engine light comes on in your car, do you just put a piece of tape over the light?  Or do you look to see what is turning on the light?  Floods of traffic should be investigated and corrected, not just ignored, if you ask me.

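As an added illustration of two points made in this thread (KOM's "find out which rule is logging it" and johnpoz's "look at what the traffic actually is before silencing it"), the script below is not from the thread or from pfSense; it summarises pfSense filterlog lines the way one would before writing a no-log rule. The log lines are constructed samples: the interface name em0_vlan10, timestamps and the pass-rule tracker are made up, 10.11.10.11/.12 are the DCs named above, and the block-rule tracker 1000000103 is the id pfSense assigns to its IPv4 default deny rule.

```shell
#!/bin/sh
# Constructed sample of pfSense filter log lines (syslog prefix + filterlog CSV).
# IPv4 UDP field layout after the "filterlog: " prefix:
#   1 rule  4 tracker  5 interface  7 action  8 direction  9 ip version
#   17 protocol  19 src ip  20 dst ip  21 src port  22 dst port
# Interface, timestamps and the pass-rule tracker are made up for this example.
SAMPLE_LOG='May  5 09:12:01 pfSense filterlog: 5,,,1000000103,em0_vlan10,match,block,in,4,0x0,,128,4101,0,none,17,udp,229,10.11.10.11,10.11.10.255,138,138,209
May  5 09:12:02 pfSense filterlog: 5,,,1000000103,em0_vlan10,match,block,in,4,0x0,,128,4102,0,none,17,udp,78,10.11.10.11,10.11.10.255,137,137,58
May  5 09:12:03 pfSense filterlog: 5,,,1000000103,em0_vlan10,match,block,in,4,0x0,,128,2201,0,none,17,udp,229,10.11.10.12,10.11.10.255,138,138,209
May  5 09:12:04 pfSense filterlog: 13,,,1600000001,em0_vlan10,match,pass,in,4,0x0,,64,777,0,DF,6,tcp,60,10.11.10.50,203.0.113.10,51234,443,0,S,1,,64240,,mss
May  5 09:12:05 pfSense filterlog: 5,,,1000000103,em0_vlan10,match,block,in,4,0x0,,128,4103,0,none,17,udp,229,10.11.10.11,10.11.10.255,138,138,209
May  5 09:12:06 pfSense filterlog: 5,,,1000000103,em0_vlan10,match,block,in,4,0x0,,128,2202,0,none,17,udp,229,10.11.10.12,10.11.10.255,138,138,209
May  5 09:12:07 pfSense filterlog: 5,,,1000000103,em0_vlan10,match,block,in,4,0x0,,128,4104,0,none,17,udp,229,10.11.10.11,10.11.10.255,138,138,209'

# Which hosts generate the NetBIOS noise (udp/137 name service, udp/138
# datagram service) and toward which destination: count per src -> dst:port.
netbios_summary() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    { sub(/^.*filterlog: /, ""); split($0, f, ",") }
    f[9] == "4" && f[17] == "udp" && (f[22] == "137" || f[22] == "138") {
      c[f[19] " -> " f[20] " udp/" f[22]]++
    }
    END { for (k in c) print c[k], k }' | sort -rn
}

# Which rule produced the entries: count per tracker id, action and interface.
# Tracker 1000000103 is the id pfSense gives its IPv4 default deny rule.
blocks_by_rule() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    { sub(/^.*filterlog: /, ""); split($0, f, ",")
      c[f[4] " " f[7] " on " f[5]]++ }
    END { for (k in c) print c[k], k }' | sort -rn
}

# On a live box, feed the awk pipelines with: clog /var/log/filter.log
netbios_summary
blocks_by_rule
```

The first summary answers "who is sending this and where", so the fix can be applied at the source (or a targeted block rule written for exactly that traffic); the second answers "which rule is logging it", which is what the log-only-default-deny argument above turns on.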
                        • J
                          jim82 last edited by

                          Hi John,

                          Thanks a lot for the insightful information. I have started to investigate the traffic now. Generally it is NetBIOS broadcasts which could be ignored or disabled, since NetBIOS can now be served over DNS instead.

                          In regards to the "engine light" analogy, I completely agree! Sometimes one just requires a real world simple comparison of an otherwise more complex problem.

                          Have a nice day
                          BR Jim

                          • KOM
                            KOM last edited by

                            Where do you see that it is the default deny rule?  He is not listing the rules.. So how do you know it's default deny without seeing the rest of his rules.

                            Educated guess.  Only his main LAN gets an auto-rule.  All others are empty.  He is blocking NetBIOS traffic without knowing what, where or why, which leads me to believe it's the default deny rule.  It doesn't take the Scooby Gang to figure that mystery out.
