Firewall Seeing Port 137, 138 UDP Traffic

My local Linux PC firewall -- a new one called firestarter -- is
seeing port 137 and 138 traffic from another Windows computer on my
home LAN behind my home's firewall. I think that's normal Microsoft
broadcasts, right, checking out my Linux computer to update its
netbios routing? I shouldn't be worried and I can allow this kind of
traffic from my other Windows computer, right?

On 1 Aug 2004 09:33:45 -0700, Google Mike wrote:
> My local Linux PC firewall -- a new one called firestarter -- is
> seeing port 137 and 138 traffic from another Windows computer on my
> home LAN behind my home's firewall. I think that's normal Microsoft
> broadcasts, right,

Hmmm, yes unless the box is infected and sending out 137/138 probes to
find other boxes to infect.

On Sun, 01 Aug 2004, Bit Twister <(E-Mail Removed)> wrote:
> On 1 Aug 2004 09:33:45 -0700, Google Mike wrote:
>> My local Linux PC firewall -- a new one called firestarter -- is
>> seeing port 137 and 138 traffic from another Windows computer on my
>> home LAN behind my home's firewall. I think that's normal Microsoft
>> broadcasts, right,
>
> Hmmm, yes unless the box is infected and sending out 137/138 probes to
> find other boxes to infect.

But you should certainly drop (or not allow) any port 137-139 traffic to
or from the internet and drop any LAN broadcast traffic to internet.

--
David Efflandt - All spam ignored http://www.de-srv.com/

Bit Twister <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>.. .
> On 1 Aug 2004 09:33:45 -0700, Google Mike wrote:
> > My local Linux PC firewall -- a new one called firestarter -- is
> > seeing port 137 and 138 traffic from another Windows computer on my
> > home LAN behind my home's firewall. I think that's normal Microsoft
> > broadcasts, right,
>
> Hmmm, yes unless the box is infected and sending out 137/138 probes to
> find other boxes to infect.

Too hard to tell, I guess, isn't it? I used to service pack the junk
out of my home Windows systems. This was a big pain in the rear over
dial-up. (I live where only dial-up is possible.) However, ever since
I got the firewall, I just stick with the original W2K install and my
wife, who uses this PC, uses Mozilla Firefox and Mozilla Thunderbird,
and knows my file attachment policy, so I don't worry too much about
attacks. But even still, when I have this thing being chatty on 137
and 138 with my Linux box, which is normal Windows stuff, I cannot
scientifically rule out that it is not trying to do a probe infection.
If you have a test I could run that turns off normal 137/138 Windows
activity for a few moments, I could then see if it's still happening
and that would clue me into a virus.

(E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
> On Sun, 01 Aug 2004, Bit Twister <(E-Mail Removed)> wrote:
> > On 1 Aug 2004 09:33:45 -0700, Google Mike wrote:
> >> My local Linux PC firewall -- a new one called firestarter -- is
> >> seeing port 137 and 138 traffic from another Windows computer on my
> >> home LAN behind my home's firewall. I think that's normal Microsoft
> >> broadcasts, right,
> >
> > Hmmm, yes unless the box is infected and sending out 137/138 probes to
> > find other boxes to infect.
>
> But you should certainly drop (or not allow) any port 137-139 traffic to
> or from the internet and drop any LAN broadcast traffic to internet.

Yep. My firewall blocks stuff going out and coming in on these ports,
but I don't think I have a setting to stop traffic on my side of the
firewall for this activity. Besides, there are times at home when I
need port 137 and 138 traffic so that I can do file exchanges between
Windows and Linux.

On 3 Aug 2004 18:32:33 -0700, Google Mike wrote:

> If you have a test I could run that turns off normal 137/138 Windows
> activity for a few moments, I could then see if it's still happening
> and that would clue me into a virus.

That would be a windows questions for a windows newsgroup. 8-)

Here, http://www.blackviper.com/WIN2K/servicecfg.htm

Bit Twister <(E-Mail Removed)> wrote in message

> That would be a windows questions for a windows newsgroup. 8-)
>
> Here, http://www.blackviper.com/WIN2K/servicecfg.htm

Ah, yeah. So I forget. Thanks.