
Re: [cobalt-security] Why does PortSentry continue to log ports 137 and 138 even though I've told it not to?



Gerald wrote:
> Dan wrote:
> > Thanks, but where is this "route" table? I've tried to
> > "locate" it but couldn't find it?
> try "man route" or just enter the command "route" (as root)


Gerald, your dedication to the cause of teaching Dan about the route command
is admirable :o) Unfortunately the problem is not really to do with the
routing; it's that the firewall he's using is setting up ipchains to log
stuff it's denying.

ipchains is a system for managing IP connections to your machine. It
operates using a set (a chain) of rules you supply it with, and the firewall
script sets up these rules. ipchains takes each incoming or outgoing packet
and puts it through the rules in order, until it is denied or accepted or
whatever.

Typing "ipchains -L" shows the ipchains rules that the firewall script has
been given, looking a bit like this:

target     prot opt     source                destination           ports
DENY       all  ----l-  192.168.0.1           anywhere              n/a

this ---------------^ indicates that if the rule triggers, it should record
that action to the system log.

ipchains rules are set up by commands like:

ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l

where the -l on the end tells ipchains to log the rule triggering.

Simply removing the -l from the appropriate rule stops this logging
happening. Of course, you might want to read when the rule is triggering, in
which case you could set up a more specific rule earlier in the chain that
catches the connections to ports 137 and 138 and denies them without
logging, as others on here have suggested.

For more information, try typing: man ipchains
Of course, if you haven't already read the manual page for route, that's a
useful thing to know about as well!

Cheers
Stephen
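
Added example (not part of Stephen's message or of the firewall script under discussion): a shell sketch that finds the first logging rule in an "ipchains -L" listing and prints the insert command for a DENY without -l on ports 137 and 138 just ahead of it. The listing is constructed in the column layout quoted above, the function names are hypothetical, and UDP is an assumption; the thread does not name the protocol.

```shell
#!/bin/sh
# Constructed sample in the column layout of the "ipchains -L" listing quoted
# in the message (not captured from a real host). Rule 3 has the "l" flag.
sample_listing() {
cat <<'EOF'
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.0.0/24        anywhere              n/a
DENY       all  ------  10.0.0.0/8            anywhere              n/a
DENY       all  ----l-  anywhere              anywhere              n/a
EOF
}

# Print the 1-based position of the first rule whose opt field carries the
# log flag; print nothing if no rule logs. Reads a listing on stdin.
first_logging_rule() {
    awk '
        /^Chain / || /^target / { next }      # skip the two header lines
        NF >= 3 { n++; if ($3 ~ /l/) { print n; exit } }
    '
}

# Emit (do not run) the command that inserts a non-logging DENY for ports
# 137:138 at the position of the first logging rule, pushing that rule down.
# $1 = chain, $2 = protocol (udp is an assumption; pass tcp if needed).
quiet_netbios_rule() {
    chain=$1
    proto=${2:-udp}
    pos=$(first_logging_rule)
    if [ -z "$pos" ]; then
        echo "# no logging rule in $chain; nothing to insert"
        return 0
    fi
    echo "ipchains -I $chain $pos -p $proto -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY"
}

# Demo on the constructed listing; on a live host the input would instead
# come from "ipchains -L input -n".
sample_listing | quiet_netbios_rule input
```

Because the chain is evaluated in order, the inserted rule matches the 137/138 traffic first and the logging rule below it still records everything else.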