Koozali.org: home of the SME Server

Security issue

Offline arcano

Security issue
« on: November 04, 2006, 02:15:31 AM »
Making a tcpdump on my inner card I found a result that I can't explain.
Quote
19:04:12.237864 arp reply 149.49.32.134 is-at 00:40:0d:c0:5a:25
19:04:12.590337 arp reply 149.49.32.134 is-at 00:40:0d:c0:5b:89
19:04:12.767839 IP 149.49.32.134.1030 > 149.49.32.255.time: UDP, length 0
19:04:12.791362 arp reply 149.49.32.134 is-at 00:40:0d:c0:5a:d8
19:04:13.049484 arp reply 149.49.32.134 is-at 00:40:0d:c0:5a:5e

19:04:13.101156 NetBeui Packet
19:04:13.413000 IP 149.49.32.134.1030 > 149.49.32.255.time: UDP, length 0
19:04:14.006113 802.1d config 8000.00:40:0d:92:59:e5.800b root 8000.00:40:0d:92:59:e5 pathcost 0 age 0 max 20 hello 2 fdelay 15
19:04:14.087006 IP lpescolares.izt.iems.df.netbios-dgm > 192.168.8.255.netbios-dgm: NBT UDP PACKET(138)

19:04:14.087244 NetBeui Packet
19:04:14.087526 IP lpescolares.izt.iems.df.netbios-dgm > 192.168.8.255.netbios-dgm: NBT UDP PACKET(138)
19:04:14.087751 NetBeui Packet
19:04:15.176371 IP 149.49.32.134.1030 > 149.49.32.255.time: UDP, length 0
19:04:15.311390 arp reply 149.49.32.134 is-at 00:40:0d:c0:5b:66

Can anybody tell me what these mean? My inner network is of the kind 192.168.1.0/24.

I need to manage iptables, but the guidance I found is very simple on the syntax of the e-smith iptables configuration.

I did some changes, but every time I misconfigure it. Where can I find the explanation of each chain?

Thanks


Offline mmccarn

Security issue
« Reply #1 on: November 04, 2006, 03:22:22 PM »
I agree - this looks very suspicious.
1. Why is there no "arp who-has" traffic?
2. Why are there so many "arp reply..." packets with the same IP address but different MAC addresses?

Unfortunately, I can't help as to why you're getting these packets.

I want to alert you, however, about the SME "templating" system - the iptables rules are controlled by /etc/rc.d/init.d/masq which is heavily templated -- any changes you make manually to iptables will disappear as soon as you reboot unless you find out how to re-apply your customizations at each reboot.

You can learn more about how SME generates /etc/rc.d/init.d/masq by looking at the template fragments in /etc/e-smith/templates/etc/rc.d/init.d/masq.

If you find a fragment that you want to modify, copy it to /etc/e-smith/templates-custom/etc/rc.d/init.d/masq and make your changes in the new "custom" copy; a fragment with the same name under "templates-custom" will override a fragment in "templates".
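As an added example (not code from the thread or from SME Server), a small Python script that applies the two checks raised in this reply to the capture quoted above: it flags any IP announced by more than one MAC in "arp reply" lines and reports when replies appear with no "arp who-has" request anywhere in the capture. It assumes the old tcpdump line format shown in the quote (newer tcpdump prints "ARP, Reply ..."); the sample lines are copied from the quoted capture.

```python
import re
from collections import defaultdict

# Constructed sample: the ARP and neighbouring lines from the capture quoted in the thread.
SAMPLE = """\
19:04:12.237864 arp reply 149.49.32.134 is-at 00:40:0d:c0:5a:25
19:04:12.590337 arp reply 149.49.32.134 is-at 00:40:0d:c0:5b:89
19:04:12.767839 IP 149.49.32.134.1030 > 149.49.32.255.time: UDP, length 0
19:04:12.791362 arp reply 149.49.32.134 is-at 00:40:0d:c0:5a:d8
19:04:13.049484 arp reply 149.49.32.134 is-at 00:40:0d:c0:5a:5e
19:04:13.101156 NetBeui Packet
19:04:15.311390 arp reply 149.49.32.134 is-at 00:40:0d:c0:5b:66
"""

# Old tcpdump output format, as in the quoted capture (assumption).
ARP_REPLY = re.compile(r"^\S+ arp reply (\S+) is-at ([0-9a-f:]{17})$", re.I)
ARP_WHO_HAS = re.compile(r"^\S+ arp who-has (\S+)", re.I)

def analyze_arp(text):
    """Return (ip -> set of MACs that announced it, count of who-has requests seen)."""
    claims = defaultdict(set)
    who_has = 0
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
            continue
        if ARP_WHO_HAS.match(line):
            who_has += 1
    return dict(claims), who_has

def suspicious_ips(text):
    """IPs announced by more than one MAC: inconsistent, worth investigating."""
    claims, _ = analyze_arp(text)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def unsolicited_replies(text):
    """True when ARP replies are present but no who-has request is in the capture."""
    claims, who_has = analyze_arp(text)
    return bool(claims) and who_has == 0

if __name__ == "__main__":
    for ip, macs in suspicious_ips(SAMPLE).items():
        print(f"{ip} announced by {len(macs)} MACs: {', '.join(macs)}")
    print("replies without any who-has request:", unsolicited_replies(SAMPLE))
```

Run it against a longer capture saved with tcpdump -n to see whether the pattern persists or is limited to the one burst shown.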

Offline arcano

Very suspicious!
« Reply #2 on: November 04, 2006, 09:16:36 PM »
Controlling all users is very difficult. I know a bit of iptables configuration; nevertheless I can't clearly get the meaning of all the chains. I already checked out those files and I have made the changes, but filtering sometimes bypasses the template rules, which are very friendly for outsiders. I'm doing a new set of rules whose default policy becomes DROP; it needs too much workshop, but the problem is that any time I have to move, add or delete computers, I know those changes in some place may affect the firewall config.

Is there, somewhere, any source documentation on how the SME firewall was designed, and where it interacts with other templates (ex: squid, apache, webdav...)?

If I find it, I'll publish an alternative fw_rules with drop default policy.

Thanks for checking it out.

All those who are admins of a mid-size network: have you ever checked out your inner netcard with tcpdump or ethereal? Have you found this kind of records?