What's happening behind my router?

First, here’s a brief summary of setup…

3 Computers behind a Linksys wireless router. Two are hard-wired, one is wireless. These computers are NOT networked other than sharing the router for an internet connection.

The Story…
My Comodo Firewall logs fill up on a daily basis with blocked packets from the other 2 computers that are behind the router. I’m not very knowledgeable on the subject so I don’t know if this party of packets is normal or if the other two machines are compromised in some way.

Here are a few tidbits from my logs…
Date/Time :2007-06-15 11:25:59
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.103:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 11:20:24
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.103:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 11:10:59
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.103:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 11:10:54
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.103:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 11:09:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.103:nbname(137)
Destination: 192.168.1.101:nbname(137)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 11:09:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.103:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 00:26:36
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.103:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 6

This goes on all day and all night.

If this is not normal then…
Could the machines be compromised?
Could the other 2 machines be tweaked to prevent them from sending these packets?

If it is normal traffic then…
Would it be wise to edit rule number 6 to NOT log the events? If I do this then I think Comodo will cease logging all blocked traffic. (I may be wrong though)

I’m not sure what action to take. All I know is I have to clear my firewall log daily or it becomes extremely bloated. It’s a real pain.

Thanks for any info or advice.

Mike

Hi Mike

This traffic is normal MS File Sharing traffic. It gives no indication that the other systems in your LAN have been compromised in any way.

I suspect that you have not set up a Trusted Zone (Security - Tasks) that includes all PCs on your LAN (if you trust them) & your router’s LAN IP (if it has one).

I recommend that you look at our FAQ List. The FAQ List has links to loads of useful information at varying levels (from beginner to advanced).

I hope this helps, if not then please post again.

PS Do not alter, move or remove CFP's Final Block & Log rule (rule 6). It is a vital rule that stops unsolicited connection attempts.

PPS If you want to silently block the other PCs on your LAN, just create a rule (above your final block & log rule) that silently (no Log) blocks any incoming calls from the LAN IPs (you can probably specify a range of IPs).

Thanks for the reply Kail. That link should keep me busy for quite some time.

Just as a follow up to your post.

These other boxes do not need file sharing and should not be set up as such. I will look into that, and disable that option if that’s what is going on.

I do NOT trust these other boxes behind the router, so putting them in a trusted zone is…well…out of the question. Mainly because my 16 year old niece uses the wireless for her laptop. She has no interest in keeping her end secure. Even though I have the wireless encrypted and not broadcasting the SSID, I still consider her machine to be the biggest risk.

For now, it looks like the best solution is creating the rule that you suggested. I will do that immediately and hopefully the link you provided may reveal some other useful measures.

Thanks again…I DO appreciate it.

Mike

Hi Mike

Fair enough & understood. Since it is all UDP on nbname (port 137) & nbdgram (138) broadcast to 192.168.1.255 it looks like NetBIOS over TCP/IP. An active/connected “session” would use TCP nbsess (port 139). It is likely those other PCs are not using NetBIOS & you can remove it.
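The two points Kail makes, that UDP to ports 137/138 aimed at 192.168.1.255 is NetBIOS broadcast noise rather than a session, and that a silent block rule placed above the final block & log rule keeps it out of the log, can be checked against the log text itself. The script below is an added example written for this page; it is not Comodo's code and nothing in the thread ran it. It parses entries in the Network Monitor format quoted above, labels each as NetBIOS broadcast, directed NetBIOS, NetBIOS session or other, and then simulates a first-match rule list to show how many entries each ordering would log. Assumptions: the LAN is 192.168.1.0/24 (a typical Linksys default; the thread never states the mask), the third sample entry from 203.0.113.9 is constructed to represent an outside probe, and Comodo's rule matching is simplified to source-address only.

```python
"""Classify Comodo Network Monitor entries and simulate first-match rule ordering."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: Linksys default LAN
NETBIOS_UDP = {137: "nbname", 138: "nbdgram"}   # name service / datagram service

# Constructed sample in the thread's log format; one entry per blank-line-separated block.
SAMPLE_LOG = """\
Date/Time :2007-06-15 11:25:59
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.103:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 11:09:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.103, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.103:nbname(137)
Destination: 192.168.1.101:nbname(137)
Reason: Network Control Rule ID = 6

Date/Time :2007-06-15 11:30:02
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 203.0.113.9, Port = 445)
Protocol: TCP Incoming
Source: 203.0.113.9:3412
Destination: 192.168.1.101:445
Reason: Network Control Rule ID = 6
"""

# "192.168.1.103:nbdgram(138)" or "203.0.113.9:3412" -> (ip, port)
ENDPOINT = re.compile(r"^(?P<ip>[\d.]+):(?:[a-z-]+\()?(?P<port>\d+)\)?$")
FIELD = re.compile(r"^(?P<key>[A-Za-z/ ]+?)\s*:\s*(?P<val>.*)$")


@dataclass
class Entry:
    when: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def _endpoint(text):
    m = ENDPOINT.match(text.strip())
    if not m:
        raise ValueError(f"unparsable endpoint: {text!r}")
    return ipaddress.ip_address(m["ip"]), int(m["port"])


def parse_log(text):
    """Parse blank-line-separated Network Monitor entries into Entry objects."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m["key"].strip()] = m["val"].strip()
        src, sport = _endpoint(fields["Source"])
        dst, dport = _endpoint(fields["Destination"])
        entries.append(Entry(fields["Date/Time"], fields["Protocol"].split()[0],
                             src, sport, dst, dport))
    return entries


def classify(e):
    """Label an entry the way the reply does: broadcast NetBIOS, directed NetBIOS, session, other."""
    if e.proto == "UDP" and e.dport in NETBIOS_UDP:
        return "netbios-broadcast" if e.dst == LAN.broadcast_address else "netbios-directed"
    if e.proto == "TCP" and e.dport == 139:
        return "netbios-session"   # nbsess: what an actual connected session would use
    return "other"


@dataclass
class Rule:
    name: str
    action: str   # "block" or "allow"
    log: bool
    src: ipaddress.IPv4Network = field(default_factory=lambda: ipaddress.ip_network("0.0.0.0/0"))

    def matches(self, e):
        return e.src in self.src


# Illustrative names; the real rule list has more fields than source address.
FINAL_BLOCK_AND_LOG = Rule("final block & log (rule 6)", "block", True)
SILENT_LAN_BLOCK = Rule("silent LAN block", "block", False, LAN)


def evaluate(e, rules):
    """First matching rule wins, as in an ordered Network Control rule list."""
    for r in rules:
        if r.matches(e):
            return r.name, r.action, r.log
    return "no rule matched", "allow", False


def logged_entries(entries, rules):
    return [e for e in entries if evaluate(e, rules)[2]]


def summarize(text, rules):
    entries = parse_log(text)
    return {"total": len(entries),
            "kinds": dict(Counter(classify(e) for e in entries)),
            "logged": len(logged_entries(entries, rules))}


if __name__ == "__main__":
    print("rule 6 only:     ", summarize(SAMPLE_LOG, [FINAL_BLOCK_AND_LOG]))
    print("silent LAN above:", summarize(SAMPLE_LOG, [SILENT_LAN_BLOCK, FINAL_BLOCK_AND_LOG]))
    print("silent LAN below:", summarize(SAMPLE_LOG, [FINAL_BLOCK_AND_LOG, SILENT_LAN_BLOCK]))
```

Run against the constructed sample, only the outside probe remains in the log once the silent LAN rule sits above rule 6; put the same rule below rule 6 and it never matches, so all three entries are logged again, which is why the ordering in the reply matters. The "netbios-directed" label is worth keeping separate from the broadcast one: a unicast name query to a specific host (the 11:09:33 entry to 192.168.1.101) is still ordinary NetBIOS behaviour, but it is the kind of entry you would want to see if a LAN host you do not trust started probing individual machines.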