Keep in mind that filtering packets prevents those packets from being passed
to other interfaces or networks, but doesn't mean the interface receiving
them never sees them. How would it filter packets if it didn't evaluate them
first? As long as the NetBIOS release messages you're seeing are only
getting to that interface and no further, I'd say your filters are working
as expected. Does this make sense?

Laura A. Robinson
Technical Instructor/Consultant
MCT, MCSE, CLI, PCLP
IntelliMark Pennsylvania Division
http://www.intellimark-it.com
lrobinsonintellimark-it.com
----- Original Message -----
From: "Rich Wilson" <wk633yahoo.com>
To: "Ben Jolly" <Ben.Jollyneonsys.com>; <focus-mssecurityfocus.com>
Sent: Tuesday, July 03, 2001 6:55 PM
Subject: RE: NetBT release messages

> DOH!
>
> Thanks (and to Laura, and a few others who replied privately).
>
> It still doesn't answer my questions ('problems') but it does 'solve' the
> problem, which is good enough for me right now. The messages are being
> generated by other machines (not the one generating the Event), so I'm
still a
> bit worried as to how they are getting through my IPSec filters. I guess
MS
> thinks our Computing Experience will be better if some things are left a
> mystery :-)
>
> --- Ben Jolly <Ben.Jollyneonsys.com> wrote:
> > Disable NetBIOS on the External Interface. If you are just Blocking
NetBIOS
> > than NetBIOS is still active on that interface. Go to the Properties of
the
> > connection Internet Protocol Properties Advanced Wins select Disable
NetBIOS
> > over TCP/IP.
> >
> >
> >
> > -----Original Message-----
> > From: Rich Wilson [mailto:wk633yahoo.com]
> > Sent: Friday, June 29, 2001 5:21 PM
> > To: focus-mssecurityfocus.com
> > Subject: NetBT release messages
> >
> >
> > I have a problem that's driving me batty.
> >
> > I have a dual-hostsed server, internal network is 172.16.1.0, external
is
> > 192.168.1.0 (all behind a corporate FW). The server has ipsec rules
applied
> > for port filtering. There's a default deny everything rule, a rule that
> > allows
> > anything from 172.16.1.0, an HTTP rule (allow TCP from any to my address
on
> > 80)
> > an SMTP client rule (allow TCP from me to any on 25) and a DNS client
rule
> > (allow TCP/UDP from me to any on 53).
> >
> > The server is getting NetBT release messages from other machines on the
> > 192.168.1.0 network, and generating Event ID 4320. The IP in the data
of
> > the
> > event always points to a 192.168.1.0 machine. The machines generating
the
> > release messages don't have access to the 172.16.1.0 network.
> >
> > Problem 1 is why other machines are generating these? I've been through
all
> > the 'normal' reasons for this (searching http://www.eventid.net and
> > http://support.microsoft.com/support/kb/articles/Q120/7/52.asp) but I
can't
> > see
> > any duplicate names anywhere. I've heard having a workgroup name and
system
> > name the same will cause this, I don't have that.
> >
> > Problem 2 is how these messages are getting past IPSec. They appear
even if
> > I
> > have a specific rule to block UDP on ports 137, 138 and 139. I went so
far
> > as
> > to write a client/server to send simple UDP packets to make sure IPSec
was
> > working, and it is in fact blocking.
> >
> > Anybody run accross something like this before? I am using Win2K
server,
> > SP2.
> >
> >
> > =====
> > : __o
> > : -\<,
> > : 0/ 0
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Get personalized email addresses from Yahoo! Mail
> > http://personal.mail.yahoo.com/
>
>
> =====
> : __o
> : -\<,
> : 0/ 0
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail
> http://personal.mail.yahoo.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]