Fedora Linux Support Community & Resources Center

  #1  
Old 28th September 2006, 02:02 PM
JoeyJoJoe Offline
Registered User
 
Join Date: Apr 2006
Location: Coventry, UK
Posts: 444
Need urgent help re: Firewall hits

I'm getting at least one hit on Firestarter (the firewall) every second; there have been thousands in less than 12 hours of uptime. I wouldn't be that bothered about ignoring them because they are being stopped, but every time it happens my CPU speed goes up to 1.5GHz (it's a Centrino, which varies depending on use but always used to just sit at 600MHz when not opening anything - and use a lot less power).

and there have been some which are classified as "serious"...

The bulk of them are on port 5353 with varying sources (but all close to my IP address) using protocol UDP on the service Mdns. I tried to look up the hostname, but for the most part I couldn't get anything, although I did get a couple which came from:
"dhcp-69.unregistered.(then the name of the people who do my internet)"



The serious ones were very strange, coming from an IP address in my range (probably from my building), and were on various ports 137-139 on the protocol UDP on the service Samba (SMB)... which seems to be some kind of Windows thing. Some were on port 80 using protocol TCP using service HTTP. There was also one which was on port 445 using TCP with the service "Microsoft-ds". This seems to be the behaviour of a worm (more info would be great if you could pin it down); is the other stuff connected to it?


Does anyone have any idea what I can/should do to stop this? I'd really appreciate any advice I could get. And would ideally like to not have to ring the people who provide my service.

Thanks,
__________________
Registered Linux User #416286
Reply With Quote
  #2  
Old 28th September 2006, 02:08 PM
William Haller Offline
Registered User
 
Join Date: Jul 2005
Age: 52
Posts: 1,013
You obviously can't stop the hits - a couple of items to look at - you might have a very large logfile that is being retained by firestarter - try erasing the log and see if it helps. Also, for the very popular 137-139, 445 type ports, you might consider not logging them at all - just block them and forget about them.

Last edited by William Haller; 28th September 2006 at 02:10 PM.
Reply With Quote
  #3  
Old 28th September 2006, 03:04 PM
JoeyJoJoe Offline
Registered User
 
Join Date: Apr 2006
Location: Coventry, UK
Posts: 444
How can I set it to block silently? Would putting something into iptables do that without using any CPU power?
__________________
Registered Linux User #416286
Reply With Quote
  #4  
Old 28th September 2006, 03:20 PM
William Haller Offline
Registered User
 
Join Date: Jul 2005
Age: 52
Posts: 1,013
I haven't used firestarter for a while, but the website indicates you can tell it to ignore redundant hits or hits not directed to your firewall box. These will just affect what is being displayed in your firestarter window - they'll still get logged.

iptables does let you drop packets silently. You would have to go in and mess with the firestarter rules to do that unless the latest version has a right click option on the policy page item associated with the rule that lets you do that by now.

Does the CPU usage just go up when you have firestarter's GUI up or does the CPU usage go up with any hits? If just with the GUI, then leave the GUI off. Unless you tell firestarter to disable the firewall, any rules you have created don't go away if you stop firestarter, and you may find the system load is drastically reduced.

I recommend fwbuilder. It gives you a nice GUI for laying out your firewall and much more flexibility in configuration (particularly if you have multiple NICs). You don't get the nice active hits display - you have to look at the system logfile, but you have more control over your configuration.
Reply With Quote
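
The silent drop described in post #4, written out as an added example that is not part of any post in this thread: a script that prints `iptables` rules dropping the ports named in post #1 ahead of any logging rule. The `INPUT` chain and the rule position are assumptions, since Firestarter's own chain layout is not shown in the thread, and rules inserted by hand are lost when the ruleset is reloaded.

```shell
#!/bin/sh
# Added example: print iptables commands that drop the noisy ports from this
# thread without logging them. Nothing is applied unless the output is piped
# to a root shell.

# Ports named in the thread, as proto:port or proto:first:last.
NOISY_PORTS="udp:5353 udp:137:139 tcp:445"

# Assumption: the hits traverse the built-in INPUT chain and any LOG rule
# sits further down that chain (or in a chain it jumps to).
CHAIN="${CHAIN:-INPUT}"

# valid_port N: succeeds if N is an integer between 1 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# silent_drop_rules SPEC...: print one rule per spec, or fail on a bad spec.
# "-I CHAIN 1" inserts at the top, so the packet hits DROP before any LOG
# target. DROP sends no reply and, with no LOG rule matched, writes no log.
silent_drop_rules() {
    for spec in "$@"; do
        proto=${spec%%:*}
        ports=${spec#*:}
        lo=${ports%%:*}
        hi=${ports#*:}          # same as $lo when no range is given
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        if ! valid_port "$lo" || ! valid_port "$hi" || [ "$lo" -gt "$hi" ]; then
            echo "bad port in '$spec'" >&2; return 1
        fi
        echo "iptables -I $CHAIN 1 -p $proto --dport $ports -j DROP"
    done
}

# Dry run: show the rules for review.
silent_drop_rules $NOISY_PORTS
```

Review the printed rules, then pipe them to `sh` as root to apply them. Dropping UDP 5353 also discards incoming mDNS traffic, so local service discovery such as Avahi will stop seeing other hosts on that interface.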
  #5  
Old 28th September 2006, 04:26 PM
JoeyJoJoe Offline
Registered User
 
Join Date: Apr 2006
Location: Coventry, UK
Posts: 444
That's a lot better now. I set it to not log the events, so hopefully it will be blocking it silently now. I had a detailed look through the manual (it's a shame there isn't a man page, but the online one is OK), and it seems that when you get a hit you can right-click and say "disable events on port", which apparently blocks them silently now (I hope).

It does seem like this is what I wanted pretty much. I'm not sure what to do about the serious events; I did consider trying to figure out exactly who it was who initiated them and trying to do something (I'm pretty sure it's this worm which is causing it http://en.wikipedia.org/wiki/Sasser_(computer_worm) and because I sometimes find it useful to run Windows without a firewall it'd be better for me if this wasn't happening), but it does seem like a lot of effort...

anyway, thanks for the advice and the time,

-Joe
__________________
Registered Linux User #416286
Reply With Quote