Guest Usenet
Posted August 14, 2008

I've swapped over a firewall this morning. The new brick has much more/better logging than the previous one. Our internal IP range is 10.x.x.x and I'm seeing loads of netbios tcp/udp traffic being blocked by the firewall that is for all manner of destinations, i.e. 192.168.x.x, 172.22.100.x, 100.0.0.254 and so on. We don't use any of those ranges, and the DC is the only machine that is doing this.

I've run lots of virus scans and I believe I've ruled out any sort of trojan/infection etc., and if it were a "nasty" I don't think I'd be seeing so much for the 192.168.x.x ranges. Any suggestions on what on earth may be going on would be welcome.

The machine is our PDC Emulator/FSMO master and is Windows 2003 R2 running on an HP DL360 G4 with PSP 8.x installed and the two NICs teamed. I have been running tcpview and have run several spyware/trojan/rootkit tools and they all come back clean. I'm convinced this is some function specific to the fact that it's a domain controller, as the firewall would log anything else and we have too many desktops and servers here for me to think it's coincidence that it's the DC.

All the dropped requests are netbios-udp and nothing is netbios-tcp. Sample IP addresses are:

172.22.100.103
202.250.33.5
100.0.0.254
192.168.x.x

Most of these IPs are either private, or come back as being reserved, which makes me suspect it's responding to broadcasts from bits of network kit such as switches that have been "dropped" into our network without having been configured away from the factory defaults. Question is, does that sound correct, and other than a lengthy tracking down process, is there any way around it?
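
One way to triage the drops described above, as an added example that is not part of the original post: it counts dropped NetBIOS UDP packets per source and destination and labels each destination relative to a 10.0.0.0/8 site. The log line format, the 10.0.0.10 and 10.0.0.57 source addresses and the timestamps are constructed assumptions; only the three destination addresses come from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in an assumed log format; 10.0.0.10 stands in for the DC.
SAMPLE_LOG = """\
2008-08-14 09:01:12 DROP udp 10.0.0.10:137 -> 172.22.100.103:137
2008-08-14 09:01:13 DROP udp 10.0.0.10:137 -> 172.22.100.103:137
2008-08-14 09:01:15 DROP udp 10.0.0.10:138 -> 100.0.0.254:138
2008-08-14 09:01:19 DROP udp 10.0.0.10:137 -> 202.250.33.5:137
2008-08-14 09:01:21 DROP tcp 10.0.0.57:1044 -> 202.250.33.5:80
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the range the post says is in use
OTHER_PRIVATE = [ipaddress.ip_network(n) for n in ("172.16.0.0/12", "192.168.0.0/16")]
SPECIAL = [ipaddress.ip_network(n) for n in
           ("100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
NETBIOS_UDP = {137: "name service", 138: "datagram service"}
LINE_RE = re.compile(r"DROP (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def classify(addr):
    """Place a destination in one of four buckets relative to a 10.0.0.0/8 site."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if any(ip in net for net in OTHER_PRIVATE):
        return "private-unused"
    if any(ip in net for net in SPECIAL):
        return "special-use"
    return "public"

def summarize(log_text):
    """Count dropped NetBIOS UDP packets per (source, destination, port, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"].lower() != "udp":
            continue
        dport = int(m["dport"])
        if dport in NETBIOS_UDP:
            counts[(m["src"], m["dst"], dport, classify(m["dst"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, port, cls), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src} -> {dst}  udp/{port} ({NETBIOS_UDP[port]})  {cls}")
```

Splitting the counts by port 137 versus 138 and by destination class shows at a glance which destinations fall in unused private ranges and which fall outside every private or special-use block.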