Firewall Log

I just installed a new Cisco RV042 Firewall and it has been working great.  However, today I looked at the security logs and I found a lot more in there that I thought there would be.  Can you tell me if there is anything that is dangerous?  Also, I noticed a lot on port 137 & 138, which I have read is NetBIOS.  Should I be blocking these port internally or should I just go around to all my desktops and servers and turn off NETBIOS?  This log is only from the last few minutes.  Thanks.
Log.txt
rlindbeckAsked:
Who is Participating?
 
davorinCommented:
Everything is fine. It is external IP address. I supose you have range of fixed IP addresses from 200 to 207 from run runner ISP. Web server mabe is not directly connected to router, but it is indirectly over some switch or something for sure. If you do not use some firewall to block ports to your web server (recommended), It would be nice to block them at least at web server firewall. leave open only ports you really need to be published (80, 443,...).
Which ports are open to internet you can test with shieldsup: http://www.grc.com/intro.htm
0
 
davorinCommented:
What you have there are NetBios broadcasts to 192.168.200.255 (whole LAN) - If you have network of Ms computers you need that for file sharing, printing, etc.
Most important is that these ports are blocked from/to internet.
0
 
rlindbeckAuthor Commented:
So should I allow ports 137 and 138 on the LAN?
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
Rick_O_ShayCommented:
It is normal to block any of the netbios related ports form going to the outside.
That is basically what the log is showing.
0
 
rlindbeckAuthor Commented:
So I should allow the LAN to send send port 137 & 138 at all LAN addresses?  Or should I just open all ports ont he LAN to the LAN?  Thanks.

Ryan
0
 
Rick_O_ShayCommented:
It is also dropping multicasts that are for local use which is also normal.
0
 
Rick_O_ShayCommented:
Yes, in a windows networking environment Microsoft uses it heavily so you will a lot of it on your internal LANs.
0
 
rlindbeckAuthor Commented:
So what the firewall is blocking is normal and I shoudl make no changes?
0
 
rlindbeckAuthor Commented:
OK, so is it common practice to have no blocking on the LAN to the LAN?  I should just open all ports within the LAN to the LAN but not the internet?
0
 
Rick_O_ShayCommented:
Inside is normally pretty much wide open unless you have a specific reason to block something.
0
 
davorinCommented:
Yes, you do not need to do anything if you are having only one LAN. Broadcast is sent to all clients in LAN - also to your router. If you chose to denie, drop or allow that packets on your router is for your clients mostly the same.
0
 
davorinCommented:
How many different subnets do you have?
0
 
rlindbeckAuthor Commented:
None.  We only have one.  There is one public wifi router.
0
 
rlindbeckAuthor Commented:
Dosen't it look like the router is blocking internal traffic?
0
 
davorinCommented:
No, it does not. For internal trafic it does not matter if the router is there or not.
This is because the router routes only between different networks (eg. internet and LAN).
192.168.200.255 is the network broadcast address - it acctually means that the packet is sent to all network adresses - from192.168.200.1 to 192.168.200.254 (if the subnet mask is 255.255.255.0). One of them is also the routers address. That is why it is loged in routers log.
Traffic between clients in the same network is direct - client to client.
0
 
rlindbeckAuthor Commented:
OK, so from my log would you say everything looks ok?  Thanks.

Ryan
0
 
davorinCommented:
Yes, it looks so.
Just for curiosity - this trafic is on external port of your router?
UDP 76.79.9.204:137->76.79.9.207:137
0
 
rlindbeckAuthor Commented:
76.79.9.204 is an ip address for our webserver which is not even plugged into this router and the 76.79.9.207 is unknown to me.  What do you think is happening there?  Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.