port scan to 255.255.255.255???
  •  
KCAP

Hi
I installed the firewall 6.0.9 (upgraded from 4).
Looks like everything is working; I only get a lot of warnings for port scans from inside our office:

[14/Mar/2005 22:44:25] Port Scan: protocol:UDP, source: 192.168.47.89, destination: 255.255.255.255, ports: 28695, 28951, 29207, 29463, 6000, 6001, 6002, 6003, 6004, 6005, ...
[14/Mar/2005 22:44:40] Port Scan: protocol:UDP, source: 192.168.47.72, destination: 255.255.255.255, ports: 28695, 28951, 29207, 29463, 29719, 29975, 30231, 30487, 30743, 30999, ...
[14/Mar/2005 22:44:51] Port Scan: protocol:UDP, source: 192.168.47.89, destination: 255.255.255.255, ports: 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6008, 6009, ...

What's all this???
It is scanning to 255.255.255.255

Is this important, and if not, how can I ignore it for logging?

Thanks

Teun
KCAP [NL]
  •  
wiper

It's broadcast and means "to all"; the router does not forward it by default.

/W
  •  
KCAP

wiper wrote on Tue, 15 March 2005 16:43

It's broadcast and means "to all"; the router does not forward it by default.

/W


Yes, I know; it is more for our internal traffic. Too much traffic for..

I finally found out what it is: it is our drawing program VECTORWORKS, it is broadcasting serial numbers for its network licences.
But it is very annoying in the log file, my 5Mb is filled in a sec.
Can I adjust the log file setting so it won't log this specific port? Or does somebody have a good program to block this port only on the workstations, without installing a firewall???

Teun
KCAP [NL]
  •  
feite

Try this traffic rule:

name: catch broadcasts
source: LAN
dest: ip address 255.255.255.255
service: any
action: allow, drop, deny (choose one)
log: none

Place this rule somewhere above the rule that is creating the log entries.

I don't know for sure if 255.255.255.255 will work...
  •  
KCAP

feite wrote on Thu, 17 March 2005 12:46

Try this traffic rule:

name: catch broadcasts
source: LAN
dest: ip address 255.255.255.255
service: any
action: allow, drop, deny (choose one)
log: none

Place this rule somewhere above the rule that is creating the log entries.

I don't know for sure if 255.255.255.255 will work...


Thanks, but no result, it doesn't work.
The log file is still growing.

Teun
KCAP [NL]
  •  
feite

You could disable the detection of port scans. I'm not happy with that. To do that you must edit the winroute.cfg (disable the KWF first).

Go to the section <table name="Firewall"> and look for <variable name="PortscanDetection">1</variable>. Replace the 1 with a 0.

Another option is to set the log rotation to a short period of time like every hour or every day and limit the number of old logs. Or you could set the max log size and limit the number of logs.
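
Added example (not part of any post in this thread, and not Kerio's code): a Python sketch that triages log lines in the format quoted in the first post, so the port-scan log can be reviewed without switching detection off. UDP alerts to 255.255.255.255 are counted per source as broadcast noise and everything else is kept for review; the sample lines and the name `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in this thread.
# The first line lacks its leading "[" on purpose, as in the original post.
SAMPLE_LOG = """\
14/Mar/2005 22:44:25] Port Scan: protocol:UDP, source: 192.168.47.89, destination: 255.255.255.255, ports: 28695, 28951, 6000, 6001, ...
[14/Mar/2005 22:44:40] Port Scan: protocol:UDP, source: 192.168.47.72, destination: 255.255.255.255, ports: 28695, 28951, 29207, ...
[14/Mar/2005 22:45:02] Port Scan: protocol:TCP, source: 192.168.47.15, destination: 192.168.47.1, ports: 21, 22, 23, 25, 80, ...
"""

LINE_RE = re.compile(
    r"^\[?(?P<ts>[^\]]+)\] Port Scan: protocol:(?P<proto>\w+), "
    r"source: (?P<src>[\d.]+), destination: (?P<dst>[\d.]+), ports: (?P<ports>.*)$"
)
LIMITED_BROADCAST = "255.255.255.255"


def triage(log_text):
    """Split port-scan alerts into broadcast noise and alerts worth reviewing."""
    noise = defaultdict(lambda: {"alerts": 0, "ports": set()})
    review = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a port-scan entry
        # The log truncates the port list with "..."; keep only numeric entries.
        ports = {int(p) for p in re.findall(r"\d+", m["ports"])}
        if m["proto"] == "UDP" and m["dst"] == LIMITED_BROADCAST:
            # One LAN host sending UDP to "all": count it, remember the ports.
            noise[m["src"]]["alerts"] += 1
            noise[m["src"]]["ports"] |= ports
        else:
            review.append((m["ts"], m["proto"], m["src"], m["dst"], sorted(ports)))
    return dict(noise), review


if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    for src, info in sorted(noise.items()):
        print(f"broadcast noise from {src}: {info['alerts']} alert(s), "
              f"ports {sorted(info['ports'])}")
    for entry in review:
        print("review:", entry)
```

The per-source port sets make it easy to confirm that every noisy workstation is sending to the same ports before deciding how to handle the alerts.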