Usenet
Guest
I've swapped over a firewall this morning.
The new brick has much more/better logging than the previous one.
Our internal IP range is 10.x.x.x and I'm seeing loads of netbios
tcp/udp traffic being blocked by the firewall that is for all manner of
destinations i.e. 192.168.x.x, 172.22.100.x, 100.0.0.254 and so on.
We don't use any of those ranges, and the DC is the only machine that is
doing this.
I've run lots of virus scans and I believe I've ruled out any sort of
trojan/infection etc. and if it were a "nasty" I don't think I'd be
seeing so much for the 192.168.x.x ranges.
Any suggestions on what on earth may be going on would be welcome.
The machine is our PDC Emulator/FSMO master and is Windows 2003 R2
running on a HP DL360 G4 with PSP 8.x installed and the two NICs teamed.
I have been running tcpview and have run several spyware/trojan/rootkit
tools and they all come back clean.
I'm convinced this is some function specific to the fact that it's a
domain controller as the firewall would log anything else and we have
too many desktops and servers here for me to think it's coincidence
that it's the DC.
All the dropped requests are netbios-udp and nothing is netbios-tcp.
Sample IP addresses are:
172.22.100.103
202.250.33.5
100.0.0.254
192.168.x.x
Most of these IPs are either private, or come back as being reserved,
which makes me suspect it's responding to broadcasts from bits of
network kit such as switches that have been "dropped" into our network
without having been configured away from the factory defaults.
Question is, does that sound correct, and other than a lengthy tracking
down process, is there any way around it?
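An added triage script for the situation the post describes (not part of the original post, and not the poster's code): it takes firewall drop records, keeps only UDP traffic to the NetBIOS name and datagram ports (137/138) from the suspect host, and buckets the destinations by address class and by /24, so the "which bits of kit are broadcasting from which factory-default range" hunt starts from a short list instead of the raw log. The log format, the timestamps and the source address 10.0.0.5 are constructed for the example; a real firewall needs its own regular expression in LOG_RE.

```python
"""Triage of firewall DROP records for NetBIOS-over-UDP traffic from one host."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical generic firewall drop format.
# The source 10.0.0.5 stands in for the domain controller under suspicion.
SAMPLE_LOG = """\
2008-03-10 09:01:02 DROP udp 10.0.0.5:137 -> 172.22.100.103:137
2008-03-10 09:01:03 DROP udp 10.0.0.5:137 -> 192.168.1.1:137
2008-03-10 09:01:04 DROP udp 10.0.0.5:138 -> 192.168.1.2:138
2008-03-10 09:01:05 DROP udp 10.0.0.5:137 -> 100.0.0.254:137
2008-03-10 09:01:06 DROP udp 10.0.0.5:137 -> 202.250.33.5:137
2008-03-10 09:01:07 DROP tcp 10.0.0.5:445 -> 192.168.1.1:445
2008-03-10 09:01:08 DROP udp 10.0.0.77:137 -> 192.168.1.1:137
"""

# Hypothetical record layout; replace with the real firewall's format.
LOG_RE = re.compile(
    r"DROP (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

NETBIOS_UDP_PORTS = {137, 138}   # NetBIOS name service and datagram service
SITE_RANGE = ipaddress.ip_network("10.0.0.0/8")  # the site's own internal range


def parse_drops(text):
    """Yield one dict per DROP record that matches LOG_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def classify_destination(addr):
    """Bucket a destination: inside the site range, foreign RFC1918, public, or reserved."""
    ip = ipaddress.ip_address(addr)
    if ip in SITE_RANGE:
        return "site"
    if ip.is_private:
        return "private-foreign"   # RFC1918 space the site does not use
    if ip.is_global:
        return "public"
    return "reserved"


def triage(text, source_host):
    """Count NetBIOS UDP drops from source_host by destination class and by /24.

    Returns (by_class, by_subnet), both collections.Counter objects.
    """
    by_class = Counter()
    by_subnet = Counter()
    for rec in parse_drops(text):
        if rec["src"] != source_host or rec["proto"] != "udp":
            continue
        if rec["dport"] not in NETBIOS_UDP_PORTS:
            continue
        by_class[classify_destination(rec["dst"])] += 1
        subnet = ipaddress.ip_network(rec["dst"] + "/24", strict=False)
        by_subnet[str(subnet)] += 1
    return by_class, by_subnet


if __name__ == "__main__":
    classes, subnets = triage(SAMPLE_LOG, "10.0.0.5")
    print("by class :", dict(classes))
    print("by /24   :", dict(subnets.most_common()))
```

The per-/24 counts are the useful output: a handful of foreign private subnets with high counts points at unconfigured devices on those factory-default ranges, while a public destination with a steady trickle deserves its own look. Feeding the script a full day's log rather than the constructed sample is the only change needed once LOG_RE matches the real record format.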