LinuxQuestions.org
Old 08-12-2009, 03:26 PM   #1
A123
LQ Newbie
 
Registered: Jul 2009
Posts: 9

Rep: Reputation: 0
4 Printers attacking my PC


I have a dual-boot computer, XP / Mandriva (Linux), in a Windows network.

I noticed when I boot into Linux my firewall (shorewall) generates messages that it prevented 4 network printers from sending packets to my computer.

From the messages I counted I can say that the printers are sending 30 packets per second. Constantly. I talked to the IT manager about this; he said that the printers are scanning the network to find a host, and that these are multifunction printers and that's what they do.

Is there a way to prevent those printers from generating all that network noise?

Here's a sample of my firewall message:
Jul 28 15:31:25 localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:00:**:**:**:**:**:**:**:**:**:**:**:** SRC=192.168.0.5 DST=192.168.0.4 LEN=286 TOS=0x00 PREC=0x00 TTL=64 ID=756 PROTO=UDP SPT=1025 DPT=47197 LEN=266

I get about 20 megabytes a day of these messages.

Thanks
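As an added example (not code from the thread), the following Python script parses Shorewall log lines in the format quoted above and aggregates them per source host and protocol, which is how one would confirm the "30 packets per second" figure and estimate the daily log volume before deciding what to silence. The sample lines are constructed, patterned on the quoted one, with the MAC field left out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog timestamp, host, tag, then the Shorewall prefix "Shorewall:<chain>:<verdict>:"
# followed by the netfilter LOG target's key=value fields.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ Shorewall:([^:]+):(\w+):(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Parse one Shorewall log line; return None for lines that are not Shorewall hits."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, chain, verdict, rest = m.groups()
    kv = dict(KV_RE.findall(rest))  # the second LEN= (UDP length) overwrites the IP LEN=
    return {"time": datetime.strptime(ts, "%b %d %H:%M:%S"), "chain": chain,
            "verdict": verdict, "src": kv.get("SRC"), "proto": kv.get("PROTO"),
            "dpt": kv.get("DPT"), "line_bytes": len(line) + 1}

def summarize(lines):
    """Group hits by (source, protocol); estimate packet rate and daily log cost per group."""
    groups = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec:
            groups[(rec["src"], rec["proto"])].append(rec)
    report = []
    for (src, proto), recs in groups.items():
        times = [r["time"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        rate = len(recs) / max(span, 1.0)  # syslog has 1 s resolution; avoid dividing by 0
        avg_len = sum(r["line_bytes"] for r in recs) / len(recs)
        report.append({"src": src, "proto": proto, "packets": len(recs), "pps": rate,
                       "log_bytes_per_day": int(rate * avg_len * 86400),
                       "dports": sorted({r["dpt"] for r in recs})})
    return sorted(report, key=lambda r: r["packets"], reverse=True)

def _mk(ts, src, dpt):
    # Constructed sample line, patterned on the one quoted in the first post.
    return (f"Jul 28 {ts} localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= "
            f"SRC={src} DST=192.168.0.4 LEN=286 TOS=0x00 PREC=0x00 TTL=64 ID=756 "
            f"PROTO=UDP SPT=1025 DPT={dpt} LEN=266")

SAMPLE = [_mk("15:31:25", "192.168.0.5", 47197), _mk("15:31:25", "192.168.0.5", 47198),
          _mk("15:31:26", "192.168.0.5", 47199), _mk("15:31:26", "192.168.0.5", 47200),
          _mk("15:31:25", "192.168.0.6", 47197),
          "Jul 28 15:31:26 localhost kernel: unrelated message"]  # ignored by the parser

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run it against a copy of /var/log/messages (or wherever klogd writes) to get the real per-printer rates; sources that should be silenced rather than logged are the ones whose projected daily volume dominates.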
 
Old 08-12-2009, 03:36 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
It's really not necessary to obfuscate the MAC address that way...

I find it odd that the printers are sending udp packets directly to you, rather than to a broadcast (.255) address.

Anyway, you could configure shorewall to silently DROP packets from those printers (i.e. specify them by IP). I haven't used shorewall, but currently it is hitting the LOG target and then the DROP target.
 
Old 08-18-2009, 08:10 AM   #3
A123
LQ Newbie
 
Registered: Jul 2009
Posts: 9

Original Poster
Rep: Reputation: 0
Thank you. The network noise still remains.
 
Old 08-18-2009, 11:27 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Post the output of # iptables -nvL

Please put the output in code tags so that we can read it.
 
Old 08-19-2009, 09:25 AM   #5
A123
LQ Newbie
 
Registered: Jul 2009
Posts: 9

Original Poster
Rep: Reputation: 0
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2473  936K Ifw        all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  797  135K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 net2fw     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
 1846  888K net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
  632 52167 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
 1113  137K fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
  632 52167 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain Drop (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  741  132K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */ 
  741  132K dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */ 
  142 39896 dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 /* SMB */ 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 /* UPnP */ 
   12   576 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 /* Late DNS Replies */ 

Chain Ifw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set ifw_wl src 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           set ifw_bl src 
    0     0 IFWLOG     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW psd weight-threshold: 10 delay-threshold: 10000 lo-ports-weight: 2 hi-ports-weight: 1 IFWLOG prefix 'SCAN' 

Chain Reject (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */ 
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */ 
    0     0 dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445 /* SMB */ 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 /* SMB */ 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 /* SMB */ 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 /* UPnP */ 
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 /* Late DNS Replies */ 

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  437 45210 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST 
  162 46469 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 

Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain fw2net (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  845  108K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  268 29029 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1105  756K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  741  132K Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  142 39896 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:' 
  142 39896 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject (9 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match src-type BROADCAST 
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match src-type BROADCAST LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match src-type BROADCAST 
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
 
Old 08-19-2009, 10:51 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Well, something like this would do it:
Code:
# iptables -I INPUT 1 -p udp -s 192.168.50.1 -j DROP
# iptables -I INPUT 2 -p udp -s 192.168.50.2 -j DROP
(where 192.168.50.1, .2 are the offending printers)

Not a very elegant approach, but the point is it will drop the packets before they reach a LOG target later in your ruleset.

Another issue is I don't know shorewall, so I'm not sure how you can save these custom rules.

Last edited by anomie; 08-19-2009 at 10:53 AM.
 
Old 08-19-2009, 02:13 PM   #7
chris71mach1
LQ Newbie
 
Registered: Apr 2005
Location: DFW
Distribution: Debian
Posts: 21

Rep: Reputation: 1
There's a really good chance that what you're seeing is ARP traffic. Most (if not all) Ethernet devices generate this traffic, and it's not malicious at all (hell, to you and me, it's pretty much meaningless). I really wouldn't worry about any of this, as it's perfectly normal.
 
Old 08-19-2009, 02:41 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
His complaint is that the logging of these udp packets is overwhelming his log files.
 