[PLUG] Adaptive firewall considerations

Terry Griffin griffint at pobox.com
Thu Mar 31 22:55:27 UTC 2005


Hi all,

I'm toying around with some adaptive firewall ideas. In looking at the 
iptables logs and deciding what patterns might be worth adapting to, I've 
noticed that most of the hits coming from the outside are on TCP ports
135 and 445 (Windows RPC and DS respectively). Sometimes these hits come 
in big bunches, obvious attempts by a Win32-based worm to spread itself. 
But most of the time it's just a slow trickle.

So here's my question, and I guess it's more of a Windows question than
a Linux question, but trust me that the firewall runs Linux.

To what degree would a normally configured or typically misconfigured but 
*uninfected* Windows box try to connect to other random hosts on ports 
135 or 445? Is there some level of normal Windows chat, or does *any* 
attempt to connect to our IP addresses from the outside on these ports 
indicate malicious intent?

If there is some normal level of chatter then I assume it would be limited 
to the immediate network on which the Windows box resides such that it 
might be normal to see this trickle of hits from the neighbors on our 
ISP's network, but hits to these ports from hosts in China would clearly 
be malicious. Yes? No?

Thanks,
Terry
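As an added example (not part of Terry's post or anything else in the PLUG thread), here is a Python sketch of the log triage the post describes: it parses iptables LOG lines, groups TCP attempts to ports 135 and 445 by source address, separates a worm-style burst from the slow trickle, and treats a trickle from inside an assumed ISP prefix differently from one arriving from a distant network. LOCAL_NET, the burst thresholds, the addresses and the log lines themselves are all assumptions constructed for the example (the addresses are documentation ranges, not real hosts).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed parameters (not from the post): the prefix our ISP put us on, the
# ports the post is seeing, and what counts as a "big bunch" versus a trickle.
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")
WATCH_PORTS = {135, 445}        # Windows RPC and SMB/DS, as in the post
BURST_THRESHOLD = 5             # this many hits from one source ...
BURST_WINDOW_SECONDS = 60       # ... inside this many seconds is a burst

KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def _kernel_line(stamp, src, dst, dpt):
    """Build a line in the format the iptables LOG target writes to syslog."""
    return (f"{stamp} fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=100 DF PROTO=TCP "
            f"SPT=3000 DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")


# Constructed sample log: one distant burst, one distant single hit, a slow
# trickle from a neighbour on our own prefix, plus lines that must be ignored.
SAMPLE_LOG = "\n".join([
    _kernel_line("Mar 31 22:10:05", "203.0.113.200", "203.0.113.10", 445),
    _kernel_line("Mar 31 22:40:01", "198.51.100.7", "203.0.113.10", 445),
    _kernel_line("Mar 31 22:40:02", "198.51.100.7", "203.0.113.11", 445),
    _kernel_line("Mar 31 22:40:02", "198.51.100.7", "203.0.113.12", 135),
    _kernel_line("Mar 31 22:40:03", "198.51.100.7", "203.0.113.13", 135),
    _kernel_line("Mar 31 22:40:05", "198.51.100.7", "203.0.113.14", 135),
    "Mar 31 22:41:00 fw kernel: eth0: link up",
    "Mar 31 22:41:30 fw sshd[1234]: Accepted publickey for terry from 203.0.113.9",
    _kernel_line("Mar 31 22:45:10", "192.0.2.99", "203.0.113.10", 80),
    _kernel_line("Mar 31 22:50:30", "203.0.113.200", "203.0.113.10", 445),
    _kernel_line("Mar 31 22:55:27", "192.0.2.55", "203.0.113.10", 445),
])


def parse_line(line):
    """Return (timestamp, fields) for an iptables LOG line, or None for anything else."""
    marker = line.find("kernel: ")
    if marker < 0 or "SRC=" not in line:
        return None
    # syslog timestamps carry no year; a 1900 default is fine for time deltas
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    fields = dict(KV_RE.findall(line[marker:]))
    return stamp, fields


def collect_hits(log_text):
    """Group timestamps of TCP attempts to the watched ports by source address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, f = parsed
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        if int(f["DPT"]) in WATCH_PORTS:
            hits[f["SRC"]].append(stamp)
    return hits


def is_burst(timestamps):
    """True if BURST_THRESHOLD hits fall inside any BURST_WINDOW_SECONDS window."""
    ts = sorted(timestamps)
    for i in range(len(ts) - BURST_THRESHOLD + 1):
        if (ts[i + BURST_THRESHOLD - 1] - ts[i]).total_seconds() <= BURST_WINDOW_SECONDS:
            return True
    return False


def classify(hits):
    """Decide per source: 'block' now, or 'watch' (log only) for neighbourly chatter."""
    verdicts = {}
    for src, stamps in hits.items():
        local = ipaddress.ip_address(src) in LOCAL_NET
        if is_burst(stamps):
            verdicts[src] = "block"    # worm-style spray, wherever it comes from
        elif local:
            verdicts[src] = "watch"    # trickle from our own ISP prefix: plausibly a chatty neighbour
        else:
            verdicts[src] = "block"    # distant host poking 135/445: nothing legitimate does that
    return verdicts


def block_rules(verdicts):
    """The iptables commands an adaptive script would apply for each 'block' verdict."""
    return [f"iptables -I INPUT -s {src} -p tcp -m multiport --dports 135,445 -j DROP"
            for src, verdict in sorted(verdicts.items()) if verdict == "block"]


if __name__ == "__main__":
    verdicts = classify(collect_hits(SAMPLE_LOG))
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:16} {verdict}")
    print("\n".join(block_rules(verdicts)))
```

The neighbour trickle is deliberately left as "watch" rather than either blocked or whitelisted, since the post's question about whether that chatter is normal is exactly the open point; the thresholds are the knobs to tune against a week of real logs before letting the script insert rules on its own. The generated rules are per-source DROPs on just the two ports, so a false positive costs a neighbour nothing they could legitimately have been doing across the ISP network anyway.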


