Ian Hunter
2002-Dec-11 20:49 UTC
[Shorewall-users] RFC 1918 log output looks like I'm scanning!
I found the following in my /var/log/messages file:

Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61217 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.244 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=53783 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]
Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61219 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.249 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=55831 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]
Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61221 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.251 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=57111 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]
Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61223 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.255 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=58903 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]

This appears to be shorewall dropping inbound traffic from 10.75.48.1 (which it should), but it seems to have something to do with traffic from 66.149.18.173 (which is ME) outbound to 68.4.240.xxx where the xxx seems to be some kind of scan. Couple that with the mention of port 137, and I'm concerned that something has gotten onto my 192.168.1.20 box that is scanning and attempting to report the results.

Am I going cuckoo here or does this look that bad?
Tom Eastep
2002-Dec-11 20:52 UTC
[Shorewall-users] RFC 1918 log output looks like I'm scanning!
--On Wednesday, December 11, 2002 03:49:44 PM -0500 Ian Hunter <ihunter@hunterweb.net> wrote:

> I found the following in my /var/log/messages file:
>
> This appears to be shorewall dropping inbound traffic from 10.75.48.1
> (which it should), but it seems to have something to do with traffic from
> 66.149.18.173 (which is ME) outbound to 68.4.240.xxx where the xxx seems
> to be some kind of scan. Couple that with the mention of port 137, and
> I'm concerned that something has gotten onto my 192.168.1.20 box that is
> scanning and attempting to report the results.
>
> Am I going cuckoo here or does this look that bad?
>

Please read FAQ# 21

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2002-Dec-11 21:13 UTC
[Shorewall-users] RFC 1918 log output looks like I'm scanning!
--On Wednesday, December 11, 2002 12:52:57 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> Please read FAQ# 21
>

Additionally, all of the outbound packets seem to have the same source port so you can run netstat on that box and see who has that port open.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
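An added example, not part of the thread: a small Python parser (mine, not Shorewall's) for the lines Ian posted. It splits each netfilter log entry into the outer header and the trigger header echoed in square brackets, so the sender of the ICMP errors (the router at 10.75.48.1) is kept apart from the host whose traffic provoked them, and it checks Tom's observation that the provoking packets all share one source port. Field names are those in the posted lines; the overall layout is assumed to be the standard netfilter LOG format.

```python
import re

# The four netfilter log lines quoted in Ian's post: ICMP type 3 code 1 (host
# unreachable) from 10.75.48.1, each echoing the outbound UDP/137 packet's header.
SAMPLE_LOG = """\
Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61217 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.244 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=53783 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]
Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61219 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.249 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=55831 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]
Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61221 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.251 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=57111 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]
Dec 11 10:47:35 lucy kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT=eth0 SRC=10.75.48.1 DST=192.168.1.20 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=61223 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.149.18.173 DST=68.4.240.255 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=58903 PROTO=UDP SPT=1025 DPT=137 LEN=58 ]
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one Shorewall/netfilter log line into the outer header and,
    for ICMP errors, the echoed header of the packet that triggered it."""
    m = re.search(r"Shorewall:(\w+):(\w+):(.*)", line)
    if not m:
        return None
    chain, action, rest = m.groups()
    outer_txt, _, inner_txt = rest.partition("[")
    return {"chain": chain, "action": action,
            "outer": dict(FIELD_RE.findall(outer_txt)),
            "inner": dict(FIELD_RE.findall(inner_txt)) or None}


def triage(log_text):
    """Separate who sent the dropped ICMP (outer SRC) from whose traffic provoked it."""
    seen = {"icmp_responders": set(), "originators": set(), "targets": set(),
            "source_ports": set(), "dest_ports": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # keep only ICMP Destination Unreachable that echoes a trigger header
        if (not rec or rec["outer"].get("PROTO") != "ICMP"
                or rec["outer"].get("TYPE") != "3" or not rec["inner"]):
            continue
        inner = rec["inner"]
        seen["icmp_responders"].add(rec["outer"]["SRC"])
        seen["originators"].add(inner["SRC"])
        seen["targets"].add(inner["DST"])
        seen["source_ports"].add(inner.get("SPT"))
        seen["dest_ports"].add(inner.get("DPT"))
    out = {k: sorted(v, key=str) for k, v in seen.items()}
    # one source port across many targets means one socket, i.e. one process
    out["single_source_port"] = len(seen["source_ports"]) == 1
    return out


print(triage(SAMPLE_LOG))
```

For the posted lines the summary names 10.75.48.1 only as the ICMP responder, 66.149.18.173 as the originator of UDP 1025 to port 137 at four hosts, and flags the single source port that netstat on the 192.168.1.20 box can map to a process.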
Tom Eastep
2002-Dec-11 21:22 UTC
[Shorewall-users] RFC 1918 log output looks like I'm scanning!
--On Wednesday, December 11, 2002 01:13:44 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Wednesday, December 11, 2002 12:52:57 PM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
>>
>> Please read FAQ# 21
>>
>
> Additionally, all of the outbound packets seem to have the same source
> port so you can run netstat on that box and see who has that port open.
>

Sorry to keep responding to my own posts but this is a stream of consciousness thing as I'm trying to think about this problem and work my day job at the same time.

You can kill these at the source by simply adding these rules:

    REJECT    loc    net    tcp    137,139,445
    REJECT    loc    net    udp    137:139

Those will prevent the original outbound requests from traversing your firewall in the first place.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net