What is the firewall-cmd to configure iptables to drop NetBIOS broadcasts?

David Tonhofer asked:

I have a CentOS 7 server in a LAN together with Windows machines.

I have switched on logging in iptables of “to-be-rejected” or “to-be-dropped” packets using

firewall-cmd --set-log-denied=all

This adds the appropriate iptables logging rules. For example, at the end of the FORWARD chain:

LOG        all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

However, now the kernel log (or rather the journal) logs lots of packets from the assorted Windows machines getting rejected, more precisely NetBIOS broadcasts (UDP to port 137 and 138 on the subnet broadcast address) that no service on the Linux box is interested in.

I want to just drop these packets without further ado even before they are logged.

FINAL_REJECT: IN=ens160 OUT= MAC=ff:ff:ff:ff:ff:ff:XX:XX:XX:XX:XX:XX:08:00 SRC=10.10.2.74 DST=10.10.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32306 PROTO=UDP SPT=137 DPT=137 LEN=58

What is the firewall-cmd to do this properly?

My answer:


Rather than logging every dropped packet, you can configure firewalld not to log broadcast or multicast packets such as the one you’ve given as an example in your question.

To do this, use --set-log-denied=unicast.

firewall-cmd --set-log-denied=unicast

Now the logs will only contain denied traffic that was directed toward your host.

From the man page:

–set-log-denied=value
Add logging rules right before reject and drop rules in the INPUT,
FORWARD and OUTPUT chains for the default rules and also final
reject and drop rules in zones for the configured link-layer packet
type. The possible values are: all, unicast, broadcast, multicast
and off. The default setting is off, which disables the logging.

This is a runtime and permanent change and will also reload the
firewall to be able to add the logging rules.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.