Even though I connect to the internet via an Apple Extreme Base Station, I still have the firewall enabled on all my machines. On my Macs, I also block UDP traffic and I enable the stealth mode.

So I was interested in this review by Ars Technica of Norton Confidential for Mac OS X. The product looks interesting, but I was most interested in this:

Eventually I inquired with my apartment-mate about whether something in our apartment was portscanning periodically, and he said that he was unaware of anything that might be doing that. But as it turned out, the IP of the blocked portscan, according to NCO, matched up with the internal IP of our brand new Airport Extreme base station. Why does the AEBS need to be portscanning every so often?

It seems that the Base Station is scanning ports on the internal network on a regular basis. I checked the firewall logs on my Mac and came across the following entries:

Apr 30 07:19:13 Francois-MacPro ipfw: 35000 Deny UDP in via en0
Apr 30 07:31:13 Francois-MacPro ipfw: 35000 Deny UDP in via en0
Apr 30 07:43:13 Francois-MacPro ipfw: 35000 Deny UDP in via en0

These scans happen every day with no real order; sometimes it is just a single ping, and sometimes it is more than one in quick succession, as above.

Port 138 is reserved for the NetBIOS Datagram Service, as we can see from the /etc/services file on my Linux machine:

netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp

I suspect that this is related to the fact that the new Base Station can share discs attached to it with Windows machines, but I am still curious as to why these scans are happening when I have no discs attached to the Base Station and Windows File Sharing is not enabled.
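One way to check what such ipfw deny entries show, as an added example that is not part of the original post: group the denied packets by source, then compare how many destination ports each source touched with the gaps between its packets. The addresses and ports in the sample are constructed (the post's log lines do not include them), and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Timestamps of the first three lines come from the post;
# every address and port is a placeholder, because the post's lines lack them.
SAMPLE_LOG = """\
Apr 30 07:19:13 Francois-MacPro ipfw: 35000 Deny UDP 10.0.1.1:138 10.0.1.255:138 in via en0
Apr 30 07:31:13 Francois-MacPro ipfw: 35000 Deny UDP 10.0.1.1:138 10.0.1.255:138 in via en0
Apr 30 07:43:13 Francois-MacPro ipfw: 35000 Deny UDP 10.0.1.1:138 10.0.1.255:138 in via en0
Apr 30 07:50:02 Francois-MacPro ipfw: 35000 Deny UDP 10.0.1.9:40000 10.0.1.20:135 in via en0
Apr 30 07:50:02 Francois-MacPro ipfw: 35000 Deny UDP 10.0.1.9:40000 10.0.1.20:137 in via en0
Apr 30 07:50:03 Francois-MacPro ipfw: 35000 Deny UDP 10.0.1.9:40000 10.0.1.20:139 in via en0
Apr 30 07:50:03 Francois-MacPro ipfw: 35000 Deny UDP 10.0.1.9:40000 10.0.1.20:445 in via en0
"""

ASSUMED_YEAR = 2000  # syslog lines carry no year; any fixed year works for deltas
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ipfw: \d+ Deny \w+ "
    r"(?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+) in via \S+")

def parse(log):
    """Yield (source IP, destination port, timestamp) per ipfw deny line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield m["src"], int(m["dport"]), ts

def classify(log, scan_ports=4, jitter=5):
    """Per source: ports hit, gaps in seconds, and a rough verdict."""
    by_src = defaultdict(list)
    for src, dport, ts in parse(log):
        by_src[src].append((ts, dport))
    report = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = sorted({p for _, p in hits})
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
        if len(ports) >= scan_ports:      # many ports from one source
            verdict = "scan-like"
        elif len(ports) == 1 and gaps and max(gaps) - min(gaps) <= jitter:
            verdict = "periodic single-port"   # same port at a steady interval
        else:
            verdict = "unclassified"
        report[src] = {"ports": ports, "gaps": gaps, "verdict": verdict}
    return report

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

On the three timestamps quoted in the post the gaps come out as 720 seconds each, which the classifier reports as a steady single-port pattern rather than a sweep across ports.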


