Incoming Connection to Windows File Sharing blocked

Hello. I'm new to Norton Firewall (and this forum) and can't find an answer to my question.


I have pretty much full "shields up" with Norton Firewall on my OS X computer, but the log shows a long string of the message above. The source IP address is my router, which at one level makes sense. They are UDP packets being sent to 137/138. The Mac is not listening on those ports because WFS is turned off (and I confirmed this both in Norton and with lsof).


What I don't understand is how someone from outside my network could possibly be addressing my laptop successfully from the router and getting it to forward the packet to me. It is a WNR1000v2 supplied to me by Comcast, and I've set up all the obvious stuff like MAC lists, etc. What it apparently doesn't do is allow me to stop the 137/138 traffic at the router, which, actually, I'm not worried about. What I'm trying to learn is how someone is able to address my laptop (it's a completely flattened Mac with pretty much everything turned off on it and no data) from the outside.


Any thoughts or suggestions welcomed.

allcaps:


Please attach a screenprint or two showing what you are seeing.  If you click on an entry in history and go to more details, that could be helpful as well.


Instructions here:


http://community.norton.com/t5/Forum-Feedback/Forum-Tip-How-to-post-screenshots-in-the-forum/td-p/254415


Since you are using a router, your IP address should not be visible to the internet, which would indicate that it is your router checking to see if the service is required.  If you don't have file sharing enabled on your machine, it will be blocked.  It is difficult to specify what is happening or why without more details on your settings.


allcaps wrote:

What I don't understand is how someone from outside my network could possibly be addressing my laptop successfully from the router and getting it to forward the packet to me. What I'm trying to learn is how someone is able to address my laptop (it's a completely flattened Mac with pretty much everything turned off on it and no data) from the outside.


The answer is: they can't.  The router will block any unsolicited traffic from the internet.  Your computer would need to initiate the connection so that the router would know where to direct the incoming traffic, otherwise the packets are simply dropped and cannot get through.  This is probably originating with something on your LAN that is broadcasting.

When you configured your firewall, which configuration did you choose? This will be displayed in the Norton Firewall application, next to "Current settings:". If you are at home, behind a home router that has a built-in firewall, you should be using "Home". This will protect you from outside threats that come in through the router (for applications that have opened holes in the router's firewall, like iChat and others do) but will allow connections that originate on your home network.


This is the recommended setting for people who have a home network setup, and it will probably eliminate the problem you are seeing.
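The reply above rests on how a home router's NAT keeps state. The following toy model, added here as an example and not code from Norton or the router vendor, shows the three cases it distinguishes: an outbound packet from the LAN creates a translation entry, an inbound packet is forwarded only when it answers that entry (or hits an explicit forward rule such as the "hole" an application like iChat opens), and anything else is dropped. All addresses, ports and the forward rule are constructed.

```python
"""Toy model of stateful NAT: outbound LAN traffic creates state, inbound
traffic is translated only when it matches that state or an explicit port
forward, and everything else is dropped. Added example; every address, port
and forward rule below is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    wan_ip: str                                   # constructed public address
    lan_prefix: str = "192.168.1."                # constructed LAN
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    next_port: int = 40000
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def _find_mapping(self, pkt: Packet) -> Optional[tuple]:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for key, entry in self.table.items():
            if key[0] == pkt.proto and entry == flow:
                return key
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: allocate a WAN port once per flow, rewrite the source."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound() expects a LAN source")
        key = self._find_mapping(pkt)
        if key is None:
            key = (pkt.proto, self.next_port)
            self.next_port += 1
            self.table[key] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.wan_ip, key[1], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> LAN: honour an explicit forward, translate a reply to a
        recorded flow, and drop everything else (returned as None)."""
        key = (pkt.proto, pkt.dst_port)
        if key in self.forwards:                 # an application opened a hole
            lan_ip, lan_port = self.forwards[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        entry = self.table.get(key)
        if entry is None:
            return None                          # unsolicited: no state, dropped
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                          # not the peer the LAN host talked to
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def scenario() -> dict:
    """Run the cases the reply distinguishes; None means the router dropped it."""
    router = NatRouter(wan_ip="203.0.113.5",
                       forwards={("tcp", 5190): ("192.168.1.20", 5190)})  # constructed hole
    mac = "192.168.1.20"
    # 1. An internet host probes UDP 137 on the public address: no state, dropped.
    probe = Packet("udp", "198.51.100.9", 137, router.wan_ip, 137)
    # 2. The Mac queries a DNS server; the server's answer matches the recorded flow.
    query = router.outbound(Packet("udp", mac, 50123, "198.51.100.53", 53))
    reply = Packet("udp", "198.51.100.53", 53, router.wan_ip, query.src_port)
    # 3. A different host answers on the same WAN port: wrong peer, dropped.
    spoof = Packet("udp", "198.51.100.9", 53, router.wan_ip, query.src_port)
    # 4. Traffic to the forwarded port reaches the Mac although it is unsolicited.
    forwarded = Packet("tcp", "198.51.100.9", 41234, router.wan_ip, 5190)
    return {
        "probe": router.inbound(probe),
        "reply": router.inbound(reply),
        "spoof": router.inbound(spoof),
        "forwarded": router.inbound(forwarded),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:9s} -> {'dropped' if result is None else result}")
```

The "forwarded" case is the one the reply warns about: a port forward or a UPnP mapping is the only way an unsolicited packet from the internet arrives at a LAN host, which is why the "Home" profile still filters traffic arriving through the router while trusting connections that start on the LAN.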


9/6/11 10:02:24 AM    Firewall[60]    Stealth Mode connection attempt to UDP 192.168.1.xx:137 from 192.168.1.xxx:137
9/6/11 10:02:55 AM    Firewall[60]    Stealth Mode connection attempt to UDP 192.168.1.xx:137 from 192.168.1.xxx:137
9/6/11 7:45:32 PM    Firewall[56]    Stealth Mode connection attempt to UDP 192.168.1.xx:137 from 192.168.1.xxx:137
9/6/11 7:45:48 PM    Firewall[56]    Stealth Mode connection attempt to UDP 192.168.1.xx:137 from 192.168.1.xxx:137
9/6/11 7:46:09 PM    Firewall[56]    Stealth Mode connection attempt to UDP 192.168.1.xx:137 from 192.168.1.xxx:137
9/6/11 7:46:36 PM    Firewall[56]    Stealth Mode connection attempt to UDP 192.168.1.xx:137 from 192.168.1.xxx:137
9/6/11 7:47:07 PM    Firewall[56]    Stealth Mode connection attempt to UDP 192.168.1.xx:137 from 192.168.1.xxx:137


The above, I believe, is router-to-computer "hello, are you still there?" communication. This is taken from "All Messages" in Console.


Tue Sep  6 2011 19:45:43.388 MDT -Allw- local:62485 -> 192.168.1.xxx:137 (netbios-ns) udp4 ' (139)'
Tue Sep  6 2011 19:51:41.37  MDT -Allw- local:61663 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (157)' (Net_Bios:J. B's_Allowed)
Tue Sep  6 2011 19:51:41.880 MDT -Allw- local:55351 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (158)' (Net_Bios:J. B's_Allowed)
Tue Sep  6 2011 19:57:41.49  MDT -Allw- local:52802 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (165)' (Net_Bios:J. B's_Allowed)
Tue Sep  6 2011 19:57:41.319 MDT -Allw- local:52802 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (165)' (Net_Bios:J. B's_Allowed)
Tue Sep  6 2011 19:57:41.590 MDT -Allw- local:52802 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (165)' (Net_Bios:J. B's_Allowed)
Tue Sep  6 2011 19:57:41.890 MDT -Allw- local:59251 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (166)' (Net_Bios:J. B's_Allowed)
Tue Sep  6 2011 20:03:41.31  MDT -Allw- local:60477 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (190)' (Net_Bios:J. B's_Allowed)
Tue Sep  6 2011 20:03:41.872 MDT -Allw- local:58240 -> 192.168.1.xxx:137 (netbios-ns) udp4 'nmblookup (191)' (Net_Bios:J. B's_Allowed)

This is from my third-party firewall logs. No file sharing enabled. This is the one that needs a clear professional explanation, IMO. For example, is this strictly LAN communication?

These messages are coming from the Apple built-in firewall, not from our firewall.


These messages are basically as you described. Windows machines are pretty chatty, and they announce their file sharing presence on the network using broadcast packets. I bet the XX is 255 or something close, which indicates the broadcast IP address. This is how other machines on the network know which machines are running Windows File Sharing. (Mac OS X uses "Bonjour" for this functionality, which is much less chatty because it uses multicast.) All machines on the network will receive these broadcast packets regardless of whether they want to or not.


This traffic should be ignored automatically by the Norton firewall. The "Always allow broadcast and multicast traffic" option in the Firewall's Advanced Settings window controls this.
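The two explanations in this thread (the router as source in the original question, and NetBIOS broadcasts to the .255 address in the last reply) can be checked against a log mechanically. The script below, added here as an example and not Apple or Norton code, parses lines in the Console "Stealth Mode" format shown above, classifies each by where it came from and where it was going, and keeps only what is not ordinary LAN NetBIOS chatter. It assumes the LAN is 192.168.1.0/24 with the router at 192.168.1.1; because the posted lines mask the last octet, the sample lines' addresses are constructed.

```python
"""Classify Apple application-firewall 'Stealth Mode' log lines so LAN NetBIOS
broadcasts and router-originated packets fall into their own buckets and only
genuinely unexplained traffic is left over. Added example; the subnet, router
address and sample log lines are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")        # assumed subnet
ROUTER = ipaddress.ip_address("192.168.1.1")        # assumed router address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Same layout as the Console excerpt in the thread; addresses are constructed.
SAMPLE_LOG = """\
9/6/11 10:02:24 AM    Firewall[60]    Stealth Mode connection attempt to UDP 192.168.1.255:137 from 192.168.1.23:137
9/6/11 10:02:55 AM    Firewall[60]    Stealth Mode connection attempt to UDP 192.168.1.255:138 from 192.168.1.23:138
9/6/11 7:45:32 PM    Firewall[56]    Stealth Mode connection attempt to UDP 192.168.1.50:137 from 192.168.1.1:137
9/6/11 7:45:48 PM    Firewall[56]    Stealth Mode connection attempt to UDP 192.168.1.50:137 from 198.51.100.9:137
9/6/11 7:46:09 PM    Firewall[56]    Stealth Mode connection attempt to TCP 192.168.1.50:22 from 192.168.1.40:55200
"""

LINE_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)


def classify(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines in another format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst == LAN.broadcast_address:
        origin = "lan-broadcast"     # every host on the segment receives it
    elif src == ROUTER and dst in LAN:
        origin = "router-unicast"    # the original poster's case
    elif src in LAN and dst in LAN:
        origin = "lan-unicast"       # another LAN host addressed this machine
    elif any(src in net for net in RFC1918):
        origin = "other-private"     # private but not our subnet: check routing/VPN
    else:
        origin = "external"          # only reachable through a forwarded port
    return {
        "proto": m["proto"], "src": str(src), "dst": str(dst), "dport": dport,
        "service": NETBIOS_PORTS.get(dport, "other"), "origin": origin,
    }


def summarize(log: str) -> Counter:
    """Count (origin, service) pairs so the noise collapses into a few buckets."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = classify(line)
        if rec:
            counts[(rec["origin"], rec["service"])] += 1
    return counts


def needs_attention(log: str) -> list:
    """Keep only records that are not NetBIOS traffic from inside the LAN."""
    lan_origins = {"lan-broadcast", "router-unicast", "lan-unicast"}
    return [rec for rec in map(classify, log.splitlines())
            if rec and not (rec["service"] != "other" and rec["origin"] in lan_origins)]


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {bucket[0]:15s} {bucket[1]}")
    for rec in needs_attention(SAMPLE_LOG):
        print("look at:", rec)
```

Run against a real Console export, the "external" bucket is the one that would contradict the NAT explanation and deserves a look at the router's port-forwarding and UPnP settings; the "router-unicast" and "lan-broadcast" buckets are the noise this thread is about. To confirm locally that nothing is listening on the NetBIOS ports, as the original poster did, `lsof -nP -iUDP:137` and `lsof -nP -iUDP:138` should print nothing.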