As we are forced to use some Win apps in our firm, we decided to buy Parallels for a try from one of the resellers in Poland, and I must say I am impressed, as it works just fine (after the upgrade to 5604, as we were hit by the blinking problem). I see only one problem here. When looking at the firewall log from our company server I can see a large flood of UDP access to port 137. This is not a big problem, but we cannot unblock it as it comes with a funky MAC address:

    Shorewall:eth1_mac:REJECT:IN=eth1 OUT= MAC=00:15:17:3e:20:d7:00:17:f2:c5:50:18:08:00 SRC=10.211.55.2 DST=192.168.10.1 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=54510 PROTO=UDP SPT=137 DPT=137 LEN=76

192.168.10.1 is our server address and 10.211.55.2 is the address of one of the Parallels network interfaces that the installation creates, but what is '00:15:17:3e:20:d7:00:17:f2:c5:50:18:08:00'? This is definitely not a valid MAC. The machine has its network set up as bridge, as we need direct access to the 192.168.10.X subnet from the guest OS.
This is not the point here, as I already know what works on that port and we use it in the firm. The problem is the MAC address reported by this interface: '00:15:17:3e:20:d7:00:17:f2:c5:50:18:08:00'. A normal MAC should be 48 bits wide, and this one is bigger and not accepted by the firewall to unblock. At first I thought it was because MacOS uses IPv6 (in Poland we still use IPv4), but I disabled it for all interfaces on this machine and I can still see this message in the logs.
I disabled IPv6 for all interfaces present in the prefpane. Also, I cannot see any device with this MAC addr in ifconfig:

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0<> mtu 1280
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.10.64 netmask 0xffffff00 broadcast 192.168.10.255
        ether 00:17:f2:c5:50:18
        media: autoselect (100baseTX <full-duplex,flow-control>) status: active
        supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
    fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2030
        lladdr 00:17:f2:ff:fe:84:81:02
        media: autoselect <full-duplex> status: inactive
        supported media: autoselect <full-duplex>
    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 169.254.44.169 netmask 0xffff0000 broadcast 169.254.255.255
        ether 00:17:f2:ee:61:31
        media: autoselect status: active
        supported media: autoselect
    en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
        ether 00:1c:42:00:00:00
        media: autoselect status: active
        supported media: autoselect
    en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
        ether 00:1c:42:00:00:01
        media: autoselect status: active
        supported media: autoselect
Well, I see something over here for now:

1. NETBIOS traffic does not need to be passed through the firewall, as NETBIOS is not routable, so you do not need to enable it.

2. The Shorewall message shows you the following: '00:15:17:3e:20:d7:00:17:f2:c5:50:18:08:00'

    Destination 00:15:17:3e:20:d7
    Source 00:17:f2:c5:50:18 - this is the MAC of en0 (00:17:f2:c5:50:18)
    Ethernet Frame Type = 08:00 (IP Version 4)
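
The breakdown in the reply above, as an added example that is not part of the original thread: a small Python parser that splits the MAC= field of a netfilter LOG line (as written by Shorewall) into destination MAC, source MAC and EtherType. The function name and the EtherType table are choices made for this example; the sample line is the one quoted in the first post.

```python
import re

# Sample input: the REJECT line quoted in the first post of this thread.
LOG_LINE = ("Shorewall:eth1_mac:REJECT:IN=eth1 OUT= "
            "MAC=00:15:17:3e:20:d7:00:17:f2:c5:50:18:08:00 "
            "SRC=10.211.55.2 DST=192.168.10.1 LEN=96 TOS=0x00 PREC=0x00 "
            "TTL=64 ID=54510 PROTO=UDP SPT=137 DPT=137 LEN=76")

# A few well-known EtherType values (table chosen for this example).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def split_mac_field(line):
    """Split the MAC= field of a netfilter LOG line.

    On Ethernet the field is the raw 14-byte link-layer header:
    6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType.
    Returns None when the field is missing or empty, and raises
    ValueError when it is not a 14-byte Ethernet header.
    """
    m = re.search(r"\bMAC=(\S*)", line)
    if not m or not m.group(1):
        return None
    octets = m.group(1).lower().split(":")
    if len(octets) != 14 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError("MAC= is not a 14-byte Ethernet header: " + m.group(1))
    ethertype = int(octets[12] + octets[13], 16)
    return {
        "dst_mac": ":".join(octets[:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def describe(line):
    """One-line summary pairing the logged source IP with the real source MAC."""
    hdr = split_mac_field(line)
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if hdr is None:
        return "SRC=%s (no link-layer header logged)" % fields.get("SRC", "?")
    return "SRC=%s sent by %s to %s, %s" % (
        fields.get("SRC", "?"), hdr["src_mac"], hdr["dst_mac"], hdr["ethertype_name"])


if __name__ == "__main__":
    print(describe(LOG_LINE))
```

For the logged line, the 48-bit source address to compare against ifconfig or a firewall MAC rule is the middle six octets, not the whole field.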