
Re: Firewall Question



On Tue, 05 Dec 2000, Adam Tauno Williams wrote:
> >This might be in the stupid question department:
> >Is it a good idea to tell ipchains to block the Windows Netbios
> >protocol from going out on the Internet?
> 
> My goodness YES!!!!!  Always, without exception, of course.

   I happened to download an ipchains firewall configuration utility this evening
called pmfirewall ( www.pmfirewall.org ). While I decided not to use it, it did
help me learn how to issue commands to ipchains for blocking the netbios
ports (using Bruce's examples as a reference point).

   ipchains -A input -p tcp -i ppp0 -s 192.168.1.0/24 137:139 -d 0.0.0.0/0 -b -j DENY

   ipchains -A input -p udp -i ppp0 -s 192.168.1.0/24 137:139 -d 0.0.0.0/0 -b -j DENY

   In testing on my home network, it is allowing the netbios traffic to flow
inside the network. I had goofed and ran this without the -i ppp0 option... Sure
enough, it killed ALL netbios traffic on my home network to/from my test
machine. <G>

   Hopefully this helps some newbies!

> >If so, then if I set up a VPN to do Windows shares, will I still be able
> >to via the VPN, or will I need to reopen the firewall to
> >Netbios traffic?
> 
> It depends how you block them.  Block them in and out on the "true" external
> interface's IP, and don't block them on the VPN endpoint's IP (you can think of a
> VPN connection like a PPP connection, only no modem, no line, etc... just two IP
> numbered endpoints).  If your VPN endpoint is not on your firewall, but an
> internal box (best scenario yet), you simply needn't worry because the "true"
> interface on the firewall will never know that those packets are smb/cifs
> because they're encapsulated in the VPN circuit.

   I hadn't thought of using a machine inside the firewall to do vpn.. I was
assuming one machine for both vpn & netbios... OK, got some more reading to
do... Hmmm... This is starting to sound like another future presentation coming
together here!

   Thanks Adam!

   Richard
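The message above shows why dropping the "-i ppp0" qualifier killed netbios traffic on the whole LAN. The following Python rule-matcher is an added example, not part of the original mail or of pmfirewall: it parses the subset of ipchains syntax used in the message (including "-b", which also tries the rule with source and destination swapped) and evaluates both rule variants against two constructed packets. The packet layout, the interface name "eth0" and the address 203.0.113.5 are assumptions made for the example.

```python
import ipaddress
import shlex

# The two ipchains rule variants from the message: with and without "-i ppp0".
RULE_WITH_IFACE = "ipchains -A input -p tcp -i ppp0 -s 192.168.1.0/24 137:139 -d 0.0.0.0/0 -b -j DENY"
RULE_NO_IFACE = "ipchains -A input -p tcp -s 192.168.1.0/24 137:139 -d 0.0.0.0/0 -b -j DENY"

def parse_rule(line):
    """Parse the subset of ipchains options used above into a dict."""
    toks = shlex.split(line)[1:]          # drop the "ipchains" command word
    rule = {"iface": None, "proto": None, "src": None, "sport": None,
            "dst": None, "dport": None, "bidir": False, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A": i += 2                      # chain name, not needed for matching
        elif t == "-p": rule["proto"] = toks[i + 1]; i += 2
        elif t == "-i": rule["iface"] = toks[i + 1]; i += 2
        elif t in ("-s", "-d"):
            side = "src" if t == "-s" else "dst"
            rule[side] = ipaddress.ip_network(toks[i + 1]); i += 2
            if i < len(toks) and not toks[i].startswith("-"):   # optional port or lo:hi range
                lo, _, hi = toks[i].partition(":")
                rule["sport" if side == "src" else "dport"] = (int(lo), int(hi or lo)); i += 1
        elif t == "-b": rule["bidir"] = True; i += 1
        elif t == "-j": rule["target"] = toks[i + 1]; i += 2
        else: raise ValueError("unsupported option: " + t)
    return rule

def _match_one_way(rule, pkt):
    in_range = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    return (rule["iface"] in (None, pkt["iface"]) and rule["proto"] in (None, pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and in_range(rule["sport"], pkt["sport"]) and in_range(rule["dport"], pkt["dport"]))

def verdict(rule_line, pkt):
    """Return the rule's target if the packet matches (with -b also tried swapped), else 'ACCEPT'."""
    rule = parse_rule(rule_line)
    if _match_one_way(rule, pkt): return rule["target"]
    if rule["bidir"]:
        swapped = dict(pkt, src=pkt["dst"], dst=pkt["src"], sport=pkt["dport"], dport=pkt["sport"])
        if _match_one_way(rule, swapped): return rule["target"]
    return "ACCEPT"   # no match: falls through to the chain's default, assumed ACCEPT here

# Constructed packets: an SMB reply between two LAN hosts arriving on eth0, and an
# unsolicited session attempt from the Internet towards a LAN file share arriving on ppp0.
PKT_LAN_TO_LAN = dict(iface="eth0", proto="tcp", src="192.168.1.10", sport=139, dst="192.168.1.20", dport=1026)
PKT_INTERNET_TO_LAN = dict(iface="ppp0", proto="tcp", src="203.0.113.5", sport=1025, dst="192.168.1.10", dport=139)

for name, rule in (("with -i ppp0", RULE_WITH_IFACE), ("without -i ppp0", RULE_NO_IFACE)):
    print(name, "LAN->LAN:", verdict(rule, PKT_LAN_TO_LAN), "Internet->LAN:", verdict(rule, PKT_INTERNET_TO_LAN))
```

The LAN-to-LAN packet is only denied by the variant without "-i ppp0", which is exactly the mistake reported above; the inbound attempt on ppp0 is denied by both variants because "-b" also applies the rule with the addresses and ports reversed.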