[ale] Firewalling question

Michael A. Smith masmith at bsat.com
Thu May 6 15:08:47 EDT 1999


Now that we know this, does anyone have a good ipfwadm or ipchains rule for
filtering this out?

> -----Original Message-----
> From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of UnderGrid Founder
> Sent: Thursday, May 06, 1999 1:13 PM
> To: Michael A. Smith
> Cc: jeff_hubbs at mcgraw-hill.com; 'Christopher R. McNabb'; 'Gary Maltzen'; 'ALE List'
> Subject: Re: [ale] Firewalling question
>
>
> 	On a cablemodem network any machine running Windows filesharing or
> Linux running Samba will get displayed on the "Network Neighborhood"...
> Although the smart Linux-admin would block those ports on their external
> interface going to the cablemodem network... That however will not stop the
> Windows machines on the cablemodem segment from attempting to probe the
> segment to locate other SMB/Samba machines... If you are firewalling the ports
> then you shouldn't show up on his "Network Neighborhood" since it doesn't get
> a reply back but his machine will probe it when it tries to update the
> network fileshare display... The Network Neighborhood will find what domain
> the SMB/Samba server is in and unless it is the same domain as your machine
> you would have to look under "Entire network" under Network Neighborhood
> which would/should list all known domains from its resulting probes...
>
> 	I've had the pleasure of playing with a Linux box with Samba on a
> cablemodem network and it is quite humorous as we supplied the provider with
> several inches of printouts of account passwords (including the provider's
> NT Administrator account password) from just a few hours of sniffing the
> cable modem segment just to prove how insecure it really was... 20 mile radius
> LAN on one segment... our provided proof made them re-think the arch design
> and segmented the network into smaller chunks...
>
> 	One has to remember that cablemodems are a shared medium just like
> Ethernet so any packet on that segment will be seen by all machines on that
> segment... Therefore firewalling your home LAN is vital for security and I
> would also recommend *NEVER* using telnet over a cablemodem connection as
> any joe-luser could sniff it...
>
> 	Respectfully,
> 	Jeremy T. Bouse
>
> Michael A. Smith decided to waste my bandwidth saying:
> > 	Cablevision actually does display machines in the "Network Neighborhood".
> > I don't know how they group machines into a network neighborhood because I
> > only have 10 but I know there are more than 10 people using Cablevision's
> > cable modems.  Once you click on a machine, you won't see any drives or
> > shared files (at least in NT or using Samba in Linux).  I would like to know
> > how they do this.  It appears to be secure but who knows.......
> >
> > > -----Original Message-----
> > > From: jeff_hubbs at mcgraw-hill.com [mailto:jeff_hubbs at mcgraw-hill.com]
> > > Sent: Thursday, May 06, 1999 9:39 AM
> > > To: masmith at bsat.com
> > > Cc: 'Christopher R. McNabb'; 'Gary Maltzen'; '"ALE List"'
> > > Subject: RE: [ale] Firewalling question
> > >
> > >
> > > I would hope that there would be a way to keep his machine(s) from
> > > showing up in Network Neighborhood on other machines in the first place;
> > > I figure his stuff would be harder to hack if you didn't know what the
> > > machines' names were.
> > >
> > > - Jeff
> > >
> > >
> > >
> > >
> > >
> > >
> > > "Michael A. Smith" <masmith at bsat.com> on 05/06/99 09:09:45 AM
> > >
> > > Please respond to masmith at bsat.com
> > >
> > > To:   "'Christopher R. McNabb'" <ilive at mindspring.com>, "'Gary Maltzen'" <maltzen at mm.com>
> > > cc:   "'\"ALE List\"'" <ale at ale.org> (bcc: Jeff Hubbs/Tower)
> > >
> > > Subject:  RE: [ale] Firewalling question
> > >
> > >
> > >
> > >
> > > I think that the udp ports listed are NETBIOS related leading me to
> > > believe that someone may be trying to connect to your machine possibly
> > > using Samba or clicking on your machine in Network Neighborhood on a
> > > windows machine.  The one thing good is that they are being denied thus
> > > your rule appears to be working...
> > >
> > > > -----Original Message-----
> > > > From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of
> > > > Christopher R. McNabb
> > > > Sent: Thursday, May 06, 1999 8:20 AM
> > > > To: Gary Maltzen
> > > > Cc: "ALE List"
> > > > Subject: Re: [ale] Firewalling question
> > > >
> > > >
> > > > That might be the case, Yes it is a cable modem, and lo and behold the
> > > > techsupport at Cablevision knows NOTHING!  Mention Linux and they tried
> > > > to get me off the phone saying unsupported. Bah!  Ah well, it's getting
> > > > denied, so I guess I'll just ignore it.
> > > >
> > > > Christopher R. McNabb
> > > > MindSpring Technical Support
> > > > ____________________________________________
> > > >
> > > > http://www.mindspring.net
> > > > http://help.mindspring.com
> > > > http://www.mindspring.net/~web
> > > > support at mindspring.com         800.719.4664
> > > > crmcnabb at mindspring.net
> > > > ____________________________________________
> > > >
> > > > *NOTE* ALL Requests for Technical Support
> > > > will be redirected to support at mindspring.com
> > > > ____________________________________________
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Gary Maltzen <maltzen at mm.com>
> > > > To: Christopher R. McNabb <ilive at mindspring.com>
> > > > Cc: "ALE List" <ale at ale.org>
> > > > Sent: Wednesday, May 05, 1999 5:08 PM
> > > > Subject: Re: [ale] Firewalling question
> > > >
> > > >
> > > > > Ports 137/138/139 are NetBIOS/SMB/Samba network requests.
> > > > >
> > > > > First guess: you've got a DSL or cable connection to the Internet,
> > > > > shared by other users who have chosen 192.168.1 for their private
> > > > > intranet as well - but they may not have firewalled their systems...
> > > > >
> > > > > -----Original Message-----
> > > > > From: Christopher R. McNabb <ilive at mindspring.com>
> > > > >
> > > > >
> > > > > I'm using SuSE 5.3 and have set up Firewalling and Masquerading.  All
> > > > > seems to work fine, but I'm seeing strange entries in my logs.
> > > > >
> > > > > May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:137 192.168.1.255:137 L=78 S=0x00 I=11008 F=0x0000 T=32
> > > > > May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=12032 F=0x0000 T=32
> > > > > May  2 09:19:38 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=13056 F=0x0000 T=32
> > > > > May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=244 S=0x00 I=13312 F=0x0000 T=32
> > > > > May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=14080 F=0x0000 T=32
> > > > > May  2 09:19:40 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=15104 F=0x0000 T=32
> > > > >
> > > > >
> > > > > This IP 192.168.1.2 does not exist on my network.  I also see other
> > > > > entries with other IP addresses.  This has started since I set the
> > > > > machine up, so I figure it is just a config setting somewhere.  Can
> > > > > anyone help me out here?  Port numbers are almost always 137 or 138,
> > > > > and occasionally 513.  Always UDP.
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
>
> --
> ,-----------------------------------------------------------------------------,
> | Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -  www.UnderGrid.net  |
> |     PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198 19D0593E50E597E9     |
> |         Public PGP key available via 'finger undrgrid at UnderGrid.net'        |
> | Jeremy.Bouse at UnderGrid.net  -  NIC Whois: JB5713  -  undrgrid at UnderGrid.net |
> |            /earth is 98% full ... please delete anyone you can.             |
> `-----------------------------------------------------------------------------'
>
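
Added example, not part of the original thread or any poster's configuration: one way to write the ipchains rules asked for above, dropping ports 137-139 on the external interface in both directions. The interface name eth0 is taken from the quoted logs; the function names and the APPLY, EXT_IF and LOG variables are hypothetical, and the script only prints the commands unless APPLY=1.

```shell
#!/bin/sh
# Added example: ipchains (Linux 2.2) rules that drop NetBIOS/SMB traffic on
# the interface facing the cable segment. Dry run by default: commands are
# printed; set APPLY=1 and run as root to install them.

NETBIOS_PORTS="137:139"   # name service, datagram service, session service

# run_rule (hypothetical helper): print the command, run it only if APPLY=1.
run_rule() {
    echo "ipchains $*"
    if [ "${APPLY:-0}" = "1" ]; then
        ipchains "$@"
    fi
}

# netbios_rules EXT_IF [log]  (hypothetical name)
#   EXT_IF  external interface; eth0 is assumed from the logs in the thread
#   log     optional: add -l so every match is written to the kernel log
netbios_rules() {
    ext_if="$1"
    log_flag=""
    if [ "${2:-}" = "log" ]; then log_flag="-l"; fi
    case "$ext_if" in
        ""|*[!A-Za-z0-9.:_-]*)
            echo "usage: netbios_rules EXT_IF [log]" >&2
            return 2 ;;
    esac
    for proto in udp tcp; do
        # Inbound probes and broadcasts: DENY drops without any reply, so
        # the host does not answer name queries from the shared segment.
        run_rule -I input 1 -i "$ext_if" -p "$proto" \
            -d 0.0.0.0/0 "$NETBIOS_PORTS" -j DENY $log_flag
        # Outbound: keep Samba's own announcements off the cable segment.
        run_rule -I output 1 -i "$ext_if" -p "$proto" \
            -d 0.0.0.0/0 "$NETBIOS_PORTS" -j DENY $log_flag
    done
}

netbios_rules "${EXT_IF:-eth0}" "${LOG:-}"
```

The rules are inserted at position 1 so they are evaluated before any ACCEPT rule already in the input or output chain.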





