[ale] Firewalling question

UnderGrid Founder undrgrid at undergrid.net
Thu May 6 13:12:49 EDT 1999


	On a cablemodem network any machine running Windows filesharing or
Linux running Samba will get displayed on the "Network Neighborhood"...
Although the smart Linux-admin would block those ports on their external
interface going to the cablemodem network... That however will not stop the
Windows machines on the cablemodem segment from attempting to probe the
segment to locate other SMB/Samba machines... If you are firewalling the ports
then you shouldn't show up on his "Network Neighborhood" since it doesn't get
a reply back but his machine will probe it when it tries to update the
network fileshare display... The Network Neighborhood will find what domain
the SMB/Samba server is in and unless it is the same domain as your machine
you would have to look under "Entire network" under Network Neighborhood
which would/should list all known domains from its resulting probes...

	I've had the pleasure of playing with a Linux box with Samba on a
cablemodem network and it is quite humorous as we supplied the provider with
several inches of printouts of account passwords (including the provider's
NT Administrator account password) from just a few hours of sniffing the
cable modem segment just to prove how insecure it really was... 20 mile radius
LAN on one segment... our provided proof made them re-think the arch design
and segmented the network into smaller chunks...

	One has to remember that cablemodems are a shared medium just like
Ethernet so any packet on that segment will be seen by all machines on that
segment... Therefore firewalling your home LAN is vital for security and I
would also recommend *NEVER* using telnet over a cablemodem connection as
any joe-luser could sniff it...

	Respectfully,
	Jeremy T. Bouse

Michael A. Smith decided to waste my bandwidth saying:
> 	Cablevision actually does display machines in the "Network Neighborhood".
> I don't know how they group machines into a network neighborhood because I
> only have 10 but I know there are more than 10 people using Cablevision's
> cable modems.  Once you click on a machine, you won't see any drives or
> shared files (at least in NT or using Samba in Linux).  I would like to know
> how they do this.  It appears to be secure but who knows.......
>
> > -----Original Message-----
> > From: jeff_hubbs at mcgraw-hill.com [mailto:jeff_hubbs at mcgraw-hill.com]
> > Sent: Thursday, May 06, 1999 9:39 AM
> > To: masmith at bsat.com
> > Cc: 'Christopher R. McNabb'; 'Gary Maltzen'; '"ALE List"'
> > Subject: RE: [ale] Firewalling question
> >
> >
> > I would hope that there would be a way to keep his machine(s) from showing up in
> > Network Neighborhood on other machines in the first place; I figure his stuff
> > would be harder to hack if you didn't know what the machines' names were.
> >
> > - Jeff
> >
> > "Michael A. Smith" <masmith at bsat.com> on 05/06/99 09:09:45 AM
> >
> > Please respond to masmith at bsat.com
> >
> > To:   "'Christopher R. McNabb'" <ilive at mindspring.com>,
> > "'Gary Maltzen'"
> >       <maltzen at mm.com>
> > cc:   "'\"ALE List\"'" <ale at ale.org> (bcc: Jeff Hubbs/Tower)
> >
> > Subject:  RE: [ale] Firewalling question
> >
> >
> >
> >
> > I think that the UDP ports listed are NetBIOS related, leading me to believe
> > that someone may be trying to connect to your machine, possibly using Samba or
> > clicking on your machine in Network Neighborhood on a Windows machine.  The
> > one good thing is that they are being denied, thus your rule appears to be
> > working...
> >
> > > -----Original Message-----
> > > From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of
> > > Christopher R. McNabb
> > > Sent: Thursday, May 06, 1999 8:20 AM
> > > To: Gary Maltzen
> > > Cc: "ALE List"
> > > Subject: Re: [ale] Firewalling question
> > >
> > >
> > > That might be the case, yes it is a cable modem, and lo and behold the
> > > techsupport at Cablevision knows NOTHING!  Mention Linux and they tried to
> > > get me off the phone saying unsupported. Bah!  Ah well, it's getting denied,
> > > so I guess I'll just ignore it.
> > >
> > > Christopher R. McNabb
> > > MindSpring Technical Support
> > > ____________________________________________
> > >
> > > http://www.mindspring.net
> > > http://help.mindspring.com
> > > http://www.mindspring.net/~web
> > > support at mindspring.com         800.719.4664
> > > crmcnabb at mindspring.net
> > > ____________________________________________
> > >
> > > *NOTE* ALL Requests for Technical Support
> > > will be redirected to support at mindspring.com
> > > ____________________________________________
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: Gary Maltzen <maltzen at mm.com>
> > > To: Christopher R. McNabb <ilive at mindspring.com>
> > > Cc: "ALE List" <ale at ale.org>
> > > Sent: Wednesday, May 05, 1999 5:08 PM
> > > Subject: Re: [ale] Firewalling question
> > >
> > >
> > > > Ports 137/138/139 are NetBIOS/SMB/Samba network requests.
> > > >
> > > > First guess: you've got a DSL or cable connection to the Internet, shared by
> > > > other users who have chosen 192.168.1 for their private intranet as well -
> > > > but they may not have firewalled their systems...
> > > >
> > > > -----Original Message-----
> > > > From: Christopher R. McNabb <ilive at mindspring.com>
> > > >
> > > >
> > > > I'm using SuSE 5.3 and have setup Firewalling and Masquerading.  All seems
> > > > to work fine, but I'm seeing strange entries in my logs.
> > > >
> > > > May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:137 192.168.1.255:137 L=78 S=0x00 I=11008 F=0x0000 T=32
> > > > May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=12032 F=0x0000 T=32
> > > > May  2 09:19:38 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=13056 F=0x0000 T=32
> > > > May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=244 S=0x00 I=13312 F=0x0000 T=32
> > > > May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=14080 F=0x0000 T=32
> > > > May  2 09:19:40 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=15104 F=0x0000 T=32
> > > >
> > > >
> > > > This IP 192.168.1.2 does not exist on my network.  I also see other entries
> > > > with other IP addresses.  This has started since I set the machine up, so I
> > > > figure it is just a config setting somewhere.  Can anyone help me out here?
> > > > Port numbers are almost always 137 or 138, and occasionally 513.  Always
> > > > UDP.
> > > >

-- 
,-----------------------------------------------------------------------------,
| Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -   www.UnderGrid.net  |
|     PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198 19D0593E50E597E9     |
|         Public PGP key available via 'finger undrgrid at UnderGrid.net'       |
| Jeremy.Bouse at UnderGrid.net  -  NIC Whois: JB5713  -  undrgrid at UnderGrid.net |
|            /earth is 98% full ... please delete anyone you can.             |
`-----------------------------------------------------------------------------'

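The thread turns on reading the ipchains `IP fw-in deny` lines: UDP 137/138 from a 192.168.1.x source to 192.168.1.255 is a neighbour's NetBIOS name-service and browser traffic arriving on the cable segment, not someone targeting the gateway, while a packet aimed at 139 on a unicast address is a different matter. The following classifier is an added example, not code from anyone in the thread. It parses the quoted log entries (rejoined onto one line each, with the quoted-printable `=3D` decoded back to `=`) plus two constructed lines, a directed TCP/139 attempt and a UDP/513 broadcast of the kind the original poster said he saw occasionally. The field layout it assumes is the one visible in the quoted lines; the /24 netmask used to recognise a subnet broadcast, the label names, and the extra addresses (10.4.7.0/24, 203.0.113.0/24) are assumptions for the example.

```python
"""Classify ipchains 'IP fw-in deny' log lines of the kind quoted in the thread.

Added example, not code from the original message. Assumed field layout
(matches the quoted lines):
  IP <chain> <verdict> <iface> <proto> <src>:<sport> <dst>:<dport> L=<len> ...
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input. The first six lines are the entries quoted in the
# thread, rejoined onto one line each with "=3D" decoded back to "=". The last
# two lines are constructed additions: a directed TCP/139 attempt from another
# RFC 1918 source, and a UDP/513 (rwho) broadcast from a non-private address.
SAMPLE_LOG = """\
May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:137 192.168.1.255:137 L=78 S=0x00 I=11008 F=0x0000 T=32
May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=12032 F=0x0000 T=32
May  2 09:19:38 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=13056 F=0x0000 T=32
May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=244 S=0x00 I=13312 F=0x0000 T=32
May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=14080 F=0x0000 T=32
May  2 09:19:40 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=15104 F=0x0000 T=32
May  2 09:20:01 gateway kernel: IP fw-in deny eth0 TCP 10.4.7.9:1045 10.4.7.20:139 L=48 S=0x00 I=2231 F=0x4000 T=64
May  2 09:20:05 gateway kernel: IP fw-in deny eth0 UDP 203.0.113.5:513 203.0.113.255:513 L=80 S=0x00 I=5 F=0x0000 T=30
"""

LOG_RE = re.compile(
    r"IP (?P<chain>fw-\w+) (?P<verdict>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Explicit RFC 1918 check rather than ipaddress.is_private, which also
# matches documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict of the ipchains fields, or None for a non-matching line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def is_directed_broadcast(dst, prefixlen=24):
    """True if dst is the broadcast address of its /24 (e.g. 192.168.1.255).
    The /24 is an assumption; the thread gives no netmask."""
    net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def classify(rec):
    """Label one denied packet.

    smb-browse-broadcast: UDP 137/138 to a subnet broadcast, i.e. a neighbour's
        NetBIOS name registration / browser announcements (background noise).
    smb-directed: anything else aimed at 137/138/139 on a unicast address,
        which is something deliberately poking at SMB on this host.
    other: everything else.
    """
    dport = rec["dport"]
    if rec["proto"] == "UDP" and dport in (137, 138) and is_directed_broadcast(rec["dst"]):
        return "smb-browse-broadcast"
    if dport in NETBIOS_PORTS:
        return "smb-directed"
    return "other"


def summarize(log_text):
    """Count (label, service) pairs and collect RFC 1918 sources seen on the
    external interface: a neighbour's private LAN leaking onto the shared
    cable segment, as Gary Maltzen guessed in the thread."""
    counts = Counter()
    leaked = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = NETBIOS_PORTS.get(rec["dport"], str(rec["dport"]))
        counts[(classify(rec), service)] += 1
        if is_rfc1918(rec["src"]):
            leaked.add(rec["src"])
    return counts, sorted(leaked)


if __name__ == "__main__":
    counts, leaked = summarize(SAMPLE_LOG)
    for (label, service), n in sorted(counts.items()):
        print(f"{n:3d}  {label:22s} {service}")
    print("RFC 1918 sources on eth0:", ", ".join(leaked))
```

Run against the quoted entries, every one of them lands in the `smb-browse-broadcast` bucket with 192.168.1.2 listed as a leaked private source, which is the "just ignore it" verdict the thread reaches; only a unicast hit on 139, like the constructed TCP line, is worth a second look.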