[ale] Firewalling question

jeff_hubbs at mcgraw-hill.com jeff_hubbs at mcgraw-hill.com
Thu May 6 14:46:08 EDT 1999



20-mile radius???  I hope MediaOne and BellSouth have it cut up finer than that.

Of course, I keep having this fantasy of a bunch of geeks who live near each
other getting together and setting up a Beowulf cluster...

- Jeff







UnderGrid Founder <undrgrid at undergrid.net> on 05/06/99 01:12:49 PM

To:   "Michael A. Smith" <masmith at bsat.com>
cc:   Jeff Hubbs/Tower at Tower, "'Christopher R. McNabb'" <ilive at mindspring.com>,
      "'Gary Maltzen'" <maltzen at mm.com>, "'ALE List'" <ale at ale.org>

Subject:  Re: [ale] Firewalling question




     On a cablemodem network any machine running Windows filesharing or
Linux running Samba will get displayed on the "Network Neighborhood"...
Although the smart Linux-admin would block those ports on their external
interface going to the cablemodem network... That however will not stop the
Windows machines on the cablemodem segment from attempting to probe the
segment to locate other SMB/Samba machines... If you are firewalling the ports
then you shouldn't show up on his "Network Neighborhood" since it doesn't get
a reply back but his machine will probe it when it tries to update the
network fileshare display... The Network Neighborhood will find what domain
the SMB/Samba server is in and unless it is the same domain as your machine
you would have to look under "Entire network" under Network Neighborhood
which would/should list all known domains from its resulting probes...

     I've had the pleasure of playing with a Linux box with Samba on a
cablemodem network and it is quite humorous as we supplied the provider with
several inches of printouts of account passwords (including the provider's
NT Administrator account password) from just a few hours of sniffing the
cable modem segment just to prove how insecure it really was... 20 mile radius
LAN on one segment... our provided proof made them re-think the arch design
and segmented the network into smaller chunks...

     One has to remember that cablemodems are a shared medium just like
Ethernet so any packet on that segment will be seen by all machines on that
segment... Therefore firewalling your home LAN is vital for security and I
would also recommend *NEVER* using telnet over a cablemodem connection as
any joe-luser could sniff it...

     Respectfully,
     Jeremy T. Bouse

Michael A. Smith decided to waste my bandwidth saying:
>    Cablevision actually does display machines in the "Network Neighborhood".
> I don't know how they group machines into a network neighborhood because I
> only have 10 but I know there are more than 10 people using Cablevision's
> cable modems.  Once you click on a machine, you won't see any drives or
> shared files (at least in NT or using Samba in Linux).  I would like to know
> how they do this.  It appears to be secure but who knows.......
>
> > -----Original Message-----
> > From: jeff_hubbs at mcgraw-hill.com [mailto:jeff_hubbs at mcgraw-hill.com]
> > Sent: Thursday, May 06, 1999 9:39 AM
> > To: masmith at bsat.com
> > Cc: 'Christopher R. McNabb'; 'Gary Maltzen'; '"ALE List"'
> > Subject: RE: [ale] Firewalling question
> >
> >
> > I would hope that there would be a way to keep his machine(s) from
> > showing up in Network Neighborhood on other machines in the first
> > place; I figure his stuff would be harder to hack if you didn't know
> > what the machines' names were.
> >
> > - Jeff
> >
> >
> >
> >
> >
> >
> > "Michael A. Smith" <masmith at bsat.com> on 05/06/99 09:09:45 AM
> >
> > Please respond to masmith at bsat.com
> >
> > To:   "'Christopher R. McNabb'" <ilive at mindspring.com>,
> > "'Gary Maltzen'"
> >       <maltzen at mm.com>
> > cc:   "'\"ALE List\"'" <ale at ale.org> (bcc: Jeff Hubbs/Tower)
> >
> > Subject:  RE: [ale] Firewalling question
> >
> >
> >
> >
> > I think that the udp ports listed are NETBIOS related leading me to
> > believe that someone may be trying to connect to your machine possibly
> > using Samba or clicking on your machine in Network Neighborhood on a
> > windows machine.  The one thing good is that they are being denied
> > thus your rule appears to be working...
> >
> > > -----Original Message-----
> > > From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of
> > > Christopher R. McNabb
> > > Sent: Thursday, May 06, 1999 8:20 AM
> > > To: Gary Maltzen
> > > Cc: "ALE List"
> > > Subject: Re: [ale] Firewalling question
> > >
> > >
> > > That might be the case, Yes it is a cable modem, and lo and behold
> > > the techsupport at Cablevision knows NOTHING!  Mention Linux and
> > > they tried to get me off the phone saying unsupported. Bah!  Ah
> > > well, it's getting denied, so I guess I'll just ignore it.
> > >
> > > Christopher R. McNabb
> > > MindSpring Technical Support
> > > ____________________________________________
> > >
> > > http://www.mindspring.net
> > > http://help.mindspring.com
> > > http://www.mindspring.net/~web
> > > support at mindspring.com         800.719.4664
> > > crmcnabb at mindspring.net
> > > ____________________________________________
> > >
> > > *NOTE* ALL Requests for Technical Support
> > > will be redirected to support at mindspring.com
> > > ____________________________________________
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: Gary Maltzen <maltzen at mm.com>
> > > To: Christopher R. McNabb <ilive at mindspring.com>
> > > Cc: "ALE List" <ale at ale.org>
> > > Sent: Wednesday, May 05, 1999 5:08 PM
> > > Subject: Re: [ale] Firewalling question
> > >
> > >
> > > > Ports 137/138/139 are NetBIOS/SMB/Samba network requests.
> > > >
> > > > First guess: you've got a DSL or cable connection to the Internet,
> > > > shared by other users who have chosen 192.168.1 for their private
> > > > intranet as well - but they may not have firewalled their systems...
> > > >
> > > > -----Original Message-----
> > > > From: Christopher R. McNabb <ilive at mindspring.com>
> > > >
> > > >
> > > > I'm using SuSE 5.3 and have set up Firewalling and Masquerading.
> > > > All seems to work fine, but I'm seeing strange entries in my logs.
> > > >
> > > > May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:137 192.168.1.255:137 L=78 S=0x00 I=11008 F=0x0000 T=32
> > > > May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=12032 F=0x0000 T=32
> > > > May  2 09:19:38 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=13056 F=0x0000 T=32
> > > > May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=244 S=0x00 I=13312 F=0x0000 T=32
> > > > May  2 09:19:39 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=14080 F=0x0000 T=32
> > > > May  2 09:19:40 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=15104 F=0x0000 T=32
> > > >
> > > >
> > > > This IP 192.168.1.2 does not exist on my network.  I also see other
> > > > entries with other IP addresses.  This has started since I set the
> > > > machine up, so I figure it is just a config setting somewhere.  Can
> > > > anyone help me out here?  Port numbers are almost always 137 or 138,
> > > > and occasionally 513.  Always UDP.
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
> >
> >
> >
> >

--
,-----------------------------------------------------------------------------,
| Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -   www.UnderGrid.net  |
|     PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198 19D0593E50E597E9     |
|         Public PGP key available via 'finger undrgrid at UnderGrid.net'        |
| Jeremy.Bouse at UnderGrid.net  -  NIC Whois: JB5713  -  undrgrid at UnderGrid.net |
|            /earth is 98% full ... please delete anyone you can.             |
`-----------------------------------------------------------------------------'
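
The deny entries quoted in this thread can be parsed and grouped by source and service to see at a glance which neighbours on the shared segment are broadcasting NetBIOS traffic. This is an added example, not part of the original messages: the function names and the /24 segment are assumptions, the first two sample lines are rejoined from the log quoted above, and the last two are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# UDP services named in the thread: NetBIOS on 137/138/139, plus 513 (who/rwhod).
SERVICES = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 513: "who"}

# Kernel packet-filter log layout as quoted in the thread:
# IP <chain> <action> <iface> <proto> <src>:<sport> <dst>:<dport> L= S= I= F= T=
LINE_RE = re.compile(
    r"kernel: IP (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)"
)

# Assumption: the segment is a /24, as the .255 destination in the log suggests.
SEGMENT = ipaddress.ip_network("192.168.1.0/24")

SAMPLE_LOG = """\
May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:137 192.168.1.255:137 L=78 S=0x00 I=11008 F=0x0000 T=32
May  2 09:19:37 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.2:138 192.168.1.255:138 L=217 S=0x00 I=12032 F=0x0000 T=32
May  2 09:20:01 gateway kernel: IP fw-in deny eth0 UDP 192.168.1.7:513 192.168.1.255:513 L=112 S=0x00 I=20480 F=0x0000 T=64
May  2 09:20:05 gateway syslogd: constructed unrelated line that must be skipped
"""

def parse_line(line):
    """Return the fields of one packet-filter log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    return rec

def summarize(log_text, segment=SEGMENT):
    """Count denied packets per source as (proto, service, broadcast|unicast)."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny":
            continue
        is_bcast = ipaddress.ip_address(rec["dst"]) == segment.broadcast_address
        service = SERVICES.get(rec["dport"], "port-%d" % rec["dport"])
        kind = "broadcast" if is_bcast else "unicast"
        per_source[rec["src"]][(rec["proto"], service, kind)] += 1
    return {src: dict(hits) for src, hits in per_source.items()}

if __name__ == "__main__":
    for src, hits in sorted(summarize(SAMPLE_LOG).items()):
        print(src, hits)
```

Broadcast-only hits on 137/138 from an address you do not own match the neighbour-announcement traffic discussed in the thread; unicast hits aimed at your own address would deserve a closer look.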
