Stan A. Rogge inscribed thusly:
> try:
>       /sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 138:139 -P udp -W ppp0

        This ain't gonna do da job...  The syntax is correct, the port range
is just not sufficient to cover netbios (in fact it misses the really good
stuff).

> At 11:17 PM 1/31/99 , Ed Weinberg wrote:
> >On Fri, 09 Oct 1998 20:31:25 -0400, brian beuning
> ><[EMAIL PROTECTED]> wrote:
> >
> >>Sorry for the confusion, the command line was meant as a clue to get
> >>interested people looking in the right direction.
> >>It looks like it needs a -D before 138.
> >>> [root@tower /root]# /sbin/ipfwadm -O -a deny -W ppp0 -P udp 138 139

> >I am trying to block netbios packets from going through masquerade.
> >When I use the above command (with the -D) it gives me the following
> >error message:
> >     /sbin/ipfwadm: host/network "138" not found
> >     Try `/sbin/ipfwadm -h' for more information.

> >Any ideas?

        The syntax change suggested above is correct.  Too bad the exact
values aren't going to accomplish anything for you.

        Netbios uses ports 135(tcp/udp) [SMB Rpc], 137(udp) [Netbios Name
Service], and 139(tcp) [Netbios Session Service].

        The values you listed are only going to block udp for ports 138 and
139.  Netbios doesn't use UDP on 138 and 139.  It uses UDP on 137 and 135
and TCP everywhere else (135 and 139).  I would strongly recommend for blocking
netbios that you use the following filters:

/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P udp -W ppp0
/sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P udp -W ppp0
/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P tcp -W ppp0
/sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P tcp -W ppp0

        Since you are masquerading, you can probably get away with only
blocking the outbound stuff...  Everyone else, read on.

        Block the inbound ports as well as the outbound ports to keep ankle
biters from screwing with your netbios stuff remotely.  Sneaking in a few
"amusing" attacks through these is great fun.  There is a published attack
called "snork" where they send a bogus RPC request into port 135 on your
local broadcast address.  The return address is port 135 on your local
broadcast address.  Each Windows NT box getting a snork packet returns
an error to the source address.  The return packet is an RPC packet with
an error code saying that it didn't expect an RPC packet.  This, of course,
is also an unexpected RPC packet which gets errors back from all the other
systems.  One packet spoofed onto a network results in n**2 packets screaming
back and forth between your "n" windows NT boxes....  And the beat goes on!

        Since you are masquerading, unsolicited inbound packets might not
be a problem for you...  Other people looking at these filters might
try them and miss some really good stuff...

> >  --  Ed Weinberg,
> >      Detel, Inc., An Internet Presence Provider
> >      [EMAIL PROTECTED]


> >-
> >To unsubscribe from this list: send the line "unsubscribe linux-diald" in
> >the body of a message to [EMAIL PROTECTED]
> > 
> ------------------------------------------------------------------
> Stan A. Rogge (Systems Analyst) mailto:[EMAIL PROTECTED]
> Harmonic Systems Incorporated
> 701 Fourth Avenue South, Suite 320,Minneapolis MN 55415
> Telephone:(612)321-4060 Fax:(612)672-3549
> 
> http://www.telsarpc.harmonic.com
> ftp://telsarpc.harmonic.com
> 


-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
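To make the point about the port range concrete, here is a small model of
ipfwadm-style deny rules that checks which of the NetBIOS packets listed in
the message (135 tcp/udp, 137 udp, 139 tcp) a given rule set actually stops.
This is an added example written for this page, not code from the thread or
from ipfwadm itself.  It assumes only the command-line subset used above
(`-I`/`-O`, `-a deny`, `-S`/`-D` followed by a `lo:hi` port spec, `-P`,
`-W`), a default policy of accept, and that the port spec after `-D` is the
destination port range; the packet list is constructed for the example.

```python
"""Model of ipfwadm-style deny rules: which NetBIOS packets get through?

Added example, not code from the original thread.  Assumptions: the
ipfwadm subset used in the thread, default policy accept, and the
port spec after -D is the destination port range.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str        # "I" (input) or "O" (output)
    proto: str        # "tcp" or "udp"
    port_lo: int
    port_hi: int
    iface: str = "ppp0"


@dataclass(frozen=True)
class Packet:
    chain: str        # which chain the packet traverses
    proto: str
    dport: int        # destination port
    iface: str = "ppp0"


def parse_ipfwadm(cmd: str) -> Rule:
    """Parse the subset of the ipfwadm command line used on this page."""
    argv = cmd.split()
    chain = argv[argv.index("-a") - 1].lstrip("-")   # '-I' or '-O' precedes '-a'
    proto = argv[argv.index("-P") + 1]
    iface = argv[argv.index("-W") + 1]
    ports = argv[argv.index("-D") + 2]                # dest address, then port spec
    lo, _, hi = ports.partition(":")
    return Rule(chain, proto, int(lo), int(hi or lo), iface)


def blocked(rules, pkt: Packet) -> bool:
    """A packet is dropped if any deny rule matches; otherwise it passes."""
    return any(r.chain == pkt.chain and r.proto == pkt.proto
               and r.iface == pkt.iface and r.port_lo <= pkt.dport <= r.port_hi
               for r in rules)


# NetBIOS traffic exactly as the message lists it (constructed sample input).
NETBIOS = [
    Packet("O", "tcp", 135), Packet("O", "udp", 135),
    Packet("O", "udp", 137), Packet("O", "tcp", 139),
    Packet("I", "tcp", 135), Packet("I", "udp", 135),
    Packet("I", "udp", 137), Packet("I", "tcp", 139),
]

# The rule first tried in the thread, and the four rules recommended instead.
ORIGINAL = [
    "/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 138:139 -P udp -W ppp0",
]
RECOMMENDED = [
    "/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P udp -W ppp0",
    "/sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P udp -W ppp0",
    "/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P tcp -W ppp0",
    "/sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 135:139 -P tcp -W ppp0",
]


def leaks(cmds, packets=NETBIOS):
    """Return the packets that pass through the rule set built from cmds."""
    rules = [parse_ipfwadm(c) for c in cmds]
    return [p for p in packets if not blocked(rules, p)]


if __name__ == "__main__":
    cases = (("original", ORIGINAL),
             ("recommended, outbound only", RECOMMENDED[0::2]),
             ("recommended, all four", RECOMMENDED))
    for name, cmds in cases:
        passed = leaks(cmds)
        print(f"{name}: {len(passed)} of {len(NETBIOS)} NetBIOS packets pass")
        for p in passed:
            print(f"  leaks: chain={p.chain} {p.proto}/{p.dport}")
```

Running it shows the 138:139/udp rule lets every one of the listed packets
through, the two outbound rules stop the outbound ones but leave the inbound
chain open (the masquerading case the message mentions), and all four rules
together stop the whole list.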

