Bob Fowler wrote:
> We have recently encountered a problem that seems to be indirectly related
> to IP MASQ. We have a Debian box running kernel 2.2.17 which connects to
> the Internet through a cable modem. Internally we use IP masquerading with
> private addresses.
>
> We routinely connect to our Web servers over the Internet through Windows
> Networking (SMB) (... I know... It isn't very secure.). Until a few weeks
> ago the servers were running NT 4.0 and everything was fine. However, over
> the holidays, we upgraded our server to Win2K and the problems began. The
> problem only occurs when connecting to a Win2K machine from a Win2K machine.
>
> I will provide a little bit of background, since this is a *nix oriented
> mailing list... Microsoft, in all of their wisdom (sarcasm implied...), has
> decided to change how Windows networking will work with Win2K. No longer
> will Windows use netbios over TCP... gone are the familiar ports 137, 138 &
> 139 (netbios-ns, netbios-dgm & netbios-ssn). Win2K is now dual-mode and
> will first try to connect using SMB directly on TCP on port 445 as well as
> the old for backward compatibility. See MS KB Article Q204279
> (http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP) for more
> details.
>
> The problem is basically a random loss of connection for the network shares
> in use... The developers will be making changes or copy a few files over
> only to have it fail after the first few. It does work as it should
> periodically. This problem only exists while the sessions are being
> masqueraded. I have given several of the developers public IPs and
> connected them directly to the cable modem and the problem goes away. I
> should also note that I have no problems with Masquerading itself, it works
> great for everything else.
>
> I fear that this problem may need a radical solution, such as a new module
> being created, but I would appreciate any suggestions.
>
> All hope is not lost however... While writing this I realized I could force
> Win2K to use the backward compatibility mode by blocking port 445. I have
> added the following line to my init script:
> /sbin/ipchains -A input -p TCP -s 192.168.3.0/24 -d 0/0 445 -j DENY

maybe what you needed to do was port forward 445 somewhere (but where?)
if the external win2k host was initiating the connections. if so, a new
module probably is needed so stick with your current workaround until
someone feels the need to write one.

raf
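Added example, not part of the original thread: a small Python check, run from a masqueraded client, to confirm that the port 445 block described above is in effect and that only the NetBIOS session port (139) is reachable. The function names and the way the transport is inferred from the two port states are assumptions for illustration, based on the dual-mode behaviour described in the quoted message.

```python
import socket
import sys

SMB_DIRECT = 445    # SMB directly over TCP (Win2K dual-mode, per the thread)
NETBIOS_SSN = 139   # netbios-ssn, the backward-compatible transport


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    'closed' means the connection was actively refused; 'filtered' means
    no answer or a network error, which is what a silent DENY rule on the
    masquerading box looks like from the client side.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # includes timeouts and unreachable errors
        return "filtered"
    finally:
        s.close()


def smb_transport(host, direct_port=SMB_DIRECT, netbios_port=NETBIOS_SSN,
                  timeout=3.0):
    """Probe both SMB ports and infer which transport a client can use."""
    states = {
        direct_port: probe(host, direct_port, timeout),
        netbios_port: probe(host, netbios_port, timeout),
    }
    if states[direct_port] == "open":
        choice = "direct SMB over TCP"
    elif states[netbios_port] == "open":
        choice = "NetBIOS session fallback"
    else:
        choice = "no SMB transport reachable"
    return states, choice


if __name__ == "__main__":
    # Host is a command-line argument; it defaults to localhost.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port_states, transport = smb_transport(target)
    for port, state in port_states.items():
        print(f"{target}:{port} {state}")
    print(f"expected transport: {transport}")
```

With the DENY rule loaded, port 445 should report `filtered` and the expected transport should be the NetBIOS session fallback.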
