Date:      22 Sep 00 09:07:34 CST
From:      Eduardo Huertas <eduhuertas@usa.net>
To:        "pstapley" <pstapley@rapidnet.com>, "Eduardo Huertas" <eduhuertas@usa.net>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re:  ppp -auto -nat myisp
Message-ID:  <20000922150735.23364.qmail@nwcst312.netaddress.usa.net>

Hi Pete

I wrote those filters but they didn't work out.  Below is the default section of
ppp.conf:

default:
 set log Phase Chat LCP IPCP CCP tun command
 set log +tcp/ip
 set device /dev/cuaa0
 set speed 115200
 disable lqr
 deny lqr
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 300
 set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
 add default HISADDR
 set reconnect 3 20
 allow users eduardo
 set server +3000 diagnostico
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
    set filter alive 0 deny icmp
    set filter alive 1 deny udp src eq 53
    set filter alive 2 deny udp dst eq 53
    set filter alive 3 permit 0 0
#
#
# And we don't want ICMPs to cause a dialup:
    set filter dial 0 deny icmp
    set filter dial 1 permit 0 0

# or any TCP SYN or RST packets (badly closed TCP channels):
     set filter dial 2 deny 0 0 tcp syn finrst
# DNS lookups
     set filter dial 3 deny udp src eq 53
     set filter dial 4 deny udp dst eq 53
     set filter dial 5 permit 0/0 0/0

# DNS lookups from Windows machines
     set filter dial 6 deny udp src eq 137 # NetBIOS name service
     set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
     set filter dial 8 deny udp src eq 139 # NetBIOS session service
     set filter dial 9 deny udp dst eq 137 # NetBIOS name service
     set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service
     set filter dial 11 deny udp dst eq 139 # NetBIOS session service


And here is the log of the unexpected dialing:

Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 0 deny icmp
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 1 deny udp src eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 2 deny udp dst eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 3 permit 0 0
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 0 deny icmp
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 1 permit 0 0
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 2 deny 0 0 tcp syn finrst
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 3 deny udp src eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 4 deny udp dst eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 5 permit 0/0 0/0
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 6 deny udp src eq 137
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 7 deny udp src eq 138
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 8 deny udp src eq 139
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 9 deny udp dst eq 137
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 10 deny udp dst eq 138
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 11 deny udp dst eq 139
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set redial 10 4
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set phone 03854998
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authname incep
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authkey ********
Sep 22 08:21:45 BSDincep ppp[1262]: tun0: Phase: PPP Started (auto mode).
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: bundle: Establish
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: closed -> opening
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: Connected!
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: opening -> dial


What I see is that the packet that triggers the dialing has IP addresses that
are used for negotiating between the local and the remote system:

set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0

And that these packets appear almost immediately after I run ppp -auto -nat myisp.

Again my question is:

Who is sending this packet and how can I filter it? Or is there another way?



"pstapley" <pstapley@rapidnet.com> wrote:
> They are different, I will try to get to the site again. Here it is, hope it
> helps.
>
> http://www.defcon1.org/html/ppp-tips.html
>
> One problem that can exist with demand dialing was that Microsoft hosts
> sometimes do a broadcast then a DNS lookup for servers which don't exist by
> themselves about every 30 mins; this will always cause a modem to dial up.
> These DNS requests MS hosts send go to the DNS server port 53 UDP just like
> a normal DNS request would, but one difference about them is that they come
> from source port 137-139; normal DNS traffic would have a source port
> roughly of 1080+, so it makes it easy to block those by putting this in
> /etc/ppp/ppp.conf
>
> set filter dial 2 deny udp src eq 137 # NetBIOS name service
> set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
> set filter dial 4 deny udp src eq 139 # NetBIOS session service
> set filter dial 5 deny udp dst eq 137 # NetBIOS name service
> set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
> set filter dial 7 deny udp dst eq 139 # NetBIOS session service
>
> ----- Original Message -----
> From: "Eduardo Huertas" <eduhuertas@usa.net>
> To: "pstapley" <pstapley@rapidnet.com>
> Sent: Thursday, September 21, 2000 4:02 PM
> Subject: Re: ppp -auto -nat myisp
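
An added example, not part of the original message or of ppp itself: a minimal first-match evaluator for the dial rules as posted, run against the UDP port 137 packet from the log. It relies on ppp(8) trying the rules of a filter set in rule-number order and letting the first matching rule decide; the parser covers only the syntax subset used in this config, treats the `0` and `0/0` addresses as wildcards, does not model the TCP flag keywords, and `catch_all_last` is a hypothetical helper.

```python
import re
# Dial rules exactly as posted in the message (trailing comments dropped).
POSTED = """\
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
set filter dial 2 deny 0 0 tcp syn finrst
set filter dial 3 deny udp src eq 53
set filter dial 4 deny udp dst eq 53
set filter dial 5 permit 0/0 0/0
set filter dial 6 deny udp src eq 137
set filter dial 7 deny udp src eq 138
set filter dial 8 deny udp src eq 139
set filter dial 9 deny udp dst eq 137
set filter dial 10 deny udp dst eq 138
set filter dial 11 deny udp dst eq 139
"""

def parse(text):
    # Subset parser (addresses are all wildcards here; TCP flags not modelled).
    rules = []
    for line in text.splitlines():
        m = re.match(r"set filter dial (\d+) (permit|deny)\s*(.*)", line)
        if not m:
            continue
        proto = re.search(r"\b(icmp|udp|tcp)\b", m.group(3))
        ports = re.findall(r"\b(src|dst) eq (\d+)", m.group(3))
        rules.append({"no": int(m.group(1)), "action": m.group(2),
                      "proto": proto.group(1) if proto else None,
                      "ports": {side: int(p) for side, p in ports}})
    return sorted(rules, key=lambda r: r["no"])

def first_match(rules, pkt):
    # Rules are tried in number order; the first one that matches decides.
    for r in rules:
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if any(pkt.get(side) != p for side, p in r["ports"].items()):
            continue
        return r["no"], r["action"]
    return None, "deny"  # no rule matched: the packet does not trigger a dial

def catch_all_last(rules):
    # Hypothetical helper: keep one unconditional permit, placed last, renumber.
    specific = [r for r in rules if r["proto"] or r["ports"]]
    catch_all = [r for r in rules if not (r["proto"] or r["ports"])][:1]
    return [dict(r, no=i) for i, r in enumerate(specific + catch_all)]

# Packet from the log: DIAL UDP 205.161.189.1:137 ---> 205.161.189.255:137
LOGGED = {"proto": "udp", "src": 137, "dst": 137}
print(first_match(parse(POSTED), LOGGED), first_match(catch_all_last(parse(POSTED)), LOGGED))
```

With the rules as posted the logged packet is decided by rule 1 (`permit 0 0`), so rules 6 to 11 are never consulted; with the catch-all permit moved last, the same packet is denied by the UDP source port 137 rule.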


