Date: 22 Sep 00 15:16:36 CST
From: Eduardo Huertas <eduhuertas@usa.net>
To: Willem Brown <willem@brwn.org>
Cc: pstapley <pstapley@rapidnet.com>, freebsd-questions@FreeBSD.org
Subject: Re: [Re: ppp -auto -nat myisp]
Message-ID: <20000922211636.20341.qmail@nwcst315.netaddress.usa.net>
EXCELLENT! Everything is super OK now. Thanks a lot Willem and Pete.
Thank you very much :-)

-edu-

Willem Brown <willem@brwn.org> wrote:
> Hi,
>
> I should have looked further down a bit.
>
> On Fri, Sep 22, 2000 at 01:23:45PM -0600, Eduardo Huertas wrote:
> > Hi again,
> >
> > And it didn't work again!
> >
> > These are the rules...
> >
> > # If we don't want ICMP and DNS packets to keep the connection alive:
> > #
> > set filter alive 0 deny icmp
> > set filter alive 1 deny udp src eq 53
> > set filter alive 2 deny udp dst eq 53
> >
> > # Blocking from nmbd process
> > set filter alive 3 deny udp src eq 137
> > set filter alive 4 deny udp src eq 138
> > set filter alive 5 deny udp src eq 139
> > set filter alive 6 permit 0 0
> >
> > #
> > #
> > # And we don't want ICMPs to cause a dialup:
> > set filter dial 0 deny icmp
> > set filter dial 1 permit 0 0
> >
> > # or any TCP SYN or RST packets (badly closed TCP channels):
> > set filter dial 2 deny 0 0 tcp syn finrst
> > # DNS lookups
> > set filter dial 3 deny udp src eq 53
> > set filter dial 4 deny udp dst eq 53
> > set filter dial 5 permit 0/0 0/0
> >
> > # DNS lookups from Windows machines
> > set filter dial 6 deny udp src eq 137 # NetBIOS name service
> > set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
> > set filter dial 8 deny udp src eq 139 # NetBIOS session service
> > set filter dial 9 deny udp dst eq 137 # NetBIOS name service
> > set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service
> > set filter dial 11 deny udp dst eq 139 # NetBIOS session service
>
> These rules should also be moved so that they occur before the
> "set filter dial 5 permit" rule. This should stop them from initiating the
> connection.
>
> >
> > And this is the log:
> >
> > Sep 22 13:16:02 BSDincep ppp[1658]: tun0: Phase: PPP Started (auto mode).
> > Sep 22 13:16:05 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 192.168.1.100:137 ---> 205.161.189.1:137 - NO KEEPALIVE
> > Sep 22 13:16:15 BSDincep last message repeated 13 times
> > Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
> > Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
> > Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 192.168.1.100:137 ---> 205.161.189.1:137 - NO KEEPALIVE
> > Sep 22 13:16:24 BSDincep last message repeated 6 times
> > Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
> > Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
> > Sep 22 13:17:24 BSDincep ppp[1658]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137 - NO KEEPALIVE
> > Sep 22 13:17:24 BSDincep ppp[1658]: tun0: Phase: bundle: Establish
> > Sep 22 13:17:24 BSDincep ppp[1658]: tun0: Phase: deflink: closed -> opening
> > Sep 22 13:17:24 BSDincep ppp[1658]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137 - NO KEEPALIVE
> > Sep 22 13:17:24 BSDincep ppp[1658]: tun0: Phase: deflink: Connected!
> >
> > I really appreciate your help!
> >
> > Willem Brown <willem@brwn.org> wrote:
> > > Hi,
> > >
> > > On Fri, Sep 22, 2000 at 11:43:14AM -0600, Eduardo Huertas wrote:
> > > > Hi,
> > > > Thank you for your suggestion, but it still doesn't work :(
> > > >
> > > > Now I have these rules:
> > > >
> > > > # If we don't want ICMP and DNS packets to keep the connection alive:
> > > > #
> > > > set filter alive 0 deny icmp
> > > > set filter alive 1 deny udp src eq 53
> > > > set filter alive 2 deny udp dst eq 53
> > > > set filter alive 3 permit 0 0
> > > >
> > > > # Blocking from nmbd process
> > > > set filter alive 4 deny udp src eq 137
> > > > set filter alive 5 deny udp src eq 138
> > > > set filter alive 6 deny udp src eq 139
> > >
> > > These rules should be inserted before the "set filter alive 3 permit" rule.
> > >
> > > > #
> > > > #
> > > > # And we don't want ICMPs to cause a dialup:
> > > > set filter dial 0 deny icmp
> > > > set filter dial 1 permit 0 0
> > > >
> > > > # or any TCP SYN or RST packets (badly closed TCP channels):
> > > > set filter dial 2 deny 0 0 tcp syn finrst
> > > > # DNS lookups
> > > > set filter dial 3 deny udp src eq 53
> > > > set filter dial 4 deny udp dst eq 53
> > > > set filter dial 5 permit 0/0 0/0
> > > >
> > > > # DNS lookups from Windows machines
> > > > set filter dial 6 deny udp src eq 137 # NetBIOS name service
> > > > set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
> > > > set filter dial 8 deny udp src eq 139 # NetBIOS session service
> > > > set filter dial 9 deny udp dst eq 137 # NetBIOS name service
> > > > set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service
> > > > set filter dial 11 deny udp dst eq 139 # NetBIOS session service
> > > >
> > > > -edu-
> > > >
> > > > Willem Brown <willem@brwn.org> wrote:
> > > > > Hi,
> > > > >
> > > > > On Fri, Sep 22, 2000 at 07:05:43PM +0200, Willem Brown wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Those packets are sent by the nmbd process, the NetBIOS name server, and
> > > > > > it is part of the Samba server. To block them, add rules for
> > > > > > ports 137, 138 and 139 just like the ones you have to stop DNS chatter
> > > > > > (port 54) from bringing the line up. BTW.
> > > > > --------^^
> > > > > This should be 53, sorry.
> > > > >
> > > > > >
> > > > > > set filter alive 3 deny udp src eq 137
> > > > > > .
> > > > > > .
> > > > > > .
> > > > > >
> > > > > >
> > > > > > On Fri, Sep 22, 2000 at 09:07:34AM -0600, Eduardo Huertas wrote:
> > > > > > > Hi Pete
> > > > > > >
> > > > > > > I wrote those filters but it didn't work out. Below is the default
> > > > > > > section of ppp.conf:
> > > > > > >
> > > > > > > default:
> > > > > > >  set log Phase Chat LCP IPCP CCP tun command
> > > > > > >  set log +tcp/ip
> > > > > > >  set device /dev/cuaa0
> > > > > > >  set speed 115200
> > > > > > >  disable lqr
> > > > > > >  deny lqr
> > > > > > >  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
> > > > > > >            OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
> > > > > > >  set timeout 300
> > > > > > >  set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> > > > > > >  add default HISADDR
> > > > > > >  set reconnect 3 20
> > > > > > >  allow users eduardo
> > > > > > >  set server +3000 diagnostico
> > > > > > >  #
> > > > > > >  # If we don't want ICMP and DNS packets to keep the connection alive:
> > > > > > >  #
> > > > > > >  set filter alive 0 deny icmp
> > > > > > >  set filter alive 1 deny udp src eq 53
> > > > > > >  set filter alive 2 deny udp dst eq 53
> > > > > > >  set filter alive 3 permit 0 0
> > > > > > >  #
> > > > > > >  #
> > > > > > >  # And we don't want ICMPs to cause a dialup:
> > > > > > >  set filter dial 0 deny icmp
> > > > > > >  set filter dial 1 permit 0 0
> > > > > > >
> > > > > > >  # or any TCP SYN or RST packets (badly closed TCP channels):
> > > > > > >  set filter dial 2 deny 0 0 tcp syn finrst
> > > > > > >  # DNS lookups
> > > > > > >  set filter dial 3 deny udp src eq 53
> > > > > > >  set filter dial 4 deny udp dst eq 53
> > > > > > >  set filter dial 5 permit 0/0 0/0
> > > > > > >
> > > > > > >  # DNS lookups from Windows machines
> > > > > > >  set filter dial 6 deny udp src eq 137 # NetBIOS name service
> > > > > > >  set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
> > > > > > >  set filter dial 8 deny udp src eq 139 # NetBIOS session service
> > > > > > >  set filter dial 9 deny udp dst eq 137 # NetBIOS name service
> > > > > > >  set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service
> > > > > > >  set filter dial 11 deny udp dst eq 139 # NetBIOS session service
> > > > > > >
> > > > > > > And here is the log of the unexpected dialing:
> > > > > > >
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 0 deny icmp
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 1 deny udp src eq 53
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 2 deny udp dst eq 53
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 3 permit 0 0
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 0 deny icmp
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 1 permit 0 0
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 2 deny 0 0 tcp syn finrst
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 3 deny udp src eq 53
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 4 deny udp dst eq 53
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 5 permit 0/0 0/0
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 6 deny udp src eq 137
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 7 deny udp src eq 138
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 8 deny udp src eq 139
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 9 deny udp dst eq 137
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 10 deny udp dst eq 138
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 11 deny udp dst eq 139
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set redial 10 4
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set phone 03854998
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authname incep
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authkey ********
> > > > > > > Sep 22 08:21:45 BSDincep ppp[1262]: tun0: Phase: PPP Started (auto mode).
> > > > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > > > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: bundle: Establish
> > > > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: closed -> opening
> > > > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > > > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: Connected!
> > > > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: opening -> dial
> > > > > > >
> > > > > > > What I see is that the packet that triggers the dialing has IP addresses
> > > > > > > that are used for negotiating between the local and the remote system:
> > > > > > >
> > > > > > >  set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> > > > > > >
> > > > > > > And that these packets appear almost immediately after I run
> > > > > > > ppp -auto -nat myisp.
> > > > > > >
> > > > > > > Again my question is:
> > > > > > >
> > > > > > > Who is sending this packet and how can I filter it? Or is there
> > > > > > > another way?
> > > > > > >
> > > > > > >
> > > > > > > "pstapley" <pstapley@rapidnet.com> wrote:
> > > > > > > > They are different, I will try to get to the site again. Here it
> > > > > > > > is, hope it helps.
> > > > > > > >
> > > > > > > > http://www.defcon1.org/html/ppp-tips.html
> > > > > > > >
> > > > > > > > One problem that can exist with demand dialing was that Microsoft
> > > > > > > > hosts sometimes do a broadcast then a DNS lookup for servers which
> > > > > > > > don't exist by themselves about every 30 mins; this will always
> > > > > > > > cause a modem to dial up. These DNS requests MS hosts send go to
> > > > > > > > the DNS server port 53 UDP just like a normal DNS request would,
> > > > > > > > but one difference about them is that they come from source port
> > > > > > > > 137-139; normal DNS traffic would have a source port roughly of
> > > > > > > > 1080+, so it makes it easy to block those by putting this in
> > > > > > > > /etc/ppp/ppp.conf
> > > > > > > >
> > > > > > > >
> > > > > > > > set filter dial 2 deny udp src eq 137 # NetBIOS name service
> > > > > > > > set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
> > > > > > > > set filter dial 4 deny udp src eq 139 # NetBIOS session service
> > > > > > > > set filter dial 5 deny udp dst eq 137 # NetBIOS name service
> > > > > > > > set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
> > > > > > > > set filter dial 7 deny udp dst eq 139 # NetBIOS session service
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Eduardo Huertas" <eduhuertas@usa.net>
> > > > > > > > To: "pstapley" <pstapley@rapidnet.com>
> > > > > > > > Sent: Thursday, September 21, 2000 4:02 PM
> > > > > > > > Subject: Re: ppp -auto -nat myisp
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > > Best Regards
> > > > > > Willem Brown
> > > > > >
> > > > > > Another dream that failed. There's nothing sadder.
> > > > > > -- Kirk, "This side of Paradise", stardate 3417.3
> > > > > >
> > > > >
> > > > > Best Regards
> > > > > Willem Brown
> > > > >
> > > > > Power is danger.
> > > > > -- The Centurion, "Balance of Terror", stardate 1709.2
> > > > >
> > > >
> > >
> > > Best Regards
> > > Willem Brown
> > >
> > > Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
> > > Civilization?
> > > Gandhi: I think it would be a good idea.
> > >
> >
>
> -- 
> /* ======================================================================= */
> /* Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours.                   */
> /* ======================================================================= */
>
> There are always alternatives.
> -- Spock, "The Galileo Seven", stardate 2822.3
>

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
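The whole thread turns on one property of ppp's packet filters: rules are consulted in numeric order and the first match decides, so a deny that sits behind a catch-all `permit 0 0` is never reached. The Python below is an added example, not code from the thread or from ppp itself. It simulates `set filter` evaluation as described in ppp(8) (first match wins; a packet matching no rule is denied once any rule exists), runs the `dial` filter exactly as posted against the UDP 137 -> 137 nmbd broadcast that the log shows triggering the dial, reports which rules are dead, and then rebuilds the filter with every deny ahead of a single catch-all permit. The parser, the `dead_rules` audit and the `denies_first` reordering are my own constructions; TCP flag keywords (`syn`, `finrst`, `estab`) are accepted but not evaluated, so only UDP and ICMP packets are judged, and address fields must be the `0` / `0/0` wildcards used in the thread.

```python
"""First-match simulation of FreeBSD user-ppp 'set filter' rules (ppp(8)).

Added example, not code from the thread.  Modelled from ppp(8): rules are
checked in numeric order, the first match wins, and a packet that matches
no rule is denied once any rule exists.  Only the syntax used in the thread
is parsed; TCP flag keywords are accepted but not evaluated, so only UDP
and ICMP packets are judged, and address fields must be wildcards.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Rule = NamedTuple("Rule", [("number", int), ("action", str), ("proto", Optional[str]),
                           ("src_port", Optional[int]), ("dst_port", Optional[int])])
Packet = NamedTuple("Packet", [("proto", str), ("src_port", int), ("dst_port", int)])
WILDCARD = {"0", "0/0"}                  # ppp spellings of "any address"
PROTOS = {"icmp", "udp", "tcp"}
TCP_FLAGS = {"estab", "syn", "finrst"}   # accepted, not evaluated (see docstring)
HEAD = re.compile(r"^set filter (\w+) (\d+) (permit|deny)\b(.*)$")


def parse_rule(line: str, name: str) -> Optional[Rule]:
    """Parse 'set filter <name> <n> <action> [src dst] [proto] [src eq P] [dst eq P]'."""
    m = HEAD.match(line.split("#", 1)[0].strip())   # drop any trailing comment
    if not m or m.group(1) != name:
        return None
    rest, proto, port = m.group(4).split(), None, {"src": None, "dst": None}
    if len(rest) >= 2 and rest[0] in WILDCARD and rest[1] in WILDCARD:
        rest = rest[2:]                               # explicit "any any" addresses
    if rest and rest[0] in PROTOS:
        proto, rest = rest[0], rest[1:]
    while rest:
        if rest[0] in port and rest[1:2] == ["eq"]:
            port[rest[0]], rest = int(rest[2]), rest[3:]
        elif rest[0] in TCP_FLAGS:
            rest = rest[1:]
        else:
            raise ValueError(f"unsupported token {rest[0]!r} in {line!r}")
    return Rule(int(m.group(2)), m.group(3), proto, port["src"], port["dst"])


def load_filter(conf: str, name: str) -> List[Rule]:
    rules = [r for r in (parse_rule(ln, name) for ln in conf.splitlines()) if r]
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule; no match is a deny."""
    for r in rules:
        if (r.proto in (None, pkt.proto) and r.src_port in (None, pkt.src_port)
                and r.dst_port in (None, pkt.dst_port)):
            return r.action, r.number
    return ("deny", None) if rules else ("permit", None)


def dead_rules(rules: List[Rule]) -> List[int]:
    """Rules that are never consulted: everything after the first catch-all rule."""
    for i, r in enumerate(rules):
        if r.proto is None and r.src_port is None and r.dst_port is None:
            return [x.number for x in rules[i + 1:]]
    return []


def denies_first(rules: List[Rule]) -> List[Rule]:
    """Constructed fix: keep every deny, in order, then one catch-all permit.
    Valid here because every permit in the posted filter is itself a catch-all."""
    denies = [d._replace(number=i) for i, d in enumerate(r for r in rules if r.action == "deny")]
    return denies + [Rule(len(denies), "permit", None, None, None)]


# The 'dial' filter exactly as posted in the thread (comments trimmed).
AS_POSTED = """
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
set filter dial 2 deny 0 0 tcp syn finrst
set filter dial 3 deny udp src eq 53
set filter dial 4 deny udp dst eq 53
set filter dial 5 permit 0/0 0/0
set filter dial 6 deny udp src eq 137
set filter dial 7 deny udp src eq 138
set filter dial 8 deny udp src eq 139
set filter dial 9 deny udp dst eq 137
set filter dial 10 deny udp dst eq 138
set filter dial 11 deny udp dst eq 139
"""
# The packet the log shows bringing the line up: nmbd's UDP 137 -> 137 broadcast.
NMBD_BROADCAST = Packet("udp", 137, 137)


def demo() -> dict:
    posted = load_filter(AS_POSTED, "dial")
    fixed = denies_first(posted)
    return {
        "posted": evaluate(posted, NMBD_BROADCAST),   # ('permit', 1): the modem dials
        "posted_dead": dead_rules(posted),            # [2, ..., 11]: never consulted
        "fixed": evaluate(fixed, NMBD_BROADCAST),     # ('deny', 4): broadcast ignored
        "fixed_dead": dead_rules(fixed),              # []: every deny is live
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the posted filter permits the broadcast at rule 1, which is why rules 6 to 11 never had a chance; `dead_rules` is the check worth running on any ppp.conf filter before wondering why a deny has no effect. The same ordering rule applies to the `alive` filter: a `permit 0 0` must be the last rule of each filter, never an early one.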