Date: Fri, 22 Sep 2000 19:18:30 +0200
From: Willem Brown <willem@brwn.org>
To: Eduardo Huertas <eduhuertas@usa.net>
Cc: pstapley <pstapley@rapidnet.com>, freebsd-questions@FreeBSD.org
Subject: Re: ppp -auto -nat myisp
Message-ID: <20000922191830.T50534@snoopy.brwn.org>
In-Reply-To: <20000922190543.R50534@snoopy.brwn.org>; from willem@brwn.org on Fri, Sep 22, 2000 at 07:05:43PM +0200
References: <20000922150735.23364.qmail@nwcst312.netaddress.usa.net> <20000922190543.R50534@snoopy.brwn.org>

Hi,

On Fri, Sep 22, 2000 at 07:05:43PM +0200, Willem Brown wrote:
> Hi,
>
> Those packets are sent by the nmbd process, netbios name server, and
> it is part of the samba server. To block them, add rules for
> port 137,138 and 139 just like the ones you have to stop dns chatter
> (port 54) from bringing the line up. BTW.
--------^^ This should be 53, sorry.
>
> set filter alive 3 deny udp src eq 137
>         .
>         .
>         .
>
>
> On Fri, Sep 22, 2000 at 09:07:34AM -0600, Eduardo Huertas wrote:
> > Hi Pete
> >
> > I wrote those filters but didn't work out. Below is the default section of
> > ppp.conf:
> >
> > default:
> >  set log Phase Chat LCP IPCP CCP tun command
> >  set log +tcp/ip
> >  set device /dev/cuaa0
> >  set speed 115200
> >  disable lqr
> >  deny lqr
> >  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
> >            OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
> >  set timeout 300
> >  set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> >  add default HISADDR
> >  set reconnect 3 20
> >  allow users eduardo
> >  set server +3000 diagnostico
> > #
> > # If we don't want ICMP and DNS packets to keep the connection alive:
> > #
> >  set filter alive 0 deny icmp
> >  set filter alive 1 deny udp src eq 53
> >  set filter alive 2 deny udp dst eq 53
> >  set filter alive 3 permit 0 0
> > #
> > #
> > # And we don't want ICMPs to cause a dialup:
> >  set filter dial 0 deny icmp
> >  set filter dial 1 permit 0 0
> >
> > # or any TCP SYN or RST packets (badly closed TCP channels):
> >  set filter dial 2 deny 0 0 tcp syn finrst
> > # DNS lookups
> >  set filter dial 3 deny udp src eq 53
> >  set filter dial 4 deny udp dst eq 53
> >  set filter dial 5 permit 0/0 0/0
> >
> > # DNS lookups from Windows machines
> >  set filter dial 6 deny udp src eq 137 # NetBIOS name service
> >  set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
> >  set filter dial 8 deny udp src eq 139 # NetBIOS session service
> >  set filter dial 9 deny udp dst eq 137 # NetBIOS name service
> >  set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service
> >  set filter dial 11 deny udp dst eq 139 # NetBIOS session service
> >
> > And here is the log of the unexpected dialing:
> >
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 0 deny icmp
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 1 deny udp src eq 53
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 2 deny udp dst eq 53
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 3 permit 0 0
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 0 deny icmp
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 1 permit 0 0
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 2 deny 0 0 tcp syn finrst
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 3 deny udp src eq 53
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 4 deny udp dst eq 53
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 5 permit 0/0 0/0
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 6 deny udp src eq 137
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 7 deny udp src eq 138
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 8 deny udp src eq 139
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 9 deny udp dst eq 137
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 10 deny udp dst eq 138
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 11 deny udp dst eq 139
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set redial 10 4
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set phone 03854998
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authname incep
> > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authkey ********
> > Sep 22 08:21:45 BSDincep ppp[1262]: tun0: Phase: PPP Started (auto mode).
> > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: bundle: Establish
> > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: closed -> opening
> > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: Connected!
> > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: opening -> dial
> >
> > What I see is that the packet that triggers the dialing has ip addresses that
> > are used for negotiating between the local and the remote system:
> >
> >  set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> >
> > And that these packets appear almost immediately I run ppp -auto -nat myisp.
> >
> > Again my question is:
> >
> > Who is sending this packet and how can I filter it? or is there another way?
> >
> >
> >
> > "pstapley" <pstapley@rapidnet.com> wrote:
> > > They are different, I will try to get to the site again. Here it is, hope it
> > > helps.
> > >
> > > http://www.defcon1.org/html/ppp-tips.html
> > >
> > > One problem that can exist with demand dialing was that Microsoft hosts
> > > sometimes do a broadcast then a DNS lookup for servers which don't exist by
> > > themselves about every 30mins this will always cause a modem to dial up,
> > > these DNS requests MS hosts send go to the DNS server port 53 UDP just like
> > > a normal DNS request would but one difference about them is that they come
> > > from source port 137-139, normal DNS traffic would have a source port
> > > roughly of 1080+ so it makes it easy to block those by putting this in
> > > /etc/ppp/ppp.conf
> > >
> > >
> > >  set filter dial 2 deny udp src eq 137 # NetBIOS name service
> > >  set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
> > >  set filter dial 4 deny udp src eq 139 # NetBIOS session service
> > >  set filter dial 5 deny udp dst eq 137 # NetBIOS name service
> > >  set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
> > >  set filter dial 7 deny udp dst eq 139 # NetBIOS session service
> > >
> > >
> > > ----- Original Message -----
> > > From: "Eduardo Huertas" <eduhuertas@usa.net>
> > > To: "pstapley" <pstapley@rapidnet.com>
> > > Sent: Thursday, September 21, 2000 4:02 PM
> > > Subject: Re: ppp -auto -nat myisp
> > >
> >
> >
> > ____________________________________________________________________
> > Get free email and a permanent address at http://www.netaddress.com/?N=1
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
>
> Best Regards
> Willem Brown
> --
> /* =============================================================== */
> /* Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours. */
> /* =============================================================== */
>
> Another dream that failed. There's nothing sadder.
>         -- Kirk, "This side of Paradise", stardate 3417.3
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>

Best Regards
Willem Brown
--
/* =============================================================== */
/* Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours. */
/* =============================================================== */

Power is danger.
        -- The Centurion, "Balance of Terror", stardate 1709.2


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000922191830.T50534>
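
As an added illustration (not part of the original message, and not ppp's own code), the sketch below replays the dial filter quoted in the thread against the UDP port 137 packet shown in the log. It assumes the evaluation order described in ppp(8): rules are tried by rule number and the first match decides. `parse`, `decide`, `PKT` and `FIXED_ORDER` are hypothetical names, and `FIXED_ORDER` is a constructed reordering of the same rules.

```python
# Added example, not code from the thread. Assumption (ppp(8) semantics): rules are
# tried in rule-number order, the first match decides, and no match means discard.
DIAL = """\
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
set filter dial 2 deny 0 0 tcp syn finrst
set filter dial 3 deny udp src eq 53
set filter dial 4 deny udp dst eq 53
set filter dial 5 permit 0/0 0/0
set filter dial 6 deny udp src eq 137 # NetBIOS name service
set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
set filter dial 8 deny udp src eq 139 # NetBIOS session service
set filter dial 9 deny udp dst eq 137
set filter dial 10 deny udp dst eq 138
set filter dial 11 deny udp dst eq 139
"""

def parse(text, name="dial"):
    """Parse the rule subset used on this page into {rule number: rule}."""
    rules = {}
    for line in text.splitlines():
        tok = line.split("#")[0].split()
        if tok[:3] != ["set", "filter", name]:
            continue
        r = {"action": tok[4], "proto": None, "src": None, "dst": None, "flags": []}
        rest = [t for t in tok[5:] if t not in ("0", "0/0")]  # 0, 0/0: any address
        while rest:
            t = rest.pop(0)
            if t in ("icmp", "udp", "tcp"):
                r["proto"] = t
            elif t in ("src", "dst"):  # followed by "eq <port>", the only form used here
                r[t], rest = int(rest[1]), rest[2:]
            else:
                r["flags"].append(t)   # TCP keywords: syn, finrst
        rules[int(tok[3])] = r
    return rules

def decide(rules, pkt, order=None):
    """First-match verdict as (rule number, action); order overrides the numbering."""
    for n in order or sorted(rules):
        r = rules[n]
        if (r["proto"] in (None, pkt["proto"])
                and r["src"] in (None, pkt.get("sport"))
                and r["dst"] in (None, pkt.get("dport"))
                # assumption: every listed TCP keyword must be set on the packet
                and all(f in pkt.get("flags", ()) for f in r["flags"])):
            return n, r["action"]
    return None, "deny"

PKT = {"proto": "udp", "sport": 137, "dport": 137}  # the DIAL UDP packet in the log
FIXED_ORDER = [0, 2, 3, 4, 6, 7, 8, 9, 10, 11, 5]   # constructed: one permit, placed last
```

Under that assumption, `decide(parse(DIAL), PKT)` returns rule 1 (`permit 0 0`), so rules 2 to 11 are never consulted for this packet; with `FIXED_ORDER` the same packet is decided by rule 6 (`deny udp src eq 137`).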