Date:      22 Sep 00 12:20:04 CST
From:      Eduardo Huertas <eduhuertas@usa.net>
To:        Willem Brown <willem@brwn.org>
Cc:        pstapley <pstapley@rapidnet.com>, freebsd-questions@FreeBSD.org
Subject:   Re: ppp -auto -nat myisp
Message-ID:  <20000922182004.5142.qmail@www0a.netaddress.usa.net>

Eduardo Huertas <eduhuertas@usa.net> wrote:
> Hi,
> Thank you for your suggestion, but it still doesn't work :(
>
> Now I have these rules:
>
> # If we don't want ICMP and DNS packets to keep the connection alive:
> #
>     set filter alive 0 deny icmp
>     set filter alive 1 deny udp src eq 53
>     set filter alive 2 deny udp dst eq 53
>     set filter alive 3 permit 0 0
>
> # Blocking from nmbd process
>     set filter alive 4 deny udp src eq 137
>     set filter alive 5 deny udp src eq 138
>     set filter alive 6 deny udp src eq 139
> #
> #
> # And we don't want ICMPs to cause a dialup:
>     set filter dial 0 deny icmp
>     set filter dial 1 permit 0 0
>
> # or any TCP SYN or RST packets (badly closed TCP channels):
>      set filter dial 2 deny 0 0 tcp syn finrst
> # DNS lookups
>      set filter dial 3 deny udp src eq 53
>      set filter dial 4 deny udp dst eq 53
>      set filter dial 5 permit 0/0 0/0
>
> # DNS lookups from Windows machines
>      set filter dial 6 deny udp src eq 137 # NetBIOS name service
>      set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
>      set filter dial 8 deny udp src eq 139 # NetBIOS session service
>      set filter dial 9 deny udp dst eq 137 # NetBIOS name service
>      set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service
>      set filter dial 11 deny udp dst eq 139 # NetBIOS session service
>
> -edu-
>
> Willem Brown <willem@brwn.org> wrote:
> > Hi,
> >
> > On Fri, Sep 22, 2000 at 07:05:43PM +0200, Willem Brown wrote:
> > > Hi,
> > >
> > > Those packets are sent by the nmbd process, netbios name server, and
> > > it is part of the samba server.  To block them, add rules for
> > > port 137,138 and 139 just like the ones you have to stop dns chatter
> > > (port 54) from bringing the line up. BTW.
> > --------^^
> > This should be 53, sorry.
> >
> > >
> > > set filter alive 3 deny udp src eq 137
> > > .
> > > .
> > > .
> > >
> > > On Fri, Sep 22, 2000 at 09:07:34AM -0600, Eduardo Huertas wrote:
> > > > Hi Pete
> > > >
> > > > I wrote those filters but didn't work out.  Below is the default section of
> > > > ppp.conf:
> > > >
> > > > default:
> > > >  set log Phase Chat LCP IPCP CCP tun command
> > > >  set log +tcp/ip
> > > >  set device /dev/cuaa0
> > > >  set speed 115200
> > > >  disable lqr
> > > >  deny lqr
> > > >  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
> > > >            OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
> > > >  set timeout 300
> > > >  set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> > > >  add default HISADDR
> > > >  set reconnect 3 20
> > > >  allow users eduardo
> > > >  set server +3000 diagnostico
> > > > #
> > > > # If we don't want ICMP and DNS packets to keep the connection alive:
> > > > #
> > > >     set filter alive 0 deny icmp
> > > >     set filter alive 1 deny udp src eq 53
> > > >     set filter alive 2 deny udp dst eq 53
> > > >     set filter alive 3 permit 0 0
> > > > #
> > > > #
> > > > # And we don't want ICMPs to cause a dialup:
> > > >     set filter dial 0 deny icmp
> > > >     set filter dial 1 permit 0 0
> > > >
> > > > # or any TCP SYN or RST packets (badly closed TCP channels):
> > > >      set filter dial 2 deny 0 0 tcp syn finrst
> > > > # DNS lookups
> > > >      set filter dial 3 deny udp src eq 53
> > > >      set filter dial 4 deny udp dst eq 53
> > > >      set filter dial 5 permit 0/0 0/0
> > > >
> > > > # DNS lookups from Windows machines
> > > >      set filter dial 6 deny udp src eq 137 # NetBIOS name service
> > > >      set filter dial 7 deny udp src eq 138 # NetBIOS datagram service
> > > >      set filter dial 8 deny udp src eq 139 # NetBIOS session service
> > > >      set filter dial 9 deny udp dst eq 137 # NetBIOS name service
> > > >      set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service
> > > >      set filter dial 11 deny udp dst eq 139 # NetBIOS session service
> > > >
> > > > And here is the log of the unexpectedly dialing:
> > > >
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 0 deny icmp
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 1 deny udp src eq 53
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 2 deny udp dst eq 53
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 3 permit 0 0
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 0 deny icmp
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 1 permit 0 0
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 2 deny 0 0 tcp syn finrst
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 3 deny udp src eq 53
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 4 deny udp dst eq 53
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 5 permit 0/0 0/0
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 6 deny udp src eq 137
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 7 deny udp src eq 138
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 8 deny udp src eq 139
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 9 deny udp dst eq 137
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 10 deny udp dst eq 138
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 11 deny udp dst eq 139
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set redial 10 4
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set phone 03854998
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authname incep
> > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authkey ********
> > > > Sep 22 08:21:45 BSDincep ppp[1262]: tun0: Phase: PPP Started (auto mode).
> > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: bundle: Establish
> > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: closed -> opening
> > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: Connected!
> > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: opening -> dial
> > > >
> > > > What I see is that the packet that triggers the dialing has ip addresses that
> > > > are used for negotiating between the local and the remote system:
> > > >
> > > > set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> > > >
> > > > And that these packets appear almost immediately after I run ppp -auto -nat myisp.
> > > >
> > > > Again my question is:
> > > >
> > > > Who is sending this packet and how can I filter it? or is there another way?
> > > >
> > > > "pstapley" <pstapley@rapidnet.com> wrote:
> > > > > They are different, I will try to get to the site again. Here it is, hope it
> > > > > helps.
> > > > >
> > > > > http://www.defcon1.org/html/ppp-tips.html
> > > > >
> > > > > One problem that can exist with demand dialing was that Microsoft hosts
> > > > > sometimes do a broadcast then a DNS lookup for servers which don't exist by
> > > > > themselves about every 30mins this will always cause a modem to dial up,
> > > > > these DNS requests MS hosts send go to the DNS server port 53 UDP just like
> > > > > a normal DNS request would but one difference about them is that they come
> > > > > from source port 137-139, normal DNS traffic would have a source port
> > > > > roughly of 1080+ so it makes it easy to block those by putting this in
> > > > > /etc/ppp/ppp.conf
> > > > >
> > > > > set filter dial 2 deny udp src eq 137 # NetBIOS name service
> > > > > set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
> > > > > set filter dial 4 deny udp src eq 139 # NetBIOS session service
> > > > > set filter dial 5 deny udp dst eq 137 # NetBIOS name service
> > > > > set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
> > > > > set filter dial 7 deny udp dst eq 139 # NetBIOS session service
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Eduardo Huertas" <eduhuertas@usa.net>
> > > > > To: "pstapley" <pstapley@rapidnet.com>
> > > > > Sent: Thursday, September 21, 2000 4:02 PM
> > > > > Subject: Re: ppp -auto -nat myisp
> > > > >
> > > >
> > > > ____________________________________________________________________
> > > > Get free email and a permanent address at http://www.netaddress.com/?N=1
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-questions" in the body of the message
> > > >
> > >
> > > Best Regards
> > > Willem Brown
> > > --
> > >  /* =============================================================== */
> > >  /*      Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours.      */
> > >  /* =============================================================== */
> > >
> > > Another dream that failed.  There's nothing sadder.
> > > 		-- Kirk, "This side of Paradise", stardate 3417.3
> > >
> >
> > Best Regards
> > Willem Brown
> > --
> >  /* =============================================================== */
> >  /*      Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours.      */
> >  /* =============================================================== */
> >
> > Power is danger.
> > 		-- The Centurion, "Balance of Terror", stardate 1709.2
> >






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000922182004.5142.qmail>
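
Added example, not part of the original message or of ppp itself: the dial filter set posted at the top of this message, run through a simplified model of the rule evaluation documented in ppp(8) (rules tried in rule-number order, first match decides), against the UDP port 137 packet from the log. The names parse, decide, denies_first and the packet dictionaries are hypothetical, and only the rule syntax seen in this thread is handled.

```python
# Simplified model of ppp(8) filter evaluation: rules are tried in rule-number
# order and the first match decides. Rules using syntax not modelled here
# (the TCP flag test "syn finrst") are skipped rather than guessed at.
POSTED_DIAL = """\
0 deny icmp
1 permit 0 0
2 deny 0 0 tcp syn finrst
3 deny udp src eq 53
4 deny udp dst eq 53
5 permit 0/0 0/0
6 deny udp src eq 137
7 deny udp src eq 138
8 deny udp src eq 139
9 deny udp dst eq 137
10 deny udp dst eq 138
11 deny udp dst eq 139
"""

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        num, action, *rest = line.split()
        rest = [t for t in rest if t not in ("0", "0/0")]  # "any" src/dst address
        rule = {"num": int(num), "action": action, "proto": None, "ports": {}}
        if rest and rest[0] in ("icmp", "udp", "tcp"):
            rule["proto"] = rest.pop(0)
        while len(rest) >= 3 and rest[0] in ("src", "dst") and rest[1] == "eq":
            rule["ports"][rest[0]] = int(rest[2])
            rest = rest[3:]
        rule["modelled"] = not rest  # leftover tokens: not modelled here
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])

def decide(rules, pkt):
    for r in rules:  # returns (action, rule number) of the first matching rule
        if r["modelled"] and r["proto"] in (None, pkt["proto"]) and all(
                pkt.get(side) == port for side, port in r["ports"].items()):
            return r["action"], r["num"]
    return "deny", None  # nothing matched: the packet does not trigger a dial

# Hypothetical reordering: every deny rule first, then one catch-all permit.
def denies_first(rules):
    denies = [r for r in rules if r["action"] == "deny"]
    permit = [r for r in rules if r["action"] == "permit"][:1]
    return [dict(r, num=i) for i, r in enumerate(denies + permit)]

# Constructed from the log line "DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137".
NBNS = {"proto": "udp", "src": 137, "dst": 137}
print(decide(parse(POSTED_DIAL), NBNS))                # ('permit', 1)
print(decide(denies_first(parse(POSTED_DIAL)), NBNS))  # ('deny', 4)
```

In the posted order the catch-all `permit 0 0` at dial rule 1 matches the port 137 packet before any of the NetBIOS deny rules is reached; the alive set has the same shape, with `permit 0 0` at rule 3 ahead of rules 4 to 6.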