Date: 22 Sep 00 09:07:34 CST
From: Eduardo Huertas <eduhuertas@usa.net>
To: "pstapley" <pstapley@rapidnet.com>, "Eduardo Huertas" <eduhuertas@usa.net>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ppp -auto -nat myisp
Message-ID: <20000922150735.23364.qmail@nwcst312.netaddress.usa.net>

Hi Pete,

I wrote those filters but they didn't work out. Below is the default section of
ppp.conf:

default:
 set log Phase Chat LCP IPCP CCP tun command
 set log +tcp/ip
 set device /dev/cuaa0
 set speed 115200
 disable lqr
 deny lqr
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 300
 set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
 add default HISADDR
 set reconnect 3 20
 allow users eduardo
 set server +3000 diagnostico
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
 set filter alive 0 deny icmp
 set filter alive 1 deny udp src eq 53
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 permit 0 0
#
#
# And we don't want ICMPs to cause a dialup:
 set filter dial 0 deny icmp
 set filter dial 1 permit 0 0
# or any TCP SYN or RST packets (badly closed TCP channels):
 set filter dial 2 deny 0 0 tcp syn finrst
# DNS lookups
 set filter dial 3 deny udp src eq 53
 set filter dial 4 deny udp dst eq 53
 set filter dial 5 permit 0/0 0/0
# DNS lookups from Windows machines
 set filter dial 6 deny udp src eq 137    # NetBIOS name service
 set filter dial 7 deny udp src eq 138    # NetBIOS datagram service
 set filter dial 8 deny udp src eq 139    # NetBIOS session service
 set filter dial 9 deny udp dst eq 137    # NetBIOS name service
 set filter dial 10 deny udp dst eq 138   # NetBIOS datagram service
 set filter dial 11 deny udp dst eq 139   # NetBIOS session service

And here is the log of the unexpected dialing:

Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 0 deny icmp
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 1 deny udp src eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 2 deny udp dst eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 3 permit 0 0
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 0 deny icmp
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 1 permit 0 0
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 2 deny 0 0 tcp syn finrst
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 3 deny udp src eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 4 deny udp dst eq 53
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 5 permit 0/0 0/0
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 6 deny udp src eq 137
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 7 deny udp src eq 138
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 8 deny udp src eq 139
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 9 deny udp dst eq 137
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 10 deny udp dst eq 138
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 11 deny udp dst eq 139
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set redial 10 4
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set phone 03854998
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authname incep
Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authkey ********
Sep 22 08:21:45 BSDincep ppp[1262]: tun0: Phase: PPP Started (auto mode).
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: bundle: Establish
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: closed -> opening
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: Connected!
Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: opening -> dial

What I see is that the packet that triggers the dialing has IP addresses
that are used for negotiating between the local and the remote system:

 set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0

And that these packets appear almost immediately after I run ppp -auto -nat myisp.

Again my question is:
Who is sending this packet and how can I filter it? Or is there another
way?

"pstapley" <pstapley@rapidnet.com> wrote:
> They are different, I will try to get to the site again. Here it is, hope it
> helps.
>
> http://www.defcon1.org/html/ppp-tips.html
>
> One problem that can exist with demand dialing was that Microsoft hosts
> sometimes do a broadcast then a DNS lookup for servers which don't exist by
> themselves about every 30mins this will always cause a modem to dial up,
> these DNS requests MS hosts send go to the DNS server port 53 UDP just like
> a normal DNS request would but one difference about them is that they come
> from source port 137-139, normal DNS traffic would have a source port
> roughly of 1080+ so it makes it easy to block those by putting this in
> /etc/ppp/ppp.conf
>
>
> set filter dial 2 deny udp src eq 137 # NetBIOS name service
> set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
> set filter dial 4 deny udp src eq 139 # NetBIOS session service
> set filter dial 5 deny udp dst eq 137 # NetBIOS name service
> set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
> set filter dial 7 deny udp dst eq 139 # NetBIOS session service
>
>
> ----- Original Message -----
> From: "Eduardo Huertas" <eduhuertas@usa.net>
> To: "pstapley" <pstapley@rapidnet.com>
> Sent: Thursday, September 21, 2000 4:02 PM
> Subject: Re: ppp -auto -nat myisp
>

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
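
Added example (not part of the original message, and not ppp's own code): a simplified Python model of ppp(8) filter evaluation, which walks the rules in rule-number order and applies the first one that matches, run against the dial filter posted above and the UDP port 137 packet from the log. The names first_match and reordered, and the reordered rule set itself, are assumptions made for illustration.

```python
# Simplified model of ppp(8) filter evaluation (added illustration).
# Covers only the rule forms in the posted ppp.conf. TCP flag keywords
# (syn, finrst) are not modelled, so only use it for UDP/ICMP packets.
PROTOS = {"icmp", "udp", "tcp"}

# Dial filter as posted; the list index is the rule number.
DIAL_RULES = ["deny icmp", "permit 0 0", "deny 0 0 tcp syn finrst",
              "deny udp src eq 53", "deny udp dst eq 53", "permit 0/0 0/0"]
DIAL_RULES += [f"deny udp {side} eq {port}"
               for side in ("src", "dst") for port in (137, 138, 139)]

def parse(rule):
    """Turn 'deny udp src eq 137' into action/proto/port constraints."""
    toks = rule.split()
    spec = {"action": toks[0], "proto": None, "src": None, "dst": None}
    i = 1
    while i < len(toks):
        if toks[i] in PROTOS:
            spec["proto"] = toks[i]
        elif toks[i] in ("src", "dst") and toks[i + 1] == "eq":
            spec[toks[i]] = int(toks[i + 2])
            i += 2
        # address tokens '0' and '0/0' mean "any" and add no constraint
        i += 1
    return spec

def first_match(rules, proto, sport, dport):
    """Return (rule number, action) of the first rule matching the packet."""
    for num, text in enumerate(rules):
        r = parse(text)
        if r["proto"] not in (None, proto):
            continue
        if r["src"] not in (None, sport) or r["dst"] not in (None, dport):
            continue
        return num, r["action"]
    return None, "deny"  # a defined rule set with no match blocks the packet

def reordered(rules):
    """Same deny rules, renumbered ahead of a single catch-all permit."""
    return [r for r in rules if r.startswith("deny")] + ["permit 0 0"]

if __name__ == "__main__":
    # Packet from the log: UDP 205.161.189.1:137 -> 205.161.189.255:137
    print("as posted:", first_match(DIAL_RULES, "udp", 137, 137))
    print("reordered:", first_match(reordered(DIAL_RULES), "udp", 137, 137))
```

In this model the logged packet is accepted by dial rule 1 (permit 0 0) before rules 6 to 11 are ever consulted; with the deny rules placed ahead of the catch-all permit, the same packet hits the "deny udp src eq 137" rule instead.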