Date:      Fri, 22 Sep 2000 19:05:43 +0200
From:      Willem Brown <willem@brwn.org>
To:        Eduardo Huertas <eduhuertas@usa.net>
Cc:        pstapley <pstapley@rapidnet.com>, freebsd-questions@FreeBSD.org
Subject:   Re: ppp -auto -nat myisp
Message-ID:  <20000922190543.R50534@snoopy.brwn.org>
In-Reply-To: <20000922150735.23364.qmail@nwcst312.netaddress.usa.net>; from eduhuertas@usa.net on Fri, Sep 22, 2000 at 09:07:34AM -0600
References:  <20000922150735.23364.qmail@nwcst312.netaddress.usa.net>

Hi,

Those packets are sent by the nmbd process, netbios name server, and
it is part of the samba server.  To block them, add rules for
port 137,138 and 139 just like the ones you have to stop dns chatter
(port 54) from bringing the line up. BTW.

set filter alive 3 deny udp src eq 137
.
.
.


On Fri, Sep 22, 2000 at 09:07:34AM -0600, Eduardo Huertas wrote:
> Hi Pete
> 
> I wrote those filters but they didn't work out.  Below is the default section of
> ppp.conf:
> 
> default:
>  set log Phase Chat LCP IPCP CCP tun command
>  set log +tcp/ip
>  set device /dev/cuaa0
>  set speed 115200
>  disable lqr
>  deny lqr
>  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
>            OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
>  set timeout 300
>  set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
>  add default HISADDR
>  set reconnect 3 20
>  allow users eduardo
>  set server +3000 diagnostico
> #
> # If we don't want ICMP and DNS packets to keep the connection alive:
> #
>     set filter alive 0 deny icmp
>     set filter alive 1 deny udp src eq 53
>     set filter alive 2 deny udp dst eq 53
>     set filter alive 3 permit 0 0
> #
> #
> # And we don't want ICMPs to cause a dialup:
>     set filter dial 0 deny icmp
>     set filter dial 1 permit 0 0
> 
> # or any TCP SYN or RST packets (badly closed TCP channels):
>      set filter dial 2 deny 0 0 tcp syn finrst
> # DNS lookups
>      set filter dial 3 deny udp src eq 53
>      set filter dial 4 deny udp dst eq 53
>      set filter dial 5 permit 0/0 0/0
> 
> # DNS lookups from Windows machines
>      set filter dial 6 deny udp src eq 137 # NetBIOS name service 
>      set filter dial 7 deny udp src eq 138 # NetBIOS datagram service 
>      set filter dial 8 deny udp src eq 139 # NetBIOS session service 
>      set filter dial 9 deny udp dst eq 137 # NetBIOS name service 
>      set filter dial 10 deny udp dst eq 138 # NetBIOS datagram service 
>      set filter dial 11 deny udp dst eq 139 # NetBIOS session service 
> 
> And here is the log of the unexpectedly dialing:
> 
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 0
> deny icmp
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 1
> deny udp src eq 53
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 2
> deny udp dst eq 53
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 3
> permit 0 0
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 0
> deny icmp
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 1
> permit 0 0
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 2
> deny 0 0 tcp syn finrst
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 3
> deny udp src eq 53
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 4
> deny udp dst eq 53
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 5
> permit 0/0 0/0
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 6
> deny udp src eq 137
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 7
> deny udp src eq 138
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 8
> deny udp src eq 139
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 9
> deny udp dst eq 137
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 10
> deny udp dst eq 138
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 11
> deny udp dst eq 139
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set redial 10 4
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set phone 03854998
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authname incep
> Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authkey ********
> Sep 22 08:21:45 BSDincep ppp[1262]: tun0: Phase: PPP Started (auto mode).
> Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137
> ---> 205.161.189.255:137
> Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: bundle: Establish
> Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: closed -> opening
> Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137
> ---> 205.161.189.255:137
> Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: Connected!
> Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: opening -> dial 
> 
> What I see is that the packet that triggers the dialing has ip addresses that
> are used for negotiating between the local and the remote system:
> 
> set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> 
> And that these packets appear almost immediately after I run ppp -auto -nat myisp.
> 
> Again my question is:
> 
> Who is sending this packet and how can I filter it? or is there another way?
> 
> 
> 
> "pstapley" <pstapley@rapidnet.com> wrote:
> > They are different, I will try to get to the site again. Here it is, hope it
> > helps.
> > 
> > http://www.defcon1.org/html/ppp-tips.html
> > 
> > One problem that can exist with demand dialing was that Microsoft hosts
> > sometimes do a broadcast then a DNS lookup for servers which don't exist by
> > themselves about every 30mins this will always cause a modem to dial up,
> > these DNS requests MS hosts send go to the DNS server port 53 UDP just like
> > a normal DNS request would but one difference about them is that they come
> > from source port 137-139, normal DNS traffic would have a source port
> > roughly of 1080+ so it makes it easy to block those by putting this in
> > /etc/ppp/ppp.conf
> > 
> > 
> > set filter dial 2 deny udp src eq 137 # NetBIOS name service
> > set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
> > set filter dial 4 deny udp src eq 139 # NetBIOS session service
> > set filter dial 5 deny udp dst eq 137 # NetBIOS name service
> > set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
> > set filter dial 7 deny udp dst eq 139 # NetBIOS session service
> > 
> > 
> > ----- Original Message -----
> > From: "Eduardo Huertas" <eduhuertas@usa.net>
> > To: "pstapley" <pstapley@rapidnet.com>
> > Sent: Thursday, September 21, 2000 4:02 PM
> > Subject: Re: ppp -auto -nat myisp
> > 
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

Best Regards
Willem Brown
-- 
 /* =============================================================== */
 /*      Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours.      */
 /* =============================================================== */

Another dream that failed.  There's nothing sadder.
		-- Kirk, "This side of Paradise", stardate 3417.3
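
A simplified model of how ppp(8) walks a filter set, added here as an example and not part of the original message: it assumes rules are tried in rule-number order and the first match decides, then checks the dial packet from the quoted log (UDP port 137 to port 137) against the posted dial filter and against a constructed variant with the catch-all permit moved last. The names `parse`, `decide`, `POSTED` and `REORDERED` are chosen for this example.

```python
import re
# Dial filter as quoted in the message above (trailing comments trimmed).
POSTED = """\
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
set filter dial 2 deny 0 0 tcp syn finrst
set filter dial 3 deny udp src eq 53
set filter dial 4 deny udp dst eq 53
set filter dial 5 permit 0/0 0/0
set filter dial 6 deny udp src eq 137
set filter dial 7 deny udp src eq 138
set filter dial 8 deny udp src eq 139
set filter dial 9 deny udp dst eq 137
set filter dial 10 deny udp dst eq 138
set filter dial 11 deny udp dst eq 139
"""
# Constructed variant: same kind of rules, catch-all permit moved to the end.
REORDERED = """\
set filter dial 0 deny icmp
set filter dial 1 deny udp src eq 53
set filter dial 2 deny udp dst eq 53
set filter dial 3 deny udp src eq 137
set filter dial 4 deny udp dst eq 137
set filter dial 5 permit 0/0 0/0
"""

def parse(text):
    """Parse the 'set filter' subset used in this thread (TCP flags not modelled)."""
    rules = []
    for m in re.finditer(r"set filter (\w+) (\d+) (permit|deny)(.*)", text):
        words = [w for w in m.group(4).split() if w not in ("0", "0/0")]  # any host
        rule = {"set": m.group(1), "no": int(m.group(2)), "action": m.group(3),
                "proto": words[0] if words else None, "src": None, "dst": None}
        for i, w in enumerate(words):
            if w in ("src", "dst") and words[i + 1] == "eq":
                rule[w] = int(words[i + 2])
        rules.append(rule)
    return rules

def decide(text, name, proto, sport, dport):
    """Assumption: first matching rule wins; no match at all means deny."""
    for r in sorted(parse(text), key=lambda r: r["no"]):
        if r["set"] == name and r["proto"] in (None, proto) \
                and r["src"] in (None, sport) and r["dst"] in (None, dport):
            return r["action"], r["no"]
    return "deny", None

if __name__ == "__main__":  # packet from the quoted log: UDP :137 ---> :137
    for cfg in (POSTED, REORDERED):
        print(decide(cfg, "dial", "udp", 137, 137))
```

Under that assumption the posted set permits the packet at rule 1, before any of the NetBIOS deny rules is reached, which is consistent with the `DIAL UDP` line in the quoted log.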


