Date: 22 Sep 00 13:23:45 CST
From: Eduardo Huertas <eduhuertas@usa.net>
To: Willem Brown <willem@brwn.org>
Cc: pstapley <pstapley@rapidnet.com>, freebsd-questions@FreeBSD.org
Subject: Re: ppp -auto -nat myisp
Message-ID: <20000922192345.8262.qmail@nw175.netaddress.usa.net>
Hi again,
And didn't work again!
These are the rules...
# If we don't want ICMP and DNS packets to keep the connection alive:
#
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 2 deny udp dst eq 53

# Blocking from nmbd process
set filter alive 3 deny udp src eq 137
set filter alive 4 deny udp src eq 138
set filter alive 5 deny udp src eq 139
set filter alive 6 permit 0 0
#
#
# And we don't want ICMPs to cause a dialup:
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
# or any TCP SYN or RST packets (badly closed TCP channels):
set filter dial 2 deny 0 0 tcp syn finrst
# DNS lookups
set filter dial 3 deny udp src eq 53
set filter dial 4 deny udp dst eq 53
set filter dial 5 permit 0/0 0/0
# DNS lookups from Windows machines
set filter dial 6 deny udp src eq 137   # NetBIOS name service
set filter dial 7 deny udp src eq 138   # NetBIOS datagram service
set filter dial 8 deny udp src eq 139   # NetBIOS session service
set filter dial 9 deny udp dst eq 137   # NetBIOS name service
set filter dial 10 deny udp dst eq 138  # NetBIOS datagram service
set filter dial 11 deny udp dst eq 139  # NetBIOS session service
And this is the log:
Sep 22 13:16:02 BSDincep ppp[1658]: tun0: Phase: PPP Started (auto mode).
Sep 22 13:16:05 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 192.168.1.100:137 ---> 205.161.189.1:137 - NO KEEPALIVE
Sep 22 13:16:15 BSDincep last message repeated 13 times
Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 192.168.1.100:137 ---> 205.161.189.1:137 - NO KEEPALIVE
Sep 22 13:16:24 BSDincep last message repeated 6 times
Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
Sep 22 13:16:24 BSDincep ppp[1658]: tun0: TCP/IP: IN UDP: 205.161.189.1:137 ---> 205.161.189.1:137 - NO KEEPALIVE
Sep 22 13:17:24 BSDincep ppp[1658]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137 - NO KEEPALIVE
Sep 22 13:17:24 BSDincep ppp[1658]: tun0: Phase: bundle: Establish
Sep 22 13:17:24 BSDincep ppp[1658]: tun0: Phase: deflink: closed -> opening
Sep 22 13:17:24 BSDincep ppp[1658]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137 - NO KEEPALIVE
Sep 22 13:17:24 BSDincep ppp[1658]: tun0: Phase: deflink: Connected!
I really appreciate your help!
Willem Brown <willem@brwn.org> wrote:
> Hi,
>
> On Fri, Sep 22, 2000 at 11:43:14AM -0600, Eduardo Huertas wrote:
> > Hi,
> > Thank you for your suggestion, but it still doesn't work :(
> >
> > Now I have these rules:
> >
> > # If we don't want ICMP and DNS packets to keep the connection alive:
> > #
> > set filter alive 0 deny icmp
> > set filter alive 1 deny udp src eq 53
> > set filter alive 2 deny udp dst eq 53
> > set filter alive 3 permit 0 0
> >
> > # Blocking from nmbd process
> > set filter alive 4 deny udp src eq 137
> > set filter alive 5 deny udp src eq 138
> > set filter alive 6 deny udp src eq 139
>
> These rules should be inserted before the "set filter alive 3 permit" rule.
>
> > #
> > #
> > # And we don't want ICMPs to cause a dialup:
> > set filter dial 0 deny icmp
> > set filter dial 1 permit 0 0
> >
> > # or any TCP SYN or RST packets (badly closed TCP channels):
> > set filter dial 2 deny 0 0 tcp syn finrst
> > # DNS lookups
> > set filter dial 3 deny udp src eq 53
> > set filter dial 4 deny udp dst eq 53
> > set filter dial 5 permit 0/0 0/0
> >
> > # DNS lookups from Windows machines
> > set filter dial 6 deny udp src eq 137   # NetBIOS name service
> > set filter dial 7 deny udp src eq 138   # NetBIOS datagram service
> > set filter dial 8 deny udp src eq 139   # NetBIOS session service
> > set filter dial 9 deny udp dst eq 137   # NetBIOS name service
> > set filter dial 10 deny udp dst eq 138  # NetBIOS datagram service
> > set filter dial 11 deny udp dst eq 139  # NetBIOS session service
> >
> > -edu-
> >
> > Willem Brown <willem@brwn.org> wrote:
> > > Hi,
> > >
> > > On Fri, Sep 22, 2000 at 07:05:43PM +0200, Willem Brown wrote:
> > > > Hi,
> > > >
> > > > Those packets are sent by the nmbd process, netbios name server, and
> > > > it is part of the samba server. To block them, add rules for
> > > > port 137,138 and 139 just like the ones you have to stop dns chatter
> > > > (port 54) from bringing the line up. BTW.
> > > --------^^
> > > This should be 53, sorry.
> > >
> > > >
> > > > set filter alive 3 deny udp src eq 137
> > > > .
> > > > .
> > > > .
> > > >
> > > >
> > > > On Fri, Sep 22, 2000 at 09:07:34AM -0600, Eduardo Huertas wrote:
> > > > > Hi Pete
> > > > >
> > > > > I wrote those filters but it didn't work out. Below is the default
> > > > > section of ppp.conf:
> > > > >
> > > > > default:
> > > > > set log Phase Chat LCP IPCP CCP tun command
> > > > > set log +tcp/ip
> > > > > set device /dev/cuaa0
> > > > > set speed 115200
> > > > > disable lqr
> > > > > deny lqr
> > > > > set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
> > > > > OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
> > > > > set timeout 300
> > > > > set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> > > > > add default HISADDR
> > > > > set reconnect 3 20
> > > > > allow users eduardo
> > > > > set server +3000 diagnostico
> > > > > #
> > > > > # If we don't want ICMP and DNS packets to keep the connection alive:
> > > > > #
> > > > > set filter alive 0 deny icmp
> > > > > set filter alive 1 deny udp src eq 53
> > > > > set filter alive 2 deny udp dst eq 53
> > > > > set filter alive 3 permit 0 0
> > > > > #
> > > > > #
> > > > > # And we don't want ICMPs to cause a dialup:
> > > > > set filter dial 0 deny icmp
> > > > > set filter dial 1 permit 0 0
> > > > >
> > > > > # or any TCP SYN or RST packets (badly closed TCP channels):
> > > > > set filter dial 2 deny 0 0 tcp syn finrst
> > > > > # DNS lookups
> > > > > set filter dial 3 deny udp src eq 53
> > > > > set filter dial 4 deny udp dst eq 53
> > > > > set filter dial 5 permit 0/0 0/0
> > > > >
> > > > > # DNS lookups from Windows machines
> > > > > set filter dial 6 deny udp src eq 137   # NetBIOS name service
> > > > > set filter dial 7 deny udp src eq 138   # NetBIOS datagram service
> > > > > set filter dial 8 deny udp src eq 139   # NetBIOS session service
> > > > > set filter dial 9 deny udp dst eq 137   # NetBIOS name service
> > > > > set filter dial 10 deny udp dst eq 138  # NetBIOS datagram service
> > > > > set filter dial 11 deny udp dst eq 139  # NetBIOS session service
> > > > >
> > > > > And here is the log of the unexpected dialing:
> > > > >
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 0 deny icmp
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 1 deny udp src eq 53
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 2 deny udp dst eq 53
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter alive 3 permit 0 0
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 0 deny icmp
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 1 permit 0 0
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 2 deny 0 0 tcp syn finrst
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 3 deny udp src eq 53
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 4 deny udp dst eq 53
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 5 permit 0/0 0/0
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 6 deny udp src eq 137
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 7 deny udp src eq 138
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 8 deny udp src eq 139
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 9 deny udp dst eq 137
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 10 deny udp dst eq 138
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: default: set filter dial 11 deny udp dst eq 139
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set redial 10 4
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set phone 03854998
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authname incep
> > > > > Sep 22 08:21:45 BSDincep ppp[1261]: tun0: Command: quik: set authkey ********
> > > > > Sep 22 08:21:45 BSDincep ppp[1262]: tun0: Phase: PPP Started (auto mode).
> > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: DIAL UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: bundle: Establish
> > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: closed -> opening
> > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: TCP/IP: OUT UDP: 205.161.189.1:137 ---> 205.161.189.255:137
> > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: Connected!
> > > > > Sep 22 08:22:16 BSDincep ppp[1262]: tun0: Phase: deflink: opening -> dial
> > > > >
> > > > > What I see is that the packet that triggers the dialing has IP addresses
> > > > > that are used for negotiating between the local and the remote system:
> > > > >
> > > > > set ifaddr 205.161.189.1/0 205.161.189.2/0 255.255.255.0
> > > > >
> > > > > And that these packets appear almost immediately after I run
> > > > > ppp -auto -nat myisp.
> > > > >
> > > > > Again my question is:
> > > > >
> > > > > Who is sending this packet and how can I filter it? Or is there another way?
> > > > >
> > > > >
> > > > > "pstapley" <pstapley@rapidnet.com> wrote:
> > > > > > They are different, I will try to get to the site again. Here it is,
> > > > > > hope it helps.
> > > > > >
> > > > > > http://www.defcon1.org/html/ppp-tips.html
> > > > > >
> > > > > > One problem that can exist with demand dialing was that Microsoft hosts
> > > > > > sometimes do a broadcast then a DNS lookup for servers which don't exist
> > > > > > by themselves about every 30 mins; this will always cause a modem to
> > > > > > dial up. These DNS requests MS hosts send go to the DNS server port 53
> > > > > > UDP just like a normal DNS request would, but one difference about them
> > > > > > is that they come from source port 137-139; normal DNS traffic would have
> > > > > > a source port of roughly 1080+, so it makes it easy to block those by
> > > > > > putting this in /etc/ppp/ppp.conf
> > > > > >
> > > > > >
> > > > > > set filter dial 2 deny udp src eq 137 # NetBIOS name service
> > > > > > set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
> > > > > > set filter dial 4 deny udp src eq 139 # NetBIOS session service
> > > > > > set filter dial 5 deny udp dst eq 137 # NetBIOS name service
> > > > > > set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
> > > > > > set filter dial 7 deny udp dst eq 139 # NetBIOS session service
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Eduardo Huertas" <eduhuertas@usa.net>
> > > > > > To: "pstapley" <pstapley@rapidnet.com>
> > > > > > Sent: Thursday, September 21, 2000 4:02 PM
> > > > > > Subject: Re: ppp -auto -nat myisp
> > > > > >
> > > > >
> > > > Best Regards
> > > > Willem Brown
> > > > --
> > > > /* ===================================================== */
> > > > /* Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours. */
> > > > /* ===================================================== */
> > > >
> > > > Another dream that failed. There's nothing sadder.
> > > > -- Kirk, "This side of Paradise", stardate 3417.3
> > > >
> > >
> > > Best Regards
> > > Willem Brown
> > > --
> > > /* ===================================================== */
> > > /* Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours. */
> > > /* ===================================================== */
> > >
> > > Power is danger.
> > > -- The Centurion, "Balance of Terror", stardate 1709.2
> > >
>
> Best Regards
> Willem Brown
> --
> /* ===================================================== */
> /* Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours. */
> /* ===================================================== */
>
> Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
> Civilization?
> Gandhi: I think it would be a good idea.
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000922192345.8262.qmail>
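Added example (editor's, not code from this thread or from ppp itself): a short Python simulation of how ppp(8) walks a dial filter, run against the dial rules Eduardo posted and the packet that brought the line up in his log, nmbd's broadcast from 205.161.189.1:137 to 205.161.189.255:137. It shows what the log line cannot: rule 1, `permit 0 0`, matches every packet, so rules 2 to 11, the DNS and NetBIOS denies included, are never consulted; the second alive filter posted in the thread (NetBIOS rules 4-6 after `permit` at rule 3) has the same shape, which is the point Willem made. Assumptions, since this is a model and not ppp: the parser accepts only the rule forms used in this thread (`action [src dst] [proto] [src|dst eq PORT] [syn] [finrst]`), addresses are treated as wildcards, rules are tried in numeric order and the first match decides, a filter that has rules but matches none of them denies, and each TCP flag word is a required condition. `deny_first()` is my suggested reordering, not a configuration anyone in the thread posted.

```python
"""ppp(8) dial-filter simulation: rules run in numeric order, first match decides.
Added example, not code from this thread or from ppp; see the lead-in for the assumptions."""
from collections import namedtuple
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

PROTOS = {"udp", "tcp", "icmp"}
FLAGS = {"syn", "finrst", "estab"}          # TCP flag words; each one listed is required

@dataclass(frozen=True)
class Rule:
    num: int
    action: str             # "permit" or "deny"
    proto: str              # "any", "udp", "tcp" or "icmp"
    sport: Optional[int]    # "src eq PORT"; only "eq" is modelled
    dport: Optional[int]    # "dst eq PORT"
    flags: FrozenSet[str]

# A packet as ppp sees it on tun0; addresses are carried but not filtered on (assumption).
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])

def parse_rules(conf: str, name: str) -> List[Rule]:
    """Parse 'set filter <name> N action [src dst] [proto] [tests...]' lines;
    re-using a rule number replaces the earlier rule, as in ppp."""
    rules = {}
    for raw in conf.splitlines():
        toks = raw.split("#", 1)[0].split()            # drop trailing comments
        if len(toks) < 5 or toks[:2] != ["set", "filter"] or toks[2] != name:
            continue
        num, action, rest = int(toks[3]), toks[4], toks[5:]
        if rest and rest[0] not in PROTOS | FLAGS | {"src", "dst"}:
            rest = rest[2:]                            # skip the "0 0" / "0/0 0/0" pair
        proto = "any"
        if rest and rest[0] in PROTOS:
            proto, rest = rest[0], rest[1:]
        sport = dport = None
        flags = set()
        while rest:
            if rest[0] in ("src", "dst") and rest[1:2] == ["eq"] and len(rest) > 2:
                port = int(rest[2])
                sport, dport = (port, dport) if rest[0] == "src" else (sport, port)
                rest = rest[3:]
            elif rest[0] in FLAGS:
                flags.add(rest.pop(0))
            else:
                raise ValueError("unsupported filter syntax: " + raw.strip())
        rules[num] = Rule(num, action, proto, sport, dport, frozenset(flags))
    return [rules[n] for n in sorted(rules)]

def covers(rule: Rule, proto, sport, dport, flags) -> bool:
    """True if every packet with these fields matches the rule."""
    return (rule.proto in ("any", proto) and rule.sport in (None, sport)
            and rule.dport in (None, dport) and rule.flags <= flags)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """(action, rule number) of the first match; no rules at all permits, rules but no match denies."""
    for rule in rules:
        if covers(rule, pkt.proto, pkt.sport, pkt.dport, pkt.flags):
            return rule.action, rule.num
    return ("permit", None) if not rules else ("deny", None)

def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(rule, earlier rule) pairs where an earlier rule is at least as broad, so the later one is dead."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later.proto, later.sport, later.dport, later.flags):
                out.append((later.num, earlier.num))
                break
    return out

def deny_first(rules: List[Rule]) -> List[Rule]:
    """Suggested fix (mine, not from the thread): every deny in its original order, renumbered
    from 0, then a single catch-all permit as the last rule."""
    denies = [replace(r, num=i) for i, r in enumerate(r for r in rules if r.action == "deny")]
    return denies + [Rule(len(denies), "permit", "any", None, None, frozenset())]

# Dial filter as posted in the thread: the catch-all at rule 1 hides rules 2-11.
POSTED_DIAL = """
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
set filter dial 2 deny 0 0 tcp syn finrst
set filter dial 3 deny udp src eq 53
set filter dial 4 deny udp dst eq 53
set filter dial 5 permit 0/0 0/0
set filter dial 6 deny udp src eq 137   # NetBIOS name service
set filter dial 7 deny udp src eq 138   # NetBIOS datagram service
set filter dial 8 deny udp src eq 139   # NetBIOS session service
set filter dial 9 deny udp dst eq 137
set filter dial 10 deny udp dst eq 138
set filter dial 11 deny udp dst eq 139
"""

# The packet from the log that brought the line up: nmbd's broadcast on tun0.
NMBD_BROADCAST = Packet("udp", "205.161.189.1", 137, "205.161.189.255", 137)

if __name__ == "__main__":
    posted = parse_rules(POSTED_DIAL, "dial")
    print("posted:", evaluate(posted, NMBD_BROADCAST), "shadowed:", shadowed(posted))
    print("fixed: ", evaluate(deny_first(posted), NMBD_BROADCAST))
```

Run as-is it reports the posted set permitting the broadcast at rule 1 with rules 2 to 11 flagged as shadowed, and the reordered set denying it at its rule 4 (`deny udp src eq 137`). The reordered set is just the posted denies in their original order followed by one `permit 0 0`; the check worth carrying over to a real ppp.conf is that `permit 0 0` or `permit 0/0 0/0` is the last rule of each filter, because ppp's `set log +tcp/ip` output (used in the thread) names the packet that dialled but never the rule that let it through.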
