netbios-ns packets

Post by Mike Schopp » Sun, 26 Mar 2000 04:00:00



I have been noticing quite a few netbios-ns packets being rejected by
my firewall. Some of which are originating from private class A
addresses. See the log entry below.

Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

I also receive netbios-ns packets from legitimate addresses as well.

I am very curious as to why I am seeing them at all. I have long held
the opinion that netbios-ns should be restricted to an isolated network
and not proliferated to the internet. Is that a generally accepted
practice or just my idealism showing?

With regard to the private class A addresses, I was under the impression
that they were intended for use on a private network whose internet
bound traffic would be masqueraded by either a proxy or a firewall.

Can anyone give me a quick education on this or point me to a practical
explanation?

TIA,
Mike Schoppe
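As an added example (not code from the thread or from any of its posters), the script below parses ipchains "Packet log" kernel messages of the form quoted above and flags the two things the question is about: RFC 1918 sources arriving on the Internet-facing ppp0 interface (which should never happen on a properly masqueraded network) and UDP traffic on the NetBIOS ports 137-139. The interface name ppp0 and the first log line are taken from the post; the other sample lines, the finding tags and the function names are constructed for this example.

```python
"""Classify ipchains 'Packet log' lines from a 2.2-series kernel syslog."""
import ipaddress
import re

# Field layout of the log line quoted in the post:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... (#rule)
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# RFC 1918 ranges: legitimate only inside a site, never as a source on the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NetBIOS over TCP/IP service ports (UDP 137/138, TCP 139).
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Assumption: ppp0 is the dial-up link to the ISP, as in the post.
EXTERNAL_IFACES = {"ppp0"}

# Constructed sample log. The first line is the one quoted in the post; the rest are
# made up (198.51.100.0/24 is a documentation range) to exercise each classification path.
SAMPLE_LOG = """\
Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17 10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)
Mar 24 17:42:01 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17 198.51.100.23:137 63.224.240.70:137 L=78 S=0x00 I=411 F=0x0000 T=120 (#35)
Mar 24 17:42:30 ns1 kernel: Packet log: input REJECT ppp0 PROTO=6 192.168.77.5:1034 63.224.240.70:23 L=60 S=0x00 I=412 F=0x4000 T=64 (#40)
Mar 24 17:43:10 ns1 kernel: Packet log: forward DENY eth1 PROTO=17 192.168.1.20:138 192.168.1.255:138 L=229 S=0x00 I=413 F=0x0000 T=128 (#12)
Mar 24 17:43:12 ns1 named[201]: lame server resolving 'example.invalid'
"""


def parse_packet_log(line):
    """Return a dict of fields for an ipchains packet-log line, or None for other syslog lines."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def is_private(addr):
    """True if addr lies in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def classify(entry):
    """Return the list of finding tags that apply to one parsed entry."""
    findings = []
    # A private source on the external link is either spoofed or leaked by an
    # upstream network that is not masquerading; either way it is not routable back.
    if entry["iface"] in EXTERNAL_IFACES and is_private(entry["src"]):
        findings.append("private-source-on-external")
    # NetBIOS name/datagram service runs over UDP; flag it by destination port.
    if entry["proto"] == 17 and entry["dport"] in NETBIOS_PORTS:
        findings.append(NETBIOS_PORTS[entry["dport"]])
    return findings


def analyze(log_text):
    """Parse every packet-log line in log_text and attach findings; other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        entry = parse_packet_log(line)
        if entry is None:
            continue
        entry["findings"] = classify(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f'{r["chain"]:8}{r["iface"]:6}{r["src"]:>16} -> {r["dst"]:<16} {", ".join(r["findings"]) or "-"}')
```

Note that the interface check is what separates the two cases Tom describes: a 192.168 source on the internal eth1 side of the forward chain is normal LAN chatter, while the same source on ppp0 can only be a leak or a spoof, which is why the script tags only the latter.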


netbios-ns packets

Post by Tom East » Sun, 26 Mar 2000 04:00:00



>I have been noticing quite a few netbios-ns packets being rejected by
>my firewall. Some of which are originating from private class A
>addresses. See the log entry below.

>Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
>10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

>I also receive netbios-ns packets from legitimate addresses as well.

>I am very curious as to why I am seeing them at all. I have long held
>the opinion that netbios-ns should be restricted to an isolated network
>and not proliferated to the internet. Is that a generally accepted
>practice or just my idealism showing?

If you have M$ boxes on a network, you are going to see these packets. My
firewall (seawall.sourceforge.net) simply DENYs them without logging them.
I also drop them from the forwarding chain so my firewall doesn't pass
them from my internal network out to my DSL subnet.

>With regard to the private class A addresses, I was under the impression
>that they were intended for use on a private network whose internet
>bound traffic would be masqueraded by either a proxy or a firewall.

>Can anyone give me a quick education on this or point me to a practical
>explanation?

People routinely do dumb things. In this case, someone on your subnetwork
probably has a gateway system with two NICs and only one hub/switch.
Rather than using a crossover cable to connect the external NIC to the
cable/DSL modem, the person has both interfaces, all local systems AND the
cable/DSL modem connected to the one hub or switch.

Alternatively, the person may have only one NIC in their gateway and has
it configured with both an internal 10.0.0.0/8 address and their external
address; again, all systems plus the cable/DSL modem are connected to a
single hub/switch.

In either case, all of their local traffic is available on your cable/DSL
subnetwork. Your cable/DSL modem acts like a bridge so it will pass all
broadcast traffic and any unicast traffic addressed to a MAC that it has
learned (by traffic monitoring) belongs to a device connected to it.

-Tom
--
Tom Eastep             \  Eastep's First Principle of Computing:
ICQ #60745924           \  "Any sane computer will tell you how it

Shoreline, Washington USA \___________________________________________


netbios-ns packets

Post by Mike Schopp » Sun, 26 Mar 2000 04:00:00


Thanks for the response. Notice however, the class A addresses are on
the input chain to my ppp0 interface. These guys are roaming the
internet. I am personally using one of the 192.168 class C subnets for
my internal private network. I am rejecting these packets at the ppp0
interface without exception.

Mike Schoppe



> >I have been noticing quite a few netbios-ns packets being rejected by
> >my firewall. Some of which are originating from private class A
> >addresses. See the log entry below.

> >Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
> >10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

> >I also receive netbios-ns packets from legitimate addresses as well.

> >I am very curious as to why I am seeing them at all. I have long held
> >the opinion that netbios-ns should be restricted to an isolated network
> >and not proliferated to the internet. Is that a generally accepted
> >practice or just my idealism showing?

> If you have M$ boxes on a network, you are going to see these packets. My
> firewall (seawall.sourceforge.net) simply DENYs them without logging them.
> I also drop them from the forwarding chain so my firewall doesn't pass
> them from my internal network out to my DSL subnet.

> >With regard to the private class A addresses, I was under the impression
> >that they were intended for use on a private network whose internet
> >bound traffic would be masqueraded by either a proxy or a firewall.

> >Can anyone give me a quick education on this or point me to a practical
> >explanation?

> People routinely do dumb things. In this case, someone on your subnetwork
> probably has a gateway system with two NICs and only one hub/switch.
> Rather than using a crossover cable to connect the external NIC to the
> cable/DSL modem, the person has both interfaces, all local systems AND the
> cable/DSL modem connected to the one hub or switch.

> Alternatively, the person may have only one NIC in their gateway and has
> it configured with both an internal 10.0.0.0/8 address and their external
> address; again, all systems plus the cable/DSL modem are connected to a
> single hub/switch.

> In either case, all of their local traffic is available on your cable/DSL
> subnetwork. Your cable/DSL modem acts like a bridge so it will pass all
> broadcast traffic and any unicast traffic addressed to a MAC that it has
> learned (by traffic monitoring) belongs to a device connected to it.

> -Tom
> --
> Tom Eastep             \  Eastep's First Principle of Computing:
> ICQ #60745924           \  "Any sane computer will tell you how it

> Shoreline, Washington USA \___________________________________________


netbios-ns packets

Post by Tom East » Sun, 26 Mar 2000 04:00:00



>Thanks for the response. Notice however, the class A addresses are on
>the input chain to my ppp0 interface. These guys are roaming the
>internet. I am personally using one of the 192.168 class C subnets for
>my internal private network. I am rejecting these packets at the ppp0
>interface without exception.

No -- it means they are roaming the ppp server that you are talking to.

-Tom

--
Tom Eastep             \  Eastep's First Principle of Computing:
ICQ #60745924           \  "Any sane computer will tell you how it

Shoreline, Washington USA \___________________________________________


netbios-ns packets

Post by Andy Guiber » Sun, 26 Mar 2000 04:00:00


Mike,

You are rightfully doing so. I too am a strong believer in keeping the netbios &
smb protocols on LANs, where they belong.

Andy


> Thanks for the response. Notice however, the class A addresses are on
> the input chain to my ppp0 interface. These guys are roaming the
> internet. I am personally using one of the 192.168 class C subnets for
> my internal private network. I am rejecting these packets at the ppp0
> interface without exception.

> Mike Schoppe



> > >I have been noticing quite a few netbios-ns packets being rejected by
> > >my firewall. Some of which are originating from private class A
> > >addresses. See the log entry below.

> > >Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
> > >10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

> > >I also receive netbios-ns packets from legitimate addresses as well.

> > >I am very curious as to why I am seeing them at all. I have long held
> > >the opinion that netbios-ns should be restricted to an isolated network
> > >and not proliferated to the internet. Is that a generally accepted
> > >practice or just my idealism showing?

> > If you have M$ boxes on a network, you are going to see these packets. My
> > firewall (seawall.sourceforge.net) simply DENYs them without logging them.
> > I also drop them from the forwarding chain so my firewall doesn't pass
> > them from my internal network out to my DSL subnet.

> > >With regard to the private class A addresses, I was under the impression
> > >that they were intended for use on a private network whose internet
> > >bound traffic would be masqueraded by either a proxy or a firewall.

> > >Can anyone give me a quick education on this or point me to a practical
> > >explanation?

> > People routinely do dumb things. In this case, someone on your subnetwork
> > probably has a gateway system with two NICs and only one hub/switch.
> > Rather than using a crossover cable to connect the external NIC to the
> > cable/DSL modem, the person has both interfaces, all local systems AND the
> > cable/DSL modem connected to the one hub or switch.

> > Alternatively, the person may have only one NIC in their gateway and has
> > it configured with both an internal 10.0.0.0/8 address and their external
> > address; again, all systems plus the cable/DSL modem are connected to a
> > single hub/switch.

> > In either case, all of their local traffic is available on your cable/DSL
> > subnetwork. Your cable/DSL modem acts like a bridge so it will pass all
> > broadcast traffic and any unicast traffic addressed to a MAC that it has
> > learned (by traffic monitoring) belongs to a device connected to it.

> > -Tom
> > --
> > Tom Eastep             \  Eastep's First Principle of Computing:
> > ICQ #60745924           \  "Any sane computer will tell you how it

> > Shoreline, Washington USA \___________________________________________

--
Andy Guibert - Linux/Unix Systems Administrator
"May the source be with you, Luke."
-------------------------------------------------
Remove the "nojunk" from my addy when responding.

Netbios-ns Packets...Machine Can't Pass Data Through Firewall

I have a Window Millennium machine on my internal network that can't connect
through my ipchains firewall.  It has an IP of 192.168.0.5, it uses
192.168.0.1 as the gateway.  On the firewall box, eth1's IP is 192.168.0.1.
They both use 255.255.255.0 as the subnet.  The only protocol on the WinMe
machine that is currently installed is tcp/ip.

I can ping from 192.168.0.5 to 192.168.0.1 without any problems.  But, if I
try to open something like internet explorer, tcpdump starts showing
messages like the one below.

21:30:26.331527 eth1 B 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns:NBT
UDP PACKET(137): QUERY; REQUEST; BROADCAST

Being a novice, can anyone help me decipher what it means and possibly a
solution.

Thanks very much,

Alan
