Very Computer

by **Mike Schopp** » Sun, 26 Mar 2000 04:00:00

I have been noticing quite a few netbios-ns packets being rejected by
my firewall. Some of which are originating from private class A
addresses. See the log entry below.

Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

I also receive netbios-ns packets from legitimate addresses as well.

I am very curious as to why I am seeing them at all. I have long held
the opinion that netbios-ns should be restricted to an isolated network
and not proliferated to the internet. Is that a generally accepted
practice or just my idealism showing?

With regard to the private class A addresses, I was under the impression
that they were intended for use on a private network whose internet
bound traffic would be masqueraded by either a proxy or a firewall.

Can anyone give me a quick education on this or point me to a practical
explanation?

TIA,
Mike Schoppe

by **Tom East** » Sun, 26 Mar 2000 04:00:00

>I have been noticing quite a few netbios-ns packets being rejected by
>my firewall. Some of which are originating from private class A
>addresses. See the log entry below.

>Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
>10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

>I also receive netbios-ns packets from legitimate addresses as well.

>I am very curious as to why I am seeing them at all. I have long held
>the opinion that netbios-ns should be restricted to an isolated network
>and not proliferated to the internet. Is that a generally accepted
>practice or just my idealism showing?

If you have M$ boxes on a network, you are going to see these packets. My
firewall (seawall.sourceforge.net) simply DENYs them without logging them.
I also drop them from the forwarding chain so my firewall doesn't pass
them from my internal network out to my DSL subnet.

Quote:>With regard to the private class A addresses, I was under the impression
>that they were intended for use on a private network whose internet
>bound traffic would be masqueraded by either a proxy or a firewall.

>Can anyone give me a quick education on this or point me to a practical
>explanation?

People routinely do dumb things. In this case, someone on your subnetwork
probably has a gateway system with two NICs and only one hub/switch.
Rather than using a crossover cable to connect the external NIC to the
cable/DSL modem, the person has both interfaces, all local systems AND the
cable/DSL modem connected to the one hub or switch.

Alternatively, the person may have only one NIC in their gateway and has
it configured with both an internall 10.0.0.0/8 address and their external
address; again, all systems plus the cable/DSL modem are connected to a
single hub/switch.

In either case, all of their local traffic is available on your cable/DSL
subnetwork. Your cable/DSL modem acts like a bridge so it will pass all
broadcast traffic and any unicast traffic addressed to a MAC that it has
learned (by traffic monitoring) belongs to a device connected to it.

-Tom
--
Tom Eastep \ Eastep's First Principle of Computing:
ICQ #60745924 \ "Any sane computer will tell you how it

Shoreline, Washington USA \___________________________________________

by **Mike Schopp** » Sun, 26 Mar 2000 04:00:00

Thanks for the response. Notice however, the class A addresses are on
the input chain to my ppp0 interface. These guys are roaming the
internet. I am personally using one of the 192.168 class C subnets for
my internal private network. I am rejecting these packets at the ppp0
interface without exception.

Mike Schoppe

> >I have been noticing quite a few netbios-ns packets being rejected by
> >my firewall. Some of which are originating from private class A
> >addresses. See the log entry below.

> >Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
> >10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

> >I also receive netbios-ns packets from legitimate addresses as well.

> >I am very curious as to why I am seeing them at all. I have long held
> >the opinion that netbios-ns should be restricted to an isolated network
> >and not proliferated to the internet. Is that a generally accepted
> >practice or just my idealism showing?

> If you have M$ boxes on a network, you are going to see these packets. My
> firewall (seawall.sourceforge.net) simply DENYs them without logging them.
> I also drop them from the forwarding chain so my firewall doesn't pass
> them from my internal network out to my DSL subnet.

> >With regard to the private class A addresses, I was under the impression
> >that they were intended for use on a private network whose internet
> >bound traffic would be masqueraded by either a proxy or a firewall.

> >Can anyone give me a quick education on this or point me to a practical
> >explanation?

> People routinely do dumb things. In this case, someone on your subnetwork
> probably has a gateway system with two NICs and only one hub/switch.
> Rather than using a crossover cable to connect the external NIC to the
> cable/DSL modem, the person has both interfaces, all local systems AND the
> cable/DSL modem connected to the one hub or switch.

> Alternatively, the person may have only one NIC in their gateway and has
> it configured with both an internall 10.0.0.0/8 address and their external
> address; again, all systems plus the cable/DSL modem are connected to a
> single hub/switch.

> In either case, all of their local traffic is available on your cable/DSL
> subnetwork. Your cable/DSL modem acts like a bridge so it will pass all
> broadcast traffic and any unicast traffic addressed to a MAC that it has
> learned (by traffic monitoring) belongs to a device connected to it.

> -Tom
> --
> Tom Eastep \ Eastep's First Principle of Computing:
> ICQ #60745924 \ "Any sane computer will tell you how it

> Shoreline, Washington USA \___________________________________________

by **Tom East** » Sun, 26 Mar 2000 04:00:00

>Thanks for the response. Notice however, the class A addresses are on
>the input chain to my ppp0 interface. These guys are roaming the
>internet. I am personally using one of the 192.168 class C subnets for
>my internal private network. I am rejecting these packets at the ppp0
>interface without exception.

No -- it means they are roaming the ppp server that you are talking to.

-Tom

--
Tom Eastep \ Eastep's First Principle of Computing:
ICQ #60745924 \ "Any sane computer will tell you how it

Shoreline, Washington USA \___________________________________________

by **Andy Guiber** » Sun, 26 Mar 2000 04:00:00

Mike,

You are rightfully doing so. I too am a strong believer in keeping the netbios &
smb protocols on LANs, where they belong.

Andy

> Thanks for the response. Notice however, the class A addresses are on
> the input chain to my ppp0 interface. These guys are roaming the
> internet. I am personally using one of the 192.168 class C subnets for
> my internal private network. I am rejecting these packets at the ppp0
> interface without exception.

> Mike Schoppe

> > >I have been noticing quite a few netbios-ns packets being rejected by
> > >my firewall. Some of which are originating from private class A
> > >addresses. See the log entry below.

> > >Mar 24 17:41:33 ns1 kernel: Packet log: input REJECT ppp0 PROTO=17
> > >10.12.12.98:137 63.224.240.70:137 L=78 S=0x00 I=410 F=0x0000 T=110 (#35)

> > >I also receive netbios-ns packets from legitimate addresses as well.

> > >I am very curious as to why I am seeing them at all. I have long held
> > >the opinion that netbios-ns should be restricted to an isolated network
> > >and not proliferated to the internet. Is that a generally accepted
> > >practice or just my idealism showing?

> > If you have M$ boxes on a network, you are going to see these packets. My
> > firewall (seawall.sourceforge.net) simply DENYs them without logging them.
> > I also drop them from the forwarding chain so my firewall doesn't pass
> > them from my internal network out to my DSL subnet.

> > >With regard to the private class A addresses, I was under the impression
> > >that they were intended for use on a private network whose internet
> > >bound traffic would be masqueraded by either a proxy or a firewall.

> > >Can anyone give me a quick education on this or point me to a practical
> > >explanation?

> > People routinely do dumb things. In this case, someone on your subnetwork
> > probably has a gateway system with two NICs and only one hub/switch.
> > Rather than using a crossover cable to connect the external NIC to the
> > cable/DSL modem, the person has both interfaces, all local systems AND the
> > cable/DSL modem connected to the one hub or switch.

> > Alternatively, the person may have only one NIC in their gateway and has
> > it configured with both an internall 10.0.0.0/8 address and their external
> > address; again, all systems plus the cable/DSL modem are connected to a
> > single hub/switch.

> > In either case, all of their local traffic is available on your cable/DSL
> > subnetwork. Your cable/DSL modem acts like a bridge so it will pass all
> > broadcast traffic and any unicast traffic addressed to a MAC that it has
> > learned (by traffic monitoring) belongs to a device connected to it.

> > -Tom
> > --
> > Tom Eastep \ Eastep's First Principle of Computing:
> > ICQ #60745924 \ "Any sane computer will tell you how it

> > Shoreline, Washington USA \___________________________________________

--
Andy Guibert - Linux/Unix Systems Administrator
"May the source be with you, Luke."
-------------------------------------------------
Remove the "nojunk" from my addy when responding.