[32339] in North American Network Operators' Group
Re: Operational impact of filtering SMB/NETBIOS traffic?
daemon@ATHENA.MIT.EDU (Ethan Butterfield)
Sun Nov 19 14:49:25 2000
Date: Sun, 19 Nov 2000 11:44:47 -0800
From: Ethan Butterfield <primus@veris.org>
To: Jim Mercer <jim@reptiles.org>
Cc: nanog@nanog.org
Message-ID: <20001119114447.D8847@veris.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20001119112606.A11851@satanic.org>; from primus@satanic.org on Sun, Nov 19, 2000 at 11:26:06AM -0800
Errors-To: owner-nanog-outgoing@merit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> From: Jim Mercer <jim@reptiles.org>
> Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?
> 
> as i understand it, ipsec doesn't use ports.
>
Yes and no. IPSec uses UDP port 500 for the ISAKMP key exchange and the
tunnel setup, but all other traffic is IP Protocol 50 (ESP) or 51 (AH).
Most firewalls I've seen block weird traffic (i.e., just about everything
that's not standard TCP or IP Protocol 1 (ICMP)) by default, or at least
flag it as strange.
It should not be hard to set up a persistent IPSec tunnel between UNIX
hosts in order to pass SMB/NETBIOS traffic. You could even do it
router-to-router in gateway mode and have the traffic be cleartext on the
internal side of both networks, and 3DES/SHA-1 to the rest of the world.
For the Road Warrior, though, it's going to be somewhat more difficult
without using a VPN, as the Win32 implementations of IPSec are
somewhat...lacking. (Or at least they were six months ago when I last
tried the SSH IPsec shim for NT4.) Win2K's built-in IPSec makes life much
easier...if you've got clients using Win2K. Can't vouch for
interoperability between Win2K-UNIX, though. Never tried it myself.
- -- 
   "By four o'clock, I've discounted suicide in favor of killing
    everyone else in the entire world instead."
      - Spider Jerusalem, "Transmetropolitan"
-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org
iD8DBQE6GC2u36NTGsm+2Z4RArBVAJwPWUyTX9fzVctkx+RkVzPtdonzUgCeNaVY
s/0K1mD1Vvd/xM+/4kyHzzk=
=UwTF
-----END PGP SIGNATURE-----
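The message above makes two filtering points that are easy to get wrong in practice: an IPsec gateway needs rules keyed on IP protocol numbers (50 and 51), not just ports, and once SMB/NETBIOS rides inside a gateway-to-gateway tunnel the border filter only ever sees ESP between the two gateways. The following is an added example, not code from the thread or from any product discussed in it. It is a tiny first-match stateless packet filter that contrasts the "TCP and ICMP only" policy the post describes with a corrected gateway policy. Protocol numbers and ports are the IANA values (ISAKMP UDP/500, ESP 50, AH 51, NetBIOS 137/138/139, SMB TCP/445); the addresses and the traffic sample are constructed for the example.

```python
"""Stateless first-match packet filter used to show which rules an IPsec
gateway needs beyond a "TCP and ICMP only" policy.

Added example, not code from the NANOG thread. Protocol numbers and ports
are IANA values; addresses and sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IP protocol numbers and the ISAKMP/IKE port the post refers to.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPPROTO_ESP, IPPROTO_AH = 50, 51
ISAKMP_PORT = 500

# Constructed sample addresses (assumption, not from the thread).
GATEWAY = "192.0.2.1"       # our IPsec gateway's public address
INTERNAL = "10.0.0.5"       # a host behind it
PEER_GW = "198.51.100.1"    # the other site's gateway
OUTSIDER = "203.0.113.9"    # some unrelated Internet host


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    dst: Optional[str] = None     # None matches any destination

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.dst is None or self.dst == p.dst))


def evaluate(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First matching rule wins; unmatched traffic gets the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# The "weird gets blocked" policy the post describes: only TCP and ICMP.
LEGACY_POLICY = [
    Rule("accept", proto=IPPROTO_TCP),
    Rule("accept", proto=IPPROTO_ICMP),
]

# Corrected policy for a gateway-mode IPsec endpoint: filter SMB/NetBIOS
# arriving from the outside, but admit IKE, ESP and AH addressed to the gateway.
SMB_NETBIOS = [(IPPROTO_UDP, 137), (IPPROTO_UDP, 138),
               (IPPROTO_TCP, 139), (IPPROTO_TCP, 445)]
GATEWAY_POLICY = (
    [Rule("drop", proto=pr, dport=po) for pr, po in SMB_NETBIOS]
    + [Rule("accept", proto=IPPROTO_UDP, dport=ISAKMP_PORT, dst=GATEWAY),
       Rule("accept", proto=IPPROTO_ESP, dst=GATEWAY),
       Rule("accept", proto=IPPROTO_AH, dst=GATEWAY),
       Rule("accept", proto=IPPROTO_TCP),
       Rule("accept", proto=IPPROTO_ICMP)]
)


def esp_encapsulate(inner: Packet, src_gw: str, dst_gw: str) -> Packet:
    """What the Internet-facing filter sees for a tunnel-mode packet: the
    inner SMB packet is hidden inside ESP between the two gateways."""
    return Packet(IPPROTO_ESP, src_gw, dst_gw)


# Constructed traffic sample.
SAMPLE: Dict[str, Packet] = {
    "ike": Packet(IPPROTO_UDP, PEER_GW, GATEWAY, ISAKMP_PORT),
    "esp": Packet(IPPROTO_ESP, PEER_GW, GATEWAY),
    "ah": Packet(IPPROTO_AH, PEER_GW, GATEWAY),
    "raw_smb": Packet(IPPROTO_TCP, OUTSIDER, INTERNAL, 445),
    "netbios_ns": Packet(IPPROTO_UDP, OUTSIDER, INTERNAL, 137),
    "http": Packet(IPPROTO_TCP, OUTSIDER, INTERNAL, 80),
    "ping": Packet(IPPROTO_ICMP, OUTSIDER, INTERNAL),
    # Site-to-site SMB: cleartext on the inside, ESP on the wire.
    "tunnelled_smb": esp_encapsulate(
        Packet(IPPROTO_TCP, "10.1.0.7", INTERNAL, 445), PEER_GW, GATEWAY),
}


def classify(policy: List[Rule]) -> Dict[str, str]:
    """Run every sample packet through a policy and report the verdicts."""
    return {name: evaluate(policy, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, pol in (("legacy", LEGACY_POLICY), ("gateway", GATEWAY_POLICY)):
        print(name, classify(pol))
```

Two things worth noticing in the verdicts: the legacy policy passes raw SMB over TCP/445 from anywhere while silently dropping the IKE, ESP and AH packets that the tunnel depends on, and the gateway policy's SMB/NetBIOS drops never fire on the tunnelled SMB packet because, by the time it reaches the border, it is just ESP between two gateway addresses. One caveat that postdates this 2000 message: IKE behind NAT (NAT-T, RFC 3948) also uses UDP port 4500, so a present-day gateway rule set needs that port alongside 500.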