[32342] in North American Network Operators' Group
RE: Operational impact of filtering SMB/NETBIOS traffic?
daemon@ATHENA.MIT.EDU (Roeland Meyer)
Sun Nov 19 15:41:06 2000
Message-ID: <47FE39302BF73B4C93BC84B87341282C1F09@condor.lvrmr.mhsc.com>
From: Roeland Meyer <rmeyer@mhsc.com>
To: 'Ethan Butterfield' <primus@veris.org>,
Jim Mercer <jim@reptiles.org>
Cc: nanog@nanog.org
Date: Sun, 19 Nov 2000 12:39:58 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu
> From: Ethan Butterfield [mailto:primus@veris.org]
> Sent: Sunday, November 19, 2000 11:45 AM
> To: Jim Mercer
> Cc: nanog@nanog.org
> Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?
> > From: Jim Mercer <jim@reptiles.org>
> > Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?
> >
> > as i understand it, ipsec doesn't use ports.
> >
>
> Yes and no. IPSec uses UDP port 500 for the ISAKMP key exchange and the
> tunnel setup, but all other traffic is IP Protocol 50 (ESP) or 51 (AH).
> Most firewalls I've seen block weird (i.e., just about everything that's
> not standard TCP or IP Protocol 1 (ICMP)) by default, or at least flag it
> as strange.
In shops that block SSH, this is also what they do and is exactly what I
meant. I apologize for not communicating clearly and typing poorly (too many
decades writing code).
> It should not be hard to set up a persistent IPSec tunnel between UNIX
> hosts in order to pass SMB/NETBIOS traffic. You could even do it
> router-to-router in gateway mode and have the traffic be cleartext on the
> internal side of both networks, and 3DES/SHA-1 to the rest of the world.
When possible, I do this. The whole point of this is that transit providers
should not be filtering unless specifically requested.
> For the Road Warrior, though, it's going to be somewhat more difficult
> without using a VPN, as the Win32 implementations of IPSec are
> somewhat...lacking. (Or at least they were six months ago when I last
> tried the SSH IPsec shim for NT4.) Win2K's built-in IPSec makes life much
> easier...if you've got clients using Win2K. Can't vouch for
> interoperability between Win2K-UNIX, though. Never tried it myself.
I did, just as soon as it came out. It sux! Active Directory also does a
number on the DOMAIN stuff in Samba. Fortunately, it allows backwards
compatibility to old-style WinNT4SP5 hosts. In fact, and I am sure that MS
did it to mess with the Samba folks, the entire DOMAIN stuff has been
re-spec'd and re-written.
---
I can't afford to have a preference, I must be agnostic.
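As an added example (not part of this thread, and not anyone's posted code), the following Python script shows what the IPsec traffic discussed above looks like to a packet filter: it constructs sample IPv4 packets (TCP to the SMB port, ICMP, ISAKMP over UDP/500, ESP with IP protocol 50, AH with IP protocol 51), parses the headers, and runs each packet through a "ports only" policy that admits only TCP and ICMP next to a policy that also admits what an IPsec tunnel needs on the wire. All packet contents, SPIs and addresses are constructed for illustration; header layouts follow the IPv4, UDP, TCP, ESP and AH RFCs.

```python
"""Classify constructed IPv4 packets and apply two firewall policies.

Added example (not from the NANOG thread): shows why a filter that only
understands TCP ports and ICMP drops ESP (proto 50) and AH (proto 51) even
though the IKE/ISAKMP exchange on UDP/500 is the only part with a port.
"""
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
ISAKMP_PORT = 500


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport, dport):
    # 20-byte TCP header, SYN set, no options, checksum left zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_esp(spi, seq, ciphertext):
    # ESP header: SPI, sequence number, then opaque encrypted payload
    return struct.pack("!II", spi, seq) + ciphertext


def build_ah(spi, seq, icv, next_header=IPPROTO_TCP):
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def classify(packet):
    """Parse the IPv4 header and return the fields a filter would key on."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    l4 = packet[(ver_ihl & 0x0F) * 4:total_len]
    info = {"proto": proto, "sport": None, "dport": None, "spi": None}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(l4) < 4:
            raise ValueError("truncated transport header")
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif proto in (IPPROTO_ESP, IPPROTO_AH):
        # ESP carries the SPI at offset 0; AH carries it after a 4-byte preamble.
        off = 0 if proto == IPPROTO_ESP else 4
        if len(l4) < off + 4:
            raise ValueError("truncated IPsec header")
        info["spi"] = struct.unpack("!I", l4[off:off + 4])[0]
    return info


def ports_only_policy(info):
    """A filter that only knows TCP and ICMP; everything else is 'weird' and dropped."""
    return info["proto"] in (IPPROTO_TCP, IPPROTO_ICMP)


def ipsec_aware_policy(info):
    """TCP/ICMP plus ISAKMP on UDP/500 and the portless ESP/AH protocols."""
    if ports_only_policy(info):
        return True
    if info["proto"] == IPPROTO_UDP and ISAKMP_PORT in (info["sport"], info["dport"]):
        return True
    return info["proto"] in (IPPROTO_ESP, IPPROTO_AH)


def sample_packets():
    """Constructed sample traffic (hypothetical SPIs and payloads)."""
    return {
        "smb_tcp445": build_ipv4(IPPROTO_TCP, build_tcp(40000, 445)),
        "icmp_echo": build_ipv4(IPPROTO_ICMP, bytes([8, 0, 0, 0, 0, 0, 0, 0])),
        "isakmp_udp500": build_ipv4(IPPROTO_UDP, build_udp(ISAKMP_PORT, ISAKMP_PORT, b"\x00" * 28)),
        "esp_spi_0x1001": build_ipv4(IPPROTO_ESP, build_esp(0x1001, 1, b"\xaa" * 32)),
        "ah_spi_0x2002": build_ipv4(IPPROTO_AH, build_ah(0x2002, 1, b"\xbb" * 12)),
    }


def run_policies():
    """Return {name: (ports_only_verdict, ipsec_aware_verdict)} for each sample packet."""
    return {name: (ports_only_policy(classify(pkt)), ipsec_aware_policy(classify(pkt)))
            for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, (plain, aware) in run_policies().items():
        print(f"{name:16s} ports-only={'pass' if plain else 'DROP':4s} "
              f"ipsec-aware={'pass' if aware else 'DROP'}")
```

Run it and the ISAKMP, ESP and AH packets are dropped by the ports-only policy and passed by the IPsec-aware one, while the TCP and ICMP packets pass both; a gateway-to-gateway tunnel of the kind described in the thread needs all three of UDP/500, protocol 50 and protocol 51 permitted between the two endpoints, not just a port rule.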