
RE: NetBIOS? problem



My problem is very simple.
All machines are in one network.
Firewall is only for Internet connection (ISDN modem).
All authentication works fine.
But one special program can't get write-access to the specified file.
It is nonsense for me!
Two slightly different iptables setups work in a completely different
manner - the first is not secure, but it works.
The second is more secure (at least I hope so :)), but the program says
"can't write to file!". How can it influence file operations???

I am rather new to all this stuff.

> -----Original Message-----
> From: J. Currey [mailto:jcurrey@simon.stmarytx.edu]
> Subject: Re: NetBIOS? problem
>
> I use NAT with a number of SMB machines successfully.
> I was not able to get all services behind the firewall.
> There must be a WINS service that provides the munged addresses.
> If you want it to respond to broadcasts (proxy) then it should be
> on the same network.
> You will probably want a WINS server inside too to provide real
> addresses to the NAT'd network.
> On one network (where I control the DHCP) I set the windows boxes to
> only use WINS, and assigned a WINS service, otherwise you'll need to
> manually set a WINS server on the box.
> The domain authentication ended up being separate from the WINS
> service (this was because of some domains authentication being NT and
> some being Linux), even the NT domains use SAMBA WINS service.
> I found I could not use Microsoft's WINS services because
> of its promiscuous nature; use the SAMBA NG 2.2+ stuff instead,
> it is stable and doesn't overwrite static settings on the whim of the
> owner of the name.
> Announces from inside the NAT'd net to the outside WINS service can still
> screw it up, so don't do that.
> One of the problems with authentication is it always uses a broadcast,
> which I never successfully NAT'd to the inside, and even then the
> perspective inside was wrong, so the embedded addresses didn't make sense
> to the asker (as Joerg Wendland noted).
>
> A piece of /var/state/samba/wins.dat outside the NAT.
> (a bare bones samba only box)
>
> "^A^B__MSBROWSE__^B#01" 1005304692 255.255.255.255 84R
> "SMBDOMAIN#00" 0 255.255.255.255 c4R
> "SMBDOMAIN#1b" 0 10.3.0.88 44R
> "SMBDOMAIN#1c" 0 10.3.0.89 e4R
> "SMBDOMAIN#1e" 0 255.255.255.255 c4R
>
> You can also do
> "SMBDOMAIN#00" 0 10.3.0.88 255.255.255.255 c4R
>
> 10.3.0.88 is the public wins server giving NAT'd addresses.
>
> 1c is the domain authentication
> 10.3.0.89 is a sacrificial (bare bones) backup domain server (NT)
> to the domain server on the NAT'd network, they keep synchronized fine,
> as long as they use their local wins servers to locate each other.
>
> If you have a choice, I'd use the samba domain authentication instead.
>
> I really need to write more of this down.  I'd be glad to help
> with writing the code for IP-tables modules to fix some of these kludges,
> although I don't think it can overcome all the issues.
>
> 	J. Currey
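
An added example, not part of the original message or of Samba: a check over wins.dat records like those quoted above that reports a watched name (here the #1b and #1c entries) when it is no longer static or lists an address outside an allow-list. The record layout is taken from the quoted lines; the EXPECTED allow-list and the 192.0.2.50 record are constructed, and reading TTL 0 as a static entry and flag bit 0x80 as a group name follows Samba's documentation of static WINS entries.

```python
import re

# Record layout as in the quoted lines: "NAME#TT" TTL ADDRESS+ FLAGS
# (TT = hex NetBIOS name type, FLAGS = hex nb_flags followed by R).
RECORD = re.compile(r'^"(.*)#([0-9A-Fa-f]{2})"\s+(\d+)\s+(.+)\s+([0-9A-Fa-f]{2})R$')

def parse_wins_dat(text):
    """Return one dict per record; lines that are not records are skipped."""
    records = []
    for raw in text.splitlines():
        m = RECORD.match(raw.strip())
        if m:
            records.append({
                "name": m.group(1),
                "type": int(m.group(2), 16),
                "static": int(m.group(3)) == 0,             # TTL 0: never expires
                "addrs": m.group(4).split(),
                "group": bool(int(m.group(5), 16) & 0x80),  # group-name bit
            })
    return records

def audit(records, expected):
    """expected maps (name, type) to the set of addresses allowed for it."""
    findings = []
    for r in records:
        allowed = expected.get((r["name"], r["type"]))
        if allowed is None:
            continue                                  # name is not watched
        if not r["static"]:
            findings.append((r["name"], r["type"], "dynamic registration"))
        extra = sorted(set(r["addrs"]) - allowed)
        if extra:
            findings.append((r["name"], r["type"], "unexpected " + ",".join(extra)))
    return findings

# Assumption: the allow-list an administrator of this setup would keep.
EXPECTED = {("SMBDOMAIN", 0x1B): {"10.3.0.88"}, ("SMBDOMAIN", 0x1C): {"10.3.0.89"}}

FROM_MESSAGE = '''"SMBDOMAIN#00" 0 255.255.255.255 c4R
"SMBDOMAIN#1b" 0 10.3.0.88 44R
"SMBDOMAIN#1c" 0 10.3.0.89 e4R
'''
# Constructed record: #1c re-registered dynamically with an extra address.
CHANGED = '"SMBDOMAIN#1c" 1005304692 10.3.0.89 192.0.2.50 e4R\n'

if __name__ == "__main__":
    print(audit(parse_wins_dat(FROM_MESSAGE), EXPECTED))
    print(audit(parse_wins_dat(CHANGED), EXPECTED))
```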


