IP tunnels and netbios (was: Re: [H-GEN] TPG ADSL)

Tony Nugent tony at linuxworks.com.au
Tue May 14 03:02:45 EDT 2002

[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Tue May 14 2002 at 14:29, Paul Gearon wrote:

> You have always been able to run services on Bigpond Broadband, even
> though you may not have been permitted to.  I can guarantee this from
> personal experience.

After 12 months of experience with a telstra adsl (512/128) connection,
hosting any sort of services on an adsl connection is a REAL pain.

With cable (which Paul appears to be referring to), you are issued
with an IP address on a dhcpd lease - so it is possible to keep the
same IP address for long periods if you don't "drop offline" for
longer than the lease expiry time.

But with ADSL, you get a different IP each and every time you
(re)connect.  No dhcp lease, just a new (and largely unpredictable)
IP address each time.  There is no way to reliably find your server
from the internet on such a "fast roaming" address.  Not unless you
do things like use IP tunnels from a host with a permanent IP that is
doing port forwarding to your real IP.  Which becomes real messy to
set up and manage :)

(I believe that it is possible to use dynamic dns servers, where the
SOA for your domain name is hosted and configured dynamically with a
short live-timeout value.  You simply set up scripts that automate
updates to it each time you reconnect.  But once again, messy, and
probably not a cheap hosting service to use).

Oh you can get a permanent ip with telstra adsl, but last time I
enquired the cost was over $500/month.  (The assumption is that if
you want a permanent IP, then you are wanting to do hosting for
internet services).

> The following is a snippet from an email that Telstra sent out to its
> broadband customers in response to the "qaz trojan" propagating over its
> network back in October 2000:

> Closing Port 139 (also known as the NetBios port) will mean that all
> BigPond customers will no longer be able to use certain functions that
> this port would normally facilitate. In particular, some network sharing
> services (file and print sharing)  through our network will cease
> operating. Volume based plan customers (Blast off and Business Plans) only
> use this feature as hosting servers is a breach of the Acceptable Use
> Policy for Freedom Plan customers.

And a damn good thing telstra have done for everyone by doing that.
(I wouldn't mind if they blocked a few more ports, it would save me
having to do it :-)

Everyone should block netbios at internet gateways (except for
_very_ specific reasons).

Netbios (which uses tcp/udp ports 137, 138 and 139) is a *local*
area network protocol.  And btw, netbios is a very good networking
protocol for doing just that (which is why microsoft chose to use
it).  It was never designed as a wide area network protocol, eg, the
sorts of services a box may be offering are broadcast onto the
local network, and much of its functionality depends on this sort of
broadcast traffic.

But as usual with microsoft, there are holes in the implementation
and the security in netbios is bordering on pathetic (a read through
the samba sources can be a revealing experience :-)

imho, netbios ports that are exposed to the internet are simply
invitations for anyone to gain information from and/or access to
that box, and probably others on its local network after that.
(Consider how easy it has been for netbios worms like network.vbs to
get around.  This worm, a simple 100-line visual basic script, is
still around after it first appeared, and it just won't go away).

You may have two LANs, eg, in two offices in different physical
locations with a (public) internet connection between them.  If they
need to have netbios working to easily access and share each other's
resources, then this is exactly the sort of situation where IP
tunnels can be a very elegant solution.

But there are so many ip tunnel implementations (there are several
different linux kernel driver modules and user-space
implementations), the problem then becomes... which sort of ip
tunnel to use? :-)   Most of them are relatively trivial to set
up... (not including any firewall configuration), an ipip tunnel can
be working in fewer than 4-5 commands at each end (one to modprobe
the kernel driver, the others to configure the tunnel device and
routing with /sbin/ip).

There are several options available... ipip, gre, ipsec, stunnel,
ssh and so on.  gre tunnels can handle broadcast and multicast
traffic and would probably be the best way to go for netbios, but
compression and/or encryption/ssl might (would?) need to be a

  (I'm hoping that others here with experience in using different
  sorts of ip tunnels can continue this discussion).

> Note that they knew that some people were running "services" on their
> Freedom Plan.  They only seem to want to reduce upstream traffic (which
> cable modems are slow at anyway).  So long as you keep your upstream

(Ahh, so you _were_ referring to broadband cable).

> Regards,
> Paul Gearon
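
The two-office setup Tony describes, as an added example that is not part of the original post: one gateway's end of a gre tunnel, plus the iptables rules that keep netbios (tcp/udp 137-139) confined to the tunnel and dropped on the public interface. The interface name eth0, the device name gre1 and every address are constructed placeholders; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): GRE tunnel between two office
# gateways, with netbios allowed only across the tunnel. All addresses are
# constructed placeholders from the RFC 5737 documentation ranges.
# Default is a dry run that prints each command; run with RUN= as root to apply.
RUN="${RUN-echo}"

# One end of the tunnel. The other office runs the same with addresses swapped.
#   $1 local public IP   $2 remote public IP   $3 this end's tunnel address (/30)
#   $4 remote office LAN prefix
tunnel_up() {
    local_ip=$1; remote_ip=$2; tun_addr=$3; remote_lan=$4
    $RUN modprobe ip_gre
    $RUN ip tunnel add gre1 mode gre local "$local_ip" remote "$remote_ip" ttl 255
    # GRE adds 24 bytes of overhead; lower the MTU so inner packets need no fragmentation
    $RUN ip link set gre1 mtu 1476 up
    $RUN ip addr add "$tun_addr" dev gre1
    $RUN ip route add "$remote_lan" dev gre1
}

# Netbios stays inside the tunnel: accept it arriving on gre1, drop it on the WAN.
#   $1 public interface   $2 remote public IP (the only peer allowed to send GRE)
netbios_filter() {
    wan_if=$1; peer=$2
    for chain in INPUT FORWARD; do
        $RUN iptables -A "$chain" -i gre1 -p udp -m multiport --dports 137,138 -j ACCEPT
        $RUN iptables -A "$chain" -i gre1 -p tcp --dport 139 -j ACCEPT
        $RUN iptables -A "$chain" -i "$wan_if" -p udp -m multiport --dports 137,138 -j DROP
        $RUN iptables -A "$chain" -i "$wan_if" -p tcp --dport 139 -j DROP
    done
    # The encapsulated GRE packets themselves (IP protocol 47) still arrive on the WAN
    $RUN iptables -A INPUT -i "$wan_if" -p 47 -s "$peer" -j ACCEPT
}

# Office A: public 198.51.100.1, peer 203.0.113.1, remote LAN 192.168.2.0/24
tunnel_up 198.51.100.1 203.0.113.1 10.255.0.1/30 192.168.2.0/24
netbios_filter eth0 203.0.113.1
```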

