(usr-tc) Filter construction through HARM
Well I'm playing around again...

I am attempting to install a user filter to suppress the flow of CIFS (SMB) communications through the HiPer ARC. My intent is to control the filter's behavior by way of RADIUS and the Framed-Filter-Id= reply item.

I understand the technology portion of it but getting the nuances is kinda slowing me down.

I understand I need to create a named filter (in this case I named it NOCIFS) which I have managed to do with HARM. This is the filter:

    #filter
    IP:
    1 REJECT udp-src-port = 137;
    2 REJECT udp-src-port = 138;
    3 REJECT udp-src-port = 139;

I'm making the assumption that unlike many routers you may selectively Reject without having to allow everything else again.

According to the minimal documentation I've found there has to be a NOCIFS.IN and a NOCIFS.OUT file in the ARC for this to work. HARM however does not allow you to create a named filter with an extension. Does it create an in and an out automagically?? Or how does one do this??? In other words, how does HARM differentiate an In from an Out???

I'm fairly sure I can fool around with the CLI and get this to fly but the HARM should be able to handle it.

Anyway, am I even close to getting this to run <grin>....

Regards,
Steve Sherwick

-
To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
If you're talking Windows machines you gotta be careful about ports 137-139. Windows does ALL access to the outside world through those 3 ports. If you filter them you will most likely sever any connection it tries to make.

Paul Farber
Farber Technology
farber@admin.f-tech.net
Ph 570-628-5303
Fax 570-628-5545

On Thu, 25 Nov 1999, Steve Sherwick wrote:
> I am attempting to install a user filter to suppress the flow of CIFS
> (SMB) communications through the HiPer ARC. [...]
Which is essentially the reason for wanting a user filter: I have people bouncing around in each other's Network Neighborhoods. While instruction would be better, 98% of my customer traffic will never need to use CIFS. The small proportion that might should be running VPN anyway. Also if someone needs it I can drill a hole for them.

It's pretty much a reaction to bad press here due to the Cable Access providers. They had a rash of people getting directory listings of customer hard drives and emailing them to their customer base. Things like bank account balances and indexes of their porn collections <sigh>.

So basically I get to be my brother's keeper.....

Regards,
Steve

> If you're talking Windows machines you gotta be careful about ports 137-139. [...]
I'm pretty sure that you will lose the ability to send DNS responses through your filter.

DNS has a dest port number of 53 (udp) but a src port number (the packet coming from the Windows machine) will be 137-9. I've tried to filter NetBIOS via filters, cut off ALL 137-139 traffic, and the Windows PC would not load pages, get DNS info, nothing. I tried this with 95 using Winsock 1; I haven't tried 98, but my guess is that it will be the same.

Let me know if it works for you.

Paul Farber
Farber Technology
farber@admin.f-tech.net
Ph 570-628-5303
Fax 570-628-5545

On Fri, 26 Nov 1999, Steve Sherwick wrote:
> Which is essentially the reason for wanting a user filter: I have people
> bouncing around in each other's Network Neighborhoods. [...]
Hmmmm, this is interesting. I've had 137-139 filtered on the backbone T1's for better than a year.... I also have them filtered on another NAS (not 3COM). I'll be working on this again early next week and will let you know.

Steve

> I'm pretty sure that you will lose the ability to send DNS responses through your filter. [...]
Even worse, there are some utilities which can scan an entire subnet and attach to any share it finds. We use a filter to stop this and assign it on a user by user basis via RADIUS.

Jeff Binkley
ASA Network Computing

> Which is essentially the reason for wanting a user filter: I have people
> bouncing around in each other's Network Neighborhoods. [...]
On Thu, 25 Nov 1999, Steve Sherwick wrote:
> [...]
> According to the minimal documentation I've found there has to be a NOCIFS.IN and a NOCIFS.OUT file in the ARC for this to work. HARM however does not allow you to create a named filter with an extension. Does it create an in and an out automagically?? Or how does one do this??? In other words, how does HARM differentiate an In from an Out???

Well, filters have various levels of application, meaning you have an input and output filter on the interface, and you have an input and output filter for the user. Now in your case, since you are going to create a filter that is going to filter the NetBIOS traffic, you can create the filter as an input filter and apply it on the interface, so anything from the user (into the HiPer ARC) will be filtered. For this you need to create just any filter, no in or out necessary; just put the filter on all the modem group interfaces. In and out for the filters are necessary only if you are using user filters and sending the filter name from RADIUS using the standard RADIUS attribute Framed-Filter-Id.

krish
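An added illustration, not code from the thread, from 3Com or from HARM: a small Python evaluator for the rule layout Steve posted, run over constructed packets to show which traffic the source-port-only NOCIFS rules actually match and what a broader variant would also catch. The tcp/udp-dst-port field names, the implicit ACCEPT default and the sample packets are assumptions; the evaluator ignores the input/output direction that Krish's reply explains.

```python
import re
from collections import namedtuple

# Rule layout from the thread: "<seq> ACCEPT|REJECT <field> = <value>;" under "#filter" / "IP:".
# Only udp-src-port appears on the page; the other field names are assumed to follow the same form.
RULE_RE = re.compile(r"^(\d+)\s+(ACCEPT|REJECT)\s+((?:udp|tcp)-(?:src|dst)-port)\s*=\s*(\d+);$")

Packet = namedtuple("Packet", "proto src_port dst_port")  # proto is "udp" or "tcp"

def parse_filter(text):
    """Return (seq, action, field, value) tuples in sequence-number order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue  # skip the "#filter" header and the "IP:" section marker
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        seq, action, field, value = m.groups()
        rules.append((int(seq), action, field, int(value)))
    return sorted(rules)

def evaluate(rules, pkt, default="ACCEPT"):
    """First matching rule wins. Unmatched packets get the default; the implicit
    ACCEPT is the behaviour Steve assumed, which the thread never confirms."""
    for _, action, field, value in rules:
        proto, side, _ = field.split("-")
        if proto != pkt.proto:
            continue  # rule is for the other transport protocol, so it cannot match
        port = pkt.src_port if side == "src" else pkt.dst_port
        if port == value:
            return action
    return default

# The filter exactly as posted.
NOCIFS = """
#filter
IP:
1 REJECT udp-src-port = 137;
2 REJECT udp-src-port = 138;
3 REJECT udp-src-port = 139;
"""

# Assumed broader variant: also match the NetBIOS session service (TCP 139) and the
# name/datagram service destination ports, which source-port-only rules never examine.
NOCIFS_FULL = NOCIFS + """
4 REJECT udp-dst-port = 137;
5 REJECT udp-dst-port = 138;
6 REJECT tcp-dst-port = 139;
7 REJECT tcp-src-port = 139;
"""

# Constructed sample traffic, not captured from any real link.
SAMPLES = {
    "netbios name query": Packet("udp", 137, 137),
    "smb session to a share": Packet("tcp", 1027, 139),
    "dns query": Packet("udp", 1025, 53),
    "http": Packet("tcp", 1030, 80),
}

def verdicts(filter_text):
    rules = parse_filter(filter_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

Running verdicts(NOCIFS) shows the posted rules reject the UDP name query but pass the TCP 139 session carrying the share access the thread is worried about; verdicts(NOCIFS_FULL) rejects both while still passing DNS and HTTP.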
participants (4)
- farber@admin.f-tech.net
- jeff.binkley@asacomp.com
- Steve Sherwick
- Tatai SV Krishnan