 
            Hi all
With some friends I use a samba server to easily exchange documents. Especially the Windows offline files functionality makes it the best tool I could find for my purpose.
Now I have two different people reporting they don't manage to connect to my samba server. It turned out both of them live in Winterthur and have Cablecom as their ISP.
I have tested the connection from a Cablecom customer in another town and it worked perfectly.
I would understand if an ISP blocks incoming SMB connections, as probably some customers unknowingly share their $disk, but outgoing connections?
Can somebody confirm that Cablecom blocks outgoing SMB connections from customers in Winterthur?
-Benoit-
 
            Hi Benoit,
Benoit Panizzon wrote:
Can somebody confirm that Cablecom blocks outgoing SMB connections from customers in Winterthur?
No, I actually can't. But I would very much appreciate it if it were the case. If you have a closer look at your firewall log you will probably see why. CIFS is not a protocol I would use for exchanging files over the internet directly. I don't care if there's a VPN below, but direct CIFS is not what I would recommend at all.
I have current malicious traffic of about 100 KBit/s coming from some Chinese ISPs... most of the time they try to access ports 138/139 and 445.
CU Tobias
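Tobias's advice to look at the firewall log, and Peter's reply below distinguishing the inbound scan noise from outbound share-hunting, both come down to counting NetBIOS/SMB hits per direction. The following script is an added example, not code from this thread or from any poster: it assumes netfilter-style LOG lines (the `IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT=` fields iptables and nftables emit) and that the WAN-facing interface name is known; the sample lines are constructed and use documentation address ranges.

```python
"""Tally NetBIOS/SMB probes in netfilter-style firewall log lines, per direction.

Added example (not from the thread). Assumes iptables/nftables LOG output and
a known WAN interface; SAMPLE_LOG below is constructed, not captured.
"""
import re
from collections import Counter

# NetBIOS name service (137/udp), datagram service (138/udp),
# session service (139/tcp) and direct-hosted SMB (445/tcp).
SMB_PORTS = {137, 138, 139, 445}

LOG_RE = re.compile(
    r"IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*)"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields we care about, or None for lines that are not LOG output."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def direction(rec, wan_if):
    """'inbound' if the packet came in on the WAN interface, 'outbound' if it
    was leaving through it, None for anything else (LAN-to-LAN, unknown)."""
    if rec["iface_in"] == wan_if:
        return "inbound"
    if rec["iface_out"] == wan_if:
        return "outbound"
    return None


def summarize(lines, wan_if="eth0"):
    """Count SMB/NetBIOS hits keyed by source address, split by direction.

    Inbound entries are the internet background scans everybody sees.
    Outbound entries name LAN hosts that are themselves probing other
    people's shares (or being used to), which is what egress filtering stops.
    """
    stats = {"inbound": Counter(), "outbound": Counter(), "other": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        d = direction(rec, wan_if)
        if d is None or rec["dpt"] not in SMB_PORTS:
            stats["other"] += 1
            continue
        stats[d][rec["src"]] += 1
    return stats


# Constructed sample lines in iptables LOG format (TEST-NET addresses, hypothetical gateway "gw").
SAMPLE_LOG = [
    "Dec 12 09:15:01 gw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4321 DF "
    "PROTO=TCP SPT=2241 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Dec 12 09:15:03 gw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4322 DF "
    "PROTO=TCP SPT=2242 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Dec 12 09:16:40 gw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.23 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=9 "
    "PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Dec 12 09:20:12 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.50 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=771 DF PROTO=TCP SPT=1045 DPT=445 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "Dec 12 09:21:00 gw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.9 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=100 DF "
    "PROTO=TCP SPT=3333 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 12 09:21:30 gw sshd[812]: Accepted publickey for admin from 192.168.1.2 port 51022 ssh2",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("inbound SMB/NetBIOS probes by source:", dict(s["inbound"]))
    print("outbound SMB attempts by LAN host:   ", dict(s["outbound"]))
    print("non-SMB hits:", s["other"], " unparsed lines:", s["unparsed"])
```

Feed it `grep FW-DROP /var/log/kern.log` (or whatever prefix your LOG rule uses) and the `outbound` counter is the list of machines to go and look at; the `inbound` counter is the noise Tobias describes, and rate-limiting the LOG rule is advisable before pointing this at a busy gateway.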
 
            Hi
Tobias Goeller wrote:
I have current malicious traffic of about 100 KBit/s coming from some Chinese ISPs... most of the time they try to access ports 138/139 and 445.
That's incoming traffic, I guess. Blocking that is a good idea.
Blocking outgoing SMB is not entirely pointless either, since it stops scans for open shares at the source. I agree with you that it's better to use CIFS in a tunnel since it's anything but secure.
Regards Peter
 
            Hi,
Peter Guhl Listenempfänger wrote:
That's incoming traffic, I guess. Blocking that is a good idea.
True. I don't know Cablecom's network structure, but I think blocking outgoing traffic will prevent you from connecting to any other share, too (since you're not able to open a CIFS connection).
Blocking outgoing SMB is not entirely pointless either, since it stops scans for open shares at the source. I agree with you that it's better to use CIFS in a tunnel since it's anything but secure.
The users I have on my network are only allowed to access the really required ports. Direct SMTP and other funny things, as well as SMB/CIFS, are blocked by the firewall. As for MSN (ieck!), I only allow the chat protocol; downloads are blocked.
I really don't want them to open up shares over the internet especially since they really have no clue what they're doing (if they weren't my neighbours they'd probably use AOL).
If they use VPN, however, this is not blocked in any way.
CU Tobias
 
            Tobias Goeller wrote: [..]
The users I have on my network are only allowed to access the really required ports. Direct SMTP and other funny things, as well as SMB/CIFS, are blocked by the firewall. As for MSN (ieck!), I only allow the chat protocol; downloads are blocked.
You are blocking port 80? Wow.
Greets, Jeroen
 
            Tobias Goeller wrote:
Hi Jerome,
Jeroen Massar wrote:
You are blocking port 80? Wow.
Yes, partly. I force those users to use a proxy-system... works quite well.
How exactly does that help anything? Users will then simply run the same protocols over your proxy, or DNS or whatever method they can find their way out.
It will only make it a hassle for them to configure all the time, and for you there is no gain as you won't be able to tell more or less about the actual usage as people suddenly start VPN'ing and tunneling all over the place.
Though this might 'help' (ahum) for worms and other such malicious tools which don't understand that they can pick the configuration items for the proxy from IE or Firefox configuration, it won't help a thing for anything else.
Greets, Jeroen
 
            Jeroen Massar jeroen@unfix.org 2007-12-12:
Tobias Goeller wrote:
Jeroen Massar wrote:
You are blocking port 80? Wow.
Yes, partly. I force those users to use a proxy-system... works quite well.
How exactly does that help anything? [...] Though this might 'help' (ahum) for worms and other such malicious tools which don't understand that they can pick the configuration items for the proxy from IE or Firefox configuration, it won't help a thing for anything else.
By enforcing a proxy, you have the option of content filtering, either by MIME type or by running files through an AV scanner. It does not solve all problems, but can solve some of them. (At a cost, of course.)
-Dan
 
            Hi Jeroen,
First of all, it's a transparent proxy, so there's nothing like a proxy.pac or anything else for configuration. The proxy just sits there, listens and filters. Can be done with a variety of tools like squid, dansguardian and some more. The most advanced I know is the proxy combination Astaro currently uses. My installation is, by far, simpler.
Second, I'm not talking about users who know what they're doing. The users I host are in fact users who have absolutely no clue about what they're doing at all. Some of them even struggle with right-clicks and left-clicks. If they click, it's mostly the very well known "click-you-should-not-have-done". It's challenging for them to use e-mail. And it's even more challenging for them not to open a message from a sender they don't know.
It's the sort of users AOL may be sending away because they think this kind of people should not be allowed to use electricity at all.
And, to make one thing clear: I'm not serving 1000s of users. I'm, in fact, serving about 10-20 users in the neighborhood. As I get all the calls when something goes wrong anyway, I have chosen the proxy to get rid of those IE, FF & MSN viruses.
The virus-scanner included in the proxy is keeping out most of the stuff (and there's quite a lot according to the log-file).
For skype this is not yet possible. But for "my" users, they're not even using it with the exception of about two or three of them.
I absolutely agree with you that the solution I have is probably an (perhaps even excellent) solution for a problem that should never have existed in the first place.
CU tobias
 
            Hello Benoit
Benoit Panizzon wrote:
Now I have two different people reporting they don't manage to connect to my samba server. It turned out both of them live in Winterthur and have Cablecom as their ISP.
I have tested the connection from a Cablecom customer in another town and it worked perfectly.
I guess this is probably the behavior of a NAT router and/or firewall which is in use at your friends' place. For testing purposes, connect the computer directly to the cable modem and try to connect to the Samba server.
Could also be a personal firewall on the friend's computer.
bye Fabian
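Benoit's question (is the ISP dropping outbound 139/445?) and Fabian's test (plug the PC straight into the cable modem and try again) can be answered more precisely than "it doesn't connect" by looking at how the TCP connection fails. The script below is an added example, not part of this thread: it assumes Python on the client machine and a hypothetical host name on the command line, and its self-check talks only to a loopback listener, so it runs offline.

```python
"""Probe a host's SMB ports and report how the connection fails, not just that it does.

Added example (not from the thread). The outcome names are the usual TCP reading:
  open        handshake completed, something answered on that port
  refused     a RST came back: the host is reachable, nothing listens there
  filtered    no answer inside the timeout: a firewall dropping packets silently,
              which is what an ISP block, a NAT router or a personal firewall all look like
  unreachable the local stack has no route at all
Running it once behind the friend's router and once directly on the cable modem
(Fabian's test) separates the router from the ISP; a refused result rules out a path block.
"""
import errno
import socket
import sys

SMB_TCP_PORTS = (139, 445)  # NetBIOS session service and direct-hosted SMB


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # subclass of OSError, so it must come first
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:%s" % (e.strerror or e.errno)
    finally:
        s.close()


def probe_smb(host, ports=SMB_TCP_PORTS, timeout=3.0):
    """Probe every SMB port and return {port: outcome}."""
    return {p: probe(host, p, timeout) for p in ports}


def diagnose(results):
    """Map the per-port outcomes onto the hypotheses raised in the thread."""
    outcomes = set(results.values())
    if "open" in outcomes:
        return "smb reachable"
    if outcomes == {"refused"}:
        return "host reachable, no smb listener: not a path block"
    if "filtered" in outcomes:
        return "silently dropped on the path: local firewall, NAT router, ISP or server side"
    return "host unreachable from here: routing problem, not an smb-specific block"


def loopback_listener():
    """Open a listening socket on an ephemeral loopback port for the self-check.

    Returns (socket, port); close the socket to turn the port into a 'refused' case.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python3 smbcheck.py <samba-host>   (host name is whatever you pass in)
        res = probe_smb(sys.argv[1])
        for port, outcome in res.items():
            print("tcp/%d: %s" % (port, outcome))
        print(diagnose(res))
    else:
        # Offline self-check against loopback: expect 'open', then 'refused'.
        srv, port = loopback_listener()
        print("loopback %d listening: %s" % (port, probe("127.0.0.1", port)))
        srv.close()
        print("loopback %d closed:    %s" % (port, probe("127.0.0.1", port)))
```

A silent timeout on both ports from the friend's PC, but `refused` or `open` from the Cablecom customer in the other town, is consistent with Benoit's suspicion; the same timeout with the PC on the modem directly and a working result from behind another ISP is the point at which it stops being the router's fault. None of this tells you who is dropping the packets, only where to ask next.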
