[techtalk] Solution to connectivity problem & Thank you!

curious curious at curious.org
Wed Aug 16 10:30:36 EST 2000


There is a workaround for NetBIOS authentication thru NAT.
I'm not sure if it was this list I already posted the link on.
Here it is again if I have:
http://www.linuxplanet.com/linuxplanet/print/1159/

 /"\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
 \ /   ASCII Ribbon Campaign      curious at curious.org
  X   - NO HTML/RTF in e-mail     http://www.curious.org/
 / \  - NO Word docs in e-mail    "This quote is false." -anon

On Wed, 16 Aug 2000, C. M. Martin wrote:

> Hi, everyone,
> 
> All is working here now.  The opinion of the engineer I was working with is
> that the first netstat entry *is* wrong, since the address is outside the
> bounds of our network, but it isn't affecting anything, and my attempts to
> delete and correct the entry with the route command fail.  Since it really
> doesn't break anything, we're going to worry about it later.
> 
> The problems were, as I suspected, simple and stupid.  I had forgotten to add a
> forward -j ACCEPT line for the server on the DMZ to ipchains.  I put one line
> allowing everything, and suddenly everything worked.  Needless to say, I need
> to replace it with specific lines only allowing specific ports.  Yikes!  Once
> that was fixed, tracert (the NT version of traceroute), ping, and so on all
> worked.
> 
> Problem two (equally stupid) is that NetBIOS is *not* routable, and I was trying
> to route authentication through the firewall.  Duh!  I needed to dual home the
> DC and turn IP forwarding off on that box so that it can't be used to do an
> end-around to get past the firewall.  Consider it another limitation of how
> Microsoft chose to do NT authentication. (Like, who needs domains on more than
> one network and only one or two domain controllers, right?  I mean, we
> all know you should buy at least one extra NT box for each net, don't we?
> Yuck!)  Geez, I *knew* this, but forgot about it.  I've been thinking *nix and not
> thinking Microsoft.
> 
> Anyway, we've got it, and all is well.  I just have a pounding headache from
> hitting my head against the wall like an idiot.  I should have known better!
> 
> Oh, and whoever recommended gfcc as the graphical interface for the firewall: 
> THANK YOU!  It doesn't do everything we'd like, but it's got most of it and my
> Windows-oriented clients can work with it.
> 
> Best,
> Caity
> 
> Caitlyn M. Martin
> NetFerrets
> caitlyn at netferrets.net
> 
> 