Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (ASCEND) Re: NetBios Filters
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here is my contribution to controlling the line bring up problem.
The clients I have applied these to ARE NOT using TCP Microsoft
Networking, on their local LAN, TCP is only for Internet use, I have
always disabled the bindings for Microsoft TCP networking .
Hope this may help.
************************
In NT
Network: TCP/IP Protocol (Properties): WINS Address
Disable DNS for Windows Resolution
************************
http://www.microsoft.com/kb/articles/q137/3/68.htm
- - - - -Microsoft's DNS Bug Information
Microsoft Knowledge Base
How to Disable NetBIOS Name Resolution on DNS
Last reviewed: May 1, 1997 Article ID: Q137368
The information in this article applies to: Microsoft Windows 95
IMPORTANT: This article contains information about editing the
registry. Before you edit the registry, you should first make a
backup copy of the registry files (System.dat and User.dat). Both are
hidden files in the Windows folder. SUMMARY This article describes
how to disable NetBIOS name resolution on a domain- name system (DNS)
while retaining other DNS functionality. MORE INFORMATION When
Windows 95 tries to resolve a NetBIOS name using a NetBIOS name
server, it first checks a Windows Internet Name Service (WINS)
server, and then checks a DNS server. WARNING: Using Registry Editor
incorrectly can cause serious problems that may require you to
reinstall Windows 95. Microsoft cannot guarantee that problems
resulting from the incorrect use of Registry Editor can be solved.
Use Registry Editor at your own risk. NOTE: For information about
how to edit the registry, view the Changing Keys And Values online
Help topic in Registry Editor (Regedit.exe). Note that you should
make a backup copy of the registry files (System.dat and User.dat)
before you edit the registry. To disable NetBIOS name resolution on
a DNS server, change the string value EnableDNS in the registry
key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP from 1
to 0.
query words: 95 black hole tcp/ip Keywords : kbnetwork kbusage msnets
win95 Version : 95 Platform : WINDOWS </SPAN> THE INFORMATION
PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT
WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY. Last reviewed: May 1, 1997 ©1997 Microsoft Corporation.
All rights reserved. Legal Notices </MISC/CPYRIGHT.HTM>.
************************
An ascend filter that was passed on to me that may help:
START=FILT=200=0
Name=Windows Call
In filter 01...Valid=Yes
Out filter 01...Valid=Yes
Out filter 01...Type=IP
Out filter 01...Ip...Protocol=17
Out filter 01...Ip...Src Port Cmp=Eql
Out filter 01...Ip...Src Port #=137
Out filter 01...Ip...Dst Port Cmp=Eql
Out filter 01...Ip...Dst Port #=137
Out filter 02...Valid=Yes
Out filter 02...Type=IP
Out filter 02...Ip...Protocol=17
Out filter 02...Ip...Src Port Cmp=Eql
Out filter 02...Ip...Src Port #=138
Out filter 02...Ip...Dst Port Cmp=Eql
Out filter 02...Ip...Dst Port #=138
Out filter 03...Valid=Yes
Out filter 03...Type=IP
Out filter 03...Ip...Protocol=17
Out filter 03...Ip...Src Port Cmp=Eql
Out filter 03...Ip...Src Port #=139
Out filter 03...Ip...Dst Port Cmp=Eql
Out filter 03...Ip...Dst Port #=139
Out filter 04...Valid=Yes
Out filter 04...Type=IP
Out filter 04...Generic...Forward=Yes
Out filter 04...Ip...Forward=Yes
END=FILT=200=0
At 10:56 PM 10/7/97 +0100, you wrote:
>I just read the FAQ Kevin Smith mentioned for the description of
NetBEUI
>filters (http://www.ascend.com/faqs/750/786-faq.html) and it looks
to me
>that a long, long thread is going to start again in this list...
>
>Basically it describes how to filter UDP traffic on ports 137-139.
I've
>tried that in the past (having a NT 3.51 workstation behind a P50)
with
>little success. As suggested on this list I even filtered TCP
traffic on
>these ports with the same effect. Strange, before joining the Ascend
>list I always thought that Ethernet traffic in general and binary
>matches in particular were deterministic actions, i.e. when I do
exactly
>what somebody else describes what I have to do to filter some sort
of
>traffic it would just work. I am not sure anymore ;->
>
>Then I used the debug method to determine the packet that causes the
>dial-out (debug mode/wdd). It looked like:
>
>WD_DIALOUT_DISP: chunk 25B6DE type OLD-STYLE-PADDED.
>: 44 octets @ 2864A8
>
>00 C0 7B 5C DD A7 destination MAC
>00 00 C0 D3 9D AD source MAC
>08 00 type IP
>45 00 00 2C 8B 54 ???
>40 00 1F 06 13 B1 ???
>FF D9 61 12 149.xxx.97.18 <NT host>
>FF D9 30 02 149.xxx.48.2 <DNS name server>
>06 C8 00 6E 2E CC ???
>4F 59 00 00 ???
>
>I couldn't decode it fully but from the addresses I guessed it was a
>WINS call to the name server, thus totally legal.
>In contrast to the FAQ I think that configuring WINS is not causing
>grief for NT users. WINS is comparable to DNS, it's a service you
need
>on the LAN. If you filter it you'll miss it. Of course, the local NT
>machines should be listed in a local LMHOSTS file to reduce this
kind of
>traffic.
>
>Still not happy with a call every 10 minutes I searched the MS
>website/Knowledge Base for the dialup issue. I found two texts
dealing
>with NT browser lookups and Domain Controller lookups:
>
>Information on Browser Operation
>Article ID: Q102878
>Revision Date: 24-SEP-1996
>
>Browsing & Other Traffic Incur High Costs over ISDN Routers
>Article ID: Q134985
>Revision Date: 03-SEP-1996
>
>In essence my trouble started when I connected to a NT domain and
became
>part of it. When I log off NT generates a list of all known domains
the
>NT workstation is part of and this causes a dial-out. Solution: I
don't
>log off anymore :-)
>
>And there are frequent browser updates and such associated with
domain
>membership as outlined in the first MS article. In the second MS
article
>I found registry keys which control the frequency of the updates. I
>changed them from 10 minutes to 1 day and I can live with it now.
>
>This "solution" does not impair NT browsing other than the browsing
list
>sometimes is 1 day old whereas with filtering I would not get any
>browsing information. (Besides, filtering did never work for me,
either
>because I am too dumb to copy Ascend's FAQ or I mix up In and
Out...)
>
>Then somebody suggested using IP only. Of course you can transfer
files
>with an ftp client, you could mount NFS drives using 3rd party
software,
>you could even telnet into a NT box with additional software. But,
alas,
>there is one thing I experienced that will only work with NetBEUI
>enabled. Sometimes the remote domain controller won't authenticate
me.
>For whatever reasons (mumble, mumble, "Your set of permissions do
not
>match the requested permissions..."), and sure next day it _will_
let me
>in.
>The workaround is to mount an NT drive in File Manager (via NetBEUI)
- -
>the only place where NT will ask you for a username and password if
it
>thinks you are not authorized to come in the easy way. All other
silent
>logins (via RPC) will not ask but refuse the request. The eventlog
for
>example. So I keep NetBEUI alive, and sometimes it's only convenient
to
>mount a drive in File Manager.
>
>Hope this makes the "NT filtering" thing a bit easier for all of us
who
>are suffering from MS operating systems. One day MS will give up
NetBEUI
>altogether in favor of IP and Ascend's users will be happy again.
>
>Sorry if this post got a bit longer.
>
>Cheers,
> Wolfgang
>
>_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
_-_-
> B E N E I C K E
> EDV-Beratung
>_____________________________________________________________________
___
> Netzwerk-Design - 3Com Solution Partner
> ISDN Remote Access - ASCEND Vertrieb
> DIGITAL PC-Systeme und Server
> ApplePoint
> Windows NT-Netzwerke
> Unix Workstation-Peripherie
>
>Dr. Wolfgang Beneicke fon +49-6223-
48126
>Fasanenstrasse 16, D-69251 Gaiberg fax +49-6223-
5708
>...near world famous Heidelberg, Germany
>_-_-_-_-_s-c_h-n_i-p_p_-_-_-_-_-_-_-_-_-_--_-_-_-_-_-_-_-_z-a_c-k_-_-
_-_
>++ Ascend Users Mailing List ++
>To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
>To get FAQ'd: <http://www.nealis.net/ascend/faq>
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBNDvSizFXdCayiTaREQJSygCff947QDrXeYnK4JDyphO7IN808/IAoLA2
/mto0UMAkJ4CdM122MYB/94C
=sM2E
-----END PGP SIGNATURE-----
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>