RE: Operational impact of filtering SMB/NETBIOS traffic?
From: Jim Mercer [mailto:jim@reptiles.org]
Sent: Sunday, November 19, 2000 10:38 AM
On Sun, Nov 19, 2000 at 10:25:18AM -0800, Roeland Meyer wrote:
why does the application need a "share"? can it not just negotiate the information needed without mounting the entire office over a 33.6K connection?
You ARE joking, right? I haven't seen a 33.6K connection in years.
well, you live a sheltered life.
i'm kinda getting tired of people who design/implement wide area applications while wearing blinders.
So am I. Transit providers shouldn't be filtering without specific request.
could you not use an IPSec tunnel from one LAN to another, then run SMB over that tunnel?
is it not possible to use ssh port forwarding to move the packets through a secure tunnel that way?
When I can, that's what I do, via F-Secure port forwarding. However, many shops explicitly block port 22. This kills IPsec as well.
if many shops are explicitly blocking port 22, but allowing SMB, then they need their heads examined.
We agree there. I prefer the SSH connection. That's why we went to the trouble to set it up in the first place.
i'm not sure how port 22 affects IPsec.
Kills it dead, just like SSH.
it seems that you are arguing that filtering SMB will inadvertently affect a bunch of boneheads that don't know what they are doing beyond point and click.
Say that to a dot-com VP and manage to keep your business relationship (paycheck). If you can do that, I want you on my sales force.
i don't have a problem with that. sure would clear off a bunch of bandwidth from my networks to further enable the users who aren't boneheads (or being managed by boneheads).
The "A" students work in research labs, run by the "B" students, in companies, that are managed by the "C" students, for the owners, that were the "D" students. They may be boneheads, but who has the money?
On Sun, Nov 19, 2000 at 10:56:03AM -0800, Roeland Meyer wrote:
i'm not sure how port 22 affects IPsec.
Kills it dead, just like SSH.
as i understand it, ipsec doesn't use ports.
it seems that you are arguing that filtering SMB will inadvertently affect a bunch of boneheads that don't know what they are doing beyond point and click.
Say that to a dot-com VP and manage to keep your business relationship (paycheck). If you can do that, I want you on my sales force.
i'm quite happy to blow off businesses that have bonehead management. saves me a lot of grief in the long run. i'm quite happy to continue to work with those that have a clue, or are at least willing to listen to someone who has one.
They may be boneheads, but who has the money?
there is more to life than money.

--
[ Jim Mercer                 jim@reptiles.org              +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
On Sun, Nov 19, 2000 at 10:56:03AM -0800, Roeland Meyer wrote:
i'm not sure how port 22 affects IPsec.
Kills it dead, just like SSH.
Um, no.

BTW, if I ordered a T1 line and some joker showed up with a win2k laptop demanding I open up my firewall so he could log into his PDC, I'd laugh and send him home.

--Adam

--
Adam McKenna <adam-sig@flounder.net> | "No matter how much it changes,
http://flounder.net/publickey.html   | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA        | connected to a bunch of other wires."
     38B0 05D0 8BF7 2C6D 110A        | Joe Rogan, _NewsRadio_
3:08pm up 162 days, 13:24, 11 users, load average: 0.00, 0.00, 0.00
[ On Sunday, November 19, 2000 at 10:56:03 (-0800), Roeland Meyer wrote: ]
Subject: RE: Operational impact of filtering SMB/NETBIOS traffic?
i'm not sure how port 22 affects IPsec.
Kills it dead, just like SSH.
If your IPsec runs on port 22, then it's not IPsec. :-)

So far, in my extremely narrow experience with such matters, I've not yet run across an end-user access provider who filters real IPsec. I have, finally, started to encounter access providers who filter spoofed source addresses though (and three cheers to them!). I learned about the latter because my home tunnel wasn't capturing quite every packet it should and as a result some asymmetric routing had been going on and I was temporarily under the mistaken impression that my provider had started filtering some legit traffic.
Say that to a dot-com VP and manage to keep your business relationship (paycheck). If you can do that, I want you on my sales force.
I think you're looking at this the wrong way around. If the dot-com VP who pays you isn't in fear of your superior technical capabilities and your control over his or her network then you need to remind that person just how much they depend on you and just how little they want to anger you and that they'd better do things your way or they'll not have a dot-com business to be VP of.

Of course if you're just "selling" to the dot-com VP then yes, you're not exactly going to be able to tell them to do things your way unless you're able to present it as a solution to even more problems than they perceive it will present to them. Worse if the techie that the dot-com VP does live in fear of is just as lost on the concepts as their management is, then you should probably try to find a better customer that won't cost you as much to support. :-)

--
Greg A. Woods
+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
participants (4)
- Adam McKenna
- Jim Mercer
- Roeland Meyer
- woods@weird.com