To: "Les Mikesell"
Subject: Re: Redhat9 CIPE
From: "Naoki"
Date: Fri, 25 Jul 2003 11:20:03 +0900
Cc: <cipe-l,AT,inka,DOT,de>
References: <000c01c351f9$9217b680$c801a8c0@naoki3> <1059064503.11694.68.camel@moola.futuresource.com>

Dear Mikesell,

 Thank you for your advice.

 But if a few Windows PCs are on one LAN without a WINS server,
these PCs can see each other by NetBIOS name.


 So I expected that if iptables accepts transferring ports 137:139
through CIPE, I can do it easily.

 And then, though I changed my iptables for this transferring,
cipcb0 could not receive any UDP packets from eth1.
 After this, I tried to use lmhosts on the Windows PC. In this test I could
not see the NetBIOS name (LAN1 to LAN2) directly. But after searching
for the NetBIOS name with Explorer, I could use the NetBIOS name.
 Using lmhosts, cipcb0 received a lot of packets, but only TCP (not UDP).

 I read the CIPE documentation again. Certainly it says "CIPE encrypted
IP datagrams in UDP datagrams......."

 Certainly, Samba is a good solution for us. But if I build Samba into
the firewall system, a new daemon runs. I don't say that Samba security
is bad. Sorry, my sentence was not clear enough.
 I'd like to build this firewall with as few system daemons as possible.

 In the dial-up case, IP addresses are distributed by the DHCP server on
LAN1 to each Windows PC.
             DHCP               |
                                    |=== dial-up----Mobile PC

 Even if the DHCP server manages the distributed IP addresses by MAC
address (almost the same as fixed IPs), the mobile PC cannot see which
PCs are turned on at once.

 Ummm, I have to evaluate CIPE in more detail.

 If you have more information, would you please let me know?
There is not a lot of information about CIPE in Japan.

Best regards,

----- Original Message ----- 
From: "Les Mikesell"
To: "Naoki" <i_naoki,AT,mbf,DOT,nifty,DOT,com>
Cc: <cipe-l,AT,inka,DOT,de>
Sent: Friday, July 25, 2003 1:35 AM
Subject: Re: Redhat9 CIPE

> On Thu, 2003-07-24 at 10:38, Naoki wrote:
> >  Are there any ways to see NetBIOS name without wins server ?
> >
> You need it if you want to be able to browse the network neighborhood
> across any kind of router.  This isn't related to cipe at all.
> >  I guess, if iptables accepts port 137:139 for CIPE, I can see it.
> >
> >  How is my guess ?
> >
> If you know the IP numbers or the netbios names are the same
> as DNS names you can connect to the shared resources without
> WINS involvement.
> > In this situation, I must build a Firewall system with VPN for business.
> > If I build Samba into this system, security will not be good.
> Why do you say that?  Compared to Windows, Samba security is excellent.
> > (And, if ClientPC is not on LAN(Ex.dial-up), there is not wins server.)
> Look at the client IP number.  I think you'll see that it is on
> the LAN and the server is forwarding broadcasts instead of
> routing.
> > Though I tried to use lmhosts on a Windows PC on LAN2, I could not
> > see the other side's NetBIOS name on LAN1 directly.
> >  After searching for this NetBIOS name, I could find it.
> It won't show up in the browse list, but like using the IP number
> or DNS name, it lets you connect if you know the resource name.
> > Anyway, I really worry now. Since CIPE is faster than IPsec and is
> > useful for NAT, I'd like to use CIPE very much.
> You are going to have exactly the same issue with any solution
> that works like a router and does not forward broadcasts.

> Les Mikesell
> les,AT,futuresource,DOT,com
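The point both messages circle around, that a NetBIOS name query is a subnet broadcast by default and therefore stops at any router or tunnel endpoint, while a unicast query to a host whose IP is already known (via lmhosts or WINS) goes through, can be seen in the packets themselves. The following is an added example, not code from this list thread and not part of CIPE or Samba: it builds an RFC 1002 NBNS (UDP/137) name query in both broadcast and unicast form, parses a constructed positive name response, and can optionally send the unicast query to a host on the far side of a tunnel. The host name NAOKI3 and the address 192.168.1.200 are constructed sample values.

```python
"""NBNS (NetBIOS Name Service, UDP/137) helpers after RFC 1001/1002.

Added example for the cipe-l thread; not code from the list, CIPE or Samba.
It shows why NetBIOS names resolve across a routed link (e.g. a CIPE
tunnel) only when the query is sent unicast to a known IP or WINS server:
the default query is a broadcast, which a router does not forward.
"""
import socket
import struct

NB_NAME_QUERY = 0x0020     # QTYPE NB: name -> IP address(es)
NB_STATUS_QUERY = 0x0021   # QTYPE NBSTAT: node status (wildcard name "*")
FLAG_RESPONSE = 0x8000     # R bit
FLAG_AA = 0x0400           # authoritative answer
FLAG_RD = 0x0100           # recursion desired
FLAG_BROADCAST = 0x0010    # "B" bit: packet was sent to the subnet broadcast


def encode_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding: 15-char space-padded name + 1 suffix byte, each
    byte split into two nibbles mapped onto 'A'..'P' (32 ASCII chars)."""
    if name == "*":                       # wildcard is NUL-padded, not space-padded
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded: str) -> tuple:
    """Inverse of encode_name: returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a DNS-style name starting at pos."""
    while True:
        ln = data[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0:                     # label-pointer compression, 2 bytes
            return pos + 2
        pos += 1 + ln


def build_name_query(name: str, txid: int, suffix: int = 0x00,
                     broadcast: bool = False) -> bytes:
    """NB name query. broadcast=False is what a host does when lmhosts or WINS
    tells it where to ask; broadcast=True is the default LAN discovery."""
    flags = FLAG_RD | (FLAG_BROADCAST if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    enc = encode_name(name, suffix).encode("ascii")
    question = bytes([len(enc)]) + enc + b"\x00" + struct.pack("!HH", NB_NAME_QUERY, 1)
    return header + question


def query_flags(pkt: bytes) -> int:
    """Flags word of a packet (bytes 2..3), for inspection."""
    return struct.unpack("!H", pkt[2:4])[0]


def build_name_response(query: bytes, addrs: list, ttl: int = 300000) -> bytes:
    """Constructed positive name response, as the named host (or a WINS
    server) would send back: one NB RR, RDATA = (NB_FLAGS, IPv4) per address."""
    txid, = struct.unpack("!H", query[:2])
    rr_name = query[12:_skip_name(query, 12)]            # echo the queried name
    rdata = b"".join(struct.pack("!H", 0) + socket.inet_aton(a) for a in addrs)
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE | FLAG_AA | FLAG_RD, 0, 1, 0, 0)
    return header + rr_name + struct.pack("!HHIH", NB_NAME_QUERY, 1, ttl, len(rdata)) + rdata


def parse_name_response(data: bytes) -> dict:
    """Parse an NBNS response (uncompressed, scope-less names assumed)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_RESPONSE:
        raise ValueError("not an NBNS response")
    pos = 12
    for _ in range(qd):                   # skip any echoed question entries
        pos = _skip_name(data, pos) + 4
    name, addrs = None, []
    for _ in range(an):
        end = _skip_name(data, pos)
        name = decode_name(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))[0]
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[end:end + 10])
        rdata = data[end + 10:end + 10 + rdlen]
        if rtype == NB_NAME_QUERY:
            addrs += [socket.inet_ntoa(rdata[o + 2:o + 6]) for o in range(0, rdlen, 6)]
        pos = end + 10 + rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "name": name, "addrs": addrs}


def resolve_unicast(name: str, host: str, timeout: float = 2.0) -> list:
    """Send a unicast NB query straight to `host` (far-side PC or WINS server)
    on UDP/137. No broadcast is involved, so forwarding UDP/137 over the
    tunnel suffices. Needs a live peer; not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_name_query(name, txid=0x1234), (host, 137))
        data, _ = s.recvfrom(1024)
    return parse_name_response(data)["addrs"]


def demo() -> dict:
    """Offline walk-through with constructed values: unicast query for
    NAOKI3, the reply a host at 192.168.1.200 would send, parsed back."""
    query = build_name_query("NAOKI3", txid=0x1234)
    return parse_name_response(build_name_response(query, ["192.168.1.200"]))


if __name__ == "__main__":
    print(demo())
```

Compare query_flags on the two query forms: the unicast query carries 0x0100 and the broadcast query 0x0110. A firewall rule that passes UDP/137 across cipcb0 is enough for the first kind, which is exactly what an lmhosts entry or a WINS server makes the Windows client send; it does nothing for the second, because the broadcast never reaches the tunnel interface in the first place.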

