<< | Thread Index | >> ]    [ << | Date Index | >> ]

To: "Naoki" <i_naoki,AT,mbf,DOT,nifty,DOT,com>
Subject: Re: Redhat9 CIPE
From: "Les Mikesell" <les,AT,futuresource,DOT,com>
Date: Thu, 24 Jul 2003 22:04:06 -0500
Cc: <cipe-l,AT,inka,DOT,de>
References: <000c01c351f9$9217b680$c801a8c0@naoki3> <1059064503.11694.68.camel@moola.futuresource.com> <002a01c35253$445dd870$c801a8c0@naoki3>

>From: "Naoki" <i_naoki,AT,mbf,DOT,nifty,DOT,com>

>  But, If a few WindowsPC is on one LAN without wins server,
> these PC can see each other by NetBIOS name.
> 
>         PC1-----PC2-----PC3----PCn
> 
>  So, I expected if iptables accepts the transfering port 137:139
> through CIPE, I can do it easily.

Netbios name exchanges use several fairly complex schemes but
all of them except WINs rely on broadcasts.  The LAN sends
broadcasts everywhere.  Cipe acts like a router instead and
only forwards to specific addresses.

>  And then, Though I changed my iptables for this transfering,
> cipcb0 could not receive any UDP packets from eth1.

It isn't UDP vs. TCP.  Cipe forwards UDP or you wouldn't get
DNS queries or results through it.

>  I read CIPE document again, Certainly there is "CIPE encrypted
> IP datagrams in UDP datagrams......."
> ^^^^^^^^^^^^^

"IP" includes both TCP and UDP.   

> Certainly, Samba is a good solution for us. But If I build Samba into
>Firewall system, a new deamon run. I don't say what Samba security
>is bad. Sorry my not enough sentense.
 >I'd like to build this Firewall with a little system deamons as possible.

It is not necessary for the WINS server to be on the firewall.   It can be
any samba, NT, or win2k server that all the machines can reach.  However
the IP address of the WINS server must be configured on each client.  This
can be done through the DHCP service and is the easiest way to handle
the issue if the LANs will always be connected and really need to be able
to discover otherwise unknown servers.  (Personally I think if people don't
know a server name they shouldn't be connecting to it...).

>  In the dial-up case, IP address are distributed by DHCP server on
> LAN1 for each WindowsPC.
> 
> 192.168.0.0/24                                    192.168.10.0/24
> LAN1----------GW1========GW2------------LAN2
>              DHCP               |
>                                     |=== dial-up----Mobile PC
> 
>  Even if DHCP server manages distributed IP address by MAC
> address (almost same as fixed IP), Mobile PC cannot see which
> PC turned ON at once.

The dial-up gateway is forwarding broadcasts and making it appear
that the mobile PC is on the LAN.   That's not too bad for a single
machine but there are good reasons that routers do not forward
broadcasts between connected LANs.

>  Ummm, I have to evaluate CIPE more detail.

Again, this is a routing issue unrelated to CIPE.   You would see
exactly the same thing if you used a frame relay or other private
point-to-point connection.  Cipe simply emulates interfaces with
such a connection. 

>  If you have more information, would you please let me know ?
> There are not a lot of information about CIPE in Japan.

The samba documentation contains a good description of how
browsing is supposed to work:
http://www.jp.samba.org/samba/ftp/docs/textdocs/BROWSING.txt

---
  Les Mikesell
    les,AT,futuresource,DOT,com


<< | Thread Index | >> ]    [ << | Date Index | >> ]