RE: sunscreen vs netbios

[Henry Sieff <hsieff () orthodon com>]

> -----Original Message-----
> From: Mikael Olsson [mailto:mikael.olsson () clavister com]
> Sent: Monday, October 28, 2002 5:59 PM
> To: todd () bsd uchicago edu
> Cc: firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] sunscreen vs netbios
>
>
>
> Todd Anderson wrote:
> > I am having trouble getting sun to allow certian netbios traffic.
> >
> > netbios works if I manually map a share
> > net use x: \\server\share /USER:domain\me
> >
> > however, when I try to browse the network or join a domain 
> I never see a
> > response comming back to the external interface of the 
> sunscreen.  (using
> > snoop)
>
> Generally speaking, MS networks can't be browsed through 
> anything with a
> routing table without extra work.  The reason is their fondness for 
> broadcast name resolution.  Broadcasts never exit the local network.
> (What?!? Is there something other than thin ethernet cable?  Naaah.)

When using NAT and NETBIOS, and routers, a couple of issues come up:

1) Some Netbios commands actually contain the IP addresses in payload; this
affects things such as domain trusts, adding computers to a domain, etc. If
your NAT code is not netbios aware, this can be a Problem. For more info:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q172227

> My guess would be that you need a WINS server on the main 
> network, that 
> you configure your client to use.  Now, instead of only doing 
> broadcast 
> resolution, your client will ask the WINS server where the domain is, 
> and what boxes can be reached. 

2) Without WINS, or the use of an lmhosts file, clients will simply try to
use WINS broadcasts to find servers, which means browsing will not work
unless you can set up the router to forward broadcasts. However, if you have
a domain controller, you can set it up and change the clients to use hybrid
mode; then they will be able to query the WINS server for resolution. The
WINS server will also act as the master browser, and it should work. For
more info: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q117633

However, if your NAT device is not NETBIOS-aware, WINS will not work
properly across it.

> I am also told that W2K Dynamic DNS 
> will do much of the same, but I Don't Do That. :)

You are correct; W2K DDNS allows clients to update the DNS server when they
come up. Also, it will work across a NAT boundary, since it doesn't depend
on netbios name services.

It sucks, but there it is.

--
Henry
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards