Firewall Wizards mailing list archives
RE: sunscreen vs netbios
From: Henry Sieff <hsieff () orthodon com>
Date: Tue, 29 Oct 2002 15:51:27 -0600
-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () clavister com]
Sent: Monday, October 28, 2002 5:59 PM
To: todd () bsd uchicago edu
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] sunscreen vs netbios

Todd Anderson wrote:

I am having trouble getting sun to allow certain netbios traffic. netbios works if I manually map a share

net use x: \\server\share /USER:domain\me

however, when I try to browse the network or join a domain I never see a response coming back to the external interface of the sunscreen. (using snoop)

Generally speaking, MS networks can't be browsed through anything with a routing table without extra work. The reason is their fondness for broadcast name resolution. Broadcasts never exit the local network. (What?!? Is there something other than thin ethernet cable? Naaah.)
When using NAT and NETBIOS, and routers, a couple of issues come up:

1) Some Netbios commands actually contain the IP addresses in payload; this affects things such as domain trusts, adding computers to a domain, etc. If your NAT code is not netbios aware, this can be a Problem.

For more info: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q172227
My guess would be that you need a WINS server on the main network, that you configure your client to use. Now, instead of only doing broadcast resolution, your client will ask the WINS server where the domain is, and what boxes can be reached.
2) Without WINS, or the use of an lmhosts file, clients will simply try to use WINS broadcasts to find servers, which means browsing will not work unless you can set up the router to forward broadcasts. However, if you have a domain controller, you can set it up and change the clients to use hybrid mode; then they will be able to query the WINS server for resolution. The WINS server will also act as the master browser, and it should work.

For more info: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q117633

However, if your NAT device is not NETBIOS-aware, WINS will not work properly across it.
I am also told that W2K Dynamic DNS will do much of the same, but I Don't Do That. :)
You are correct; W2K DDNS allows clients to update the DNS server when they come up. Also, it will work across a NAT boundary, since it doesn't depend on netbios name services. It sucks, but there it is.

-- Henry

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
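The point made in this message about NetBIOS payloads carrying IP addresses, as an added example that is not part of the original thread: it builds and parses an RFC 1002 name registration request of the kind a client sends to a WINS server, then compares the address inside the NB record with the source address the server would see after NAT. The host name, both addresses and all function names are constructed for illustration; node type 3 is the hybrid (H-node) mode as Microsoft uses that value.

```python
import socket
import struct

NB, IN = 0x0020, 0x0001  # resource record type NB, class IN (RFC 1002)
NODE_TYPES = {0: "B-node", 1: "P-node", 2: "M-node", 3: "H-node"}

def encode_name(name, suffix=0x00):
    """First-level encoding: 15 padded chars + suffix -> 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    half = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + half + b"\x00"

def build_registration(name, ip, node_type=3, trn_id=0x1234):
    """Unicast NAME REGISTRATION REQUEST (opcode 5, RD set) for a WINS server."""
    header = struct.pack(">HHHHHH", trn_id, 0x2900, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", NB, IN)
    rdata = struct.pack(">H", node_type << 13) + socket.inet_aton(ip)
    rr = struct.pack(">HHHIH", 0xC00C, NB, IN, 300000, len(rdata)) + rdata
    return header + question + rr

def parse_registration(pkt):
    """Return (name, node type, address carried inside the NB record)."""
    enc = pkt[13:45]  # 32 encoded letters after the 0x20 length byte
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    off = 12 + 34 + 4  # header + question name + qtype/qclass
    flags, = struct.unpack_from(">H", pkt, off + 12)  # NB_FLAGS follow the 12-byte RR header
    addr = socket.inet_ntoa(pkt[off + 14:off + 18])
    return raw[:15].decode("ascii").rstrip(), NODE_TYPES[(flags >> 13) & 3], addr

def nat_mismatch(pkt, ip_header_src):
    """True when the registered address is not the source the server sees."""
    return parse_registration(pkt)[2] != ip_header_src

if __name__ == "__main__":
    # Constructed values: inside client 192.168.1.10, NAT outside address 203.0.113.5
    pkt = build_registration("WKSTN01", "192.168.1.10")
    print(parse_registration(pkt))
    print("stale address after NAT:", nat_mismatch(pkt, "203.0.113.5"))
```

A NAT device that rewrites only the IP header leaves the inside address in the record, so the WINS database hands out an address that hosts on the other side of the NAT cannot reach.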