There is a workaround for NetBIOS authentication through NAT.
I'm not sure if it was this list I already posted the link on.
Here it is again if I have:
http://www.linuxplanet.com/linuxplanet/print/1159/
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ / ASCII Ribbon Campaign [EMAIL PROTECTED]
X - NO HTML/RTF in e-mail http://www.curious.org/
/ \ - NO Word docs in e-mail "This quote is false." -anon
On Wed, 16 Aug 2000, C. M. Martin wrote:
> Hi, everyone,
>
> All is working here now. The opinion of the engineer I was working with is
> that the first netstat entry *is* wrong, since the address is outside the
> bounds of our network, but it isn't affecting anything, and my attempts to
> delete and correct the entry with the route command fail. Since it really
> doesn't break anything, we're going to worry about it later.
>
> The problems were, as I suspected, simple and stupid. I had forgotten to add a
> forward -j ACCEPT line for the server on the DMZ to ipchains. I put one line
> allowing everything, and suddenly everything worked. Needless to say, I need
> to replace it with specific lines only allowing specific ports. Yikes! Once
> that was fixed, tracert (the NT version of traceroute), ping, and so on all
> worked.
>
> Problem two (equally stupid) is that NetBIOS is *not* routable, and I was trying
> to route authentication through the firewall. Duh! I needed to dual home the
> DC and turn IP forwarding off on that box so that it can't be used to do an
> end-around to get past the firewall. Consider it another limitation of how
> Microsoft chose to do NT authentication. (Like, who needs domains on more than
> one network and only one or two domain controllers, right? I mean, we
> all know you should buy at least one extra NT box for each net, don't we?
> Yuck!) Geez, I *knew* this, but forgot about it. I've been thinking *nix and not
> thinking Microsoft.
>
> Anyway, we've got it, and all is well. I just have a pounding headache from
> hitting my head against the wall like an idiot. I should have known better!
>
> Oh, and whoever recommended gfcc as the graphical interface for the firewall:
> THANK YOU! It doesn't do everything we'd like, but it's got most of it and my
> Windows-oriented clients can work with it.
>
> Best,
> Caity
>
> Caitlyn M. Martin
> NetFerrets
> [EMAIL PROTECTED]
>
>
> _______________________________________________
> techtalk mailing list
> [EMAIL PROTECTED]
> http://www.linux.org.uk/mailman/listinfo/techtalk
>
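The cleanup described in the quoted message (replacing the single allow-everything forward line with lines for specific ports) can be checked mechanically. The following is an added example, not part of either message: a small Python audit over constructed ipchains command lines. The address 192.0.2.10, the ports and the function names are assumptions for illustration, and negation (`!`) is not handled.

```python
import shlex

# Constructed sample rules; addresses and ports are illustrative assumptions.
SAMPLE_RULES = """\
ipchains -A forward -j ACCEPT
ipchains -A forward -p tcp -s 0.0.0.0/0 -d 192.0.2.10 25 -j ACCEPT
ipchains -A forward -p tcp -s 0.0.0.0/0 -d 192.0.2.10 -j ACCEPT
ipchains -A forward -s 192.0.2.10 -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -j ACCEPT
ipchains -A forward -p udp -d 192.0.2.10 53 -j ACCEPT
"""

ANY_ADDR = {None, "0/0", "0.0.0.0/0"}

def parse_rule(line):
    """Extract chain, protocol, destination, port and target from one -A command."""
    tok = shlex.split(line)
    rule = {"chain": None, "proto": None, "dst": None, "dport": None, "target": None}
    for i, opt in enumerate(tok):
        nxt = tok[i + 1] if i + 1 < len(tok) else None
        if opt == "-A":
            rule["chain"] = nxt
        elif opt == "-p":
            rule["proto"] = nxt
        elif opt == "-j":
            rule["target"] = nxt
        elif opt == "-d":
            rule["dst"] = nxt
            # ipchains takes the optional port as a bare word after the address
            if i + 2 < len(tok) and not tok[i + 2].startswith("-"):
                rule["dport"] = tok[i + 2]
    return rule

def audit(rules_text):
    """Return (line number, reasons) for each overly broad forward ACCEPT rule."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = parse_rule(line)
        if r["chain"] != "forward" or r["target"] != "ACCEPT":
            continue
        why = []
        if r["proto"] in (None, "all"):
            why.append("any protocol")
        if r["dst"] in ANY_ADDR:
            why.append("any destination")
        if r["proto"] != "icmp" and r["dport"] is None:
            why.append("any port")
        if why:
            findings.append((n, why))
    return findings
```

Calling `audit(SAMPLE_RULES)` flags the blanket rule on line 1 as well as the two partially restricted rules that still leave the port or the destination open.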