Problems with NT domain authentication
volker.tanger@wyae.de
Wed, 26 Apr 2000 23:05:20 +0200 (CEST)
Greetings!
On 26 Apr, Justin Burket wrote:
> For the past week I've been trying to configure a simple firewall
> that will pass NT domain requests to the other side. Is this possible? Is
Should be - even if Micro$oft did a thorough job in inventing weird
protocols. You will have to allow (viewed from the PC starting the
connection)
Source              Direction   Destination
-------------------------------------------
for SMB/NBT:
TCP/1024-65535      ->          TCP/137
UDP/137             ->          UDP/137
TCP/1024-65535      ->          TCP/138
UDP/138             ->          UDP/138
TCP/1024-65535      ->          TCP/139
UDP/139             ->          UDP/139

for M$-RPC:
TCP/1024-65535      ->          TCP/135
UDP/135             ->          UDP/135
and(!)
UDP/1024-65535      <-->        UDP/1024-65535
plus the according rules for answer/response packets. I am not sure
whether I listed a bit too much, but my docs are not at hand...
It seems that M$-RPC works a bit like good old FTP - server opening
connection to client. This might bring problems when using NAT (as e.g.
M$-NetMeeting will not work with NAT).
> there some nature of the domain controller that will not allow it to go
> through a NAT box? I'm almost certain it is, I've seen the FreeBSD firewall
> code do it with a lmhosts file setup...help
See above. It seems that - at least for some parts of the protocols -
M$ transfers the client IP on application layer (OSI level 7) which is
not altered by NAT.
Bye
Volker
--
Volker Tanger volker.tanger@wyae.de
-===================================-
Research & Development Division, WYAE
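The port list in the reply above, written out as an iptables FORWARD ruleset (an added example, not code from the thread). CLIENT_NET, DC_IP and the use of iptables' state match are assumptions; one ESTABLISHED,RELATED rule stands in for the per-port answer/response rules the post mentions, and the wide UDP 1024-65535 rule for MS-RPC is pinned to the DC address so it does not open every UDP port on the whole network.

```shell
#!/bin/sh
# Added example: encode the SMB/NBT and MS-RPC port list from the post
# above as iptables FORWARD rules. Addresses are constructed placeholders
# (RFC 5737 documentation ranges); override them via the environment.
CLIENT_NET="${CLIENT_NET:-192.0.2.0/24}"   # network of the PCs starting connections
DC_IP="${DC_IP:-198.51.100.10}"            # the NT domain controller
IPT="${IPT:-iptables}"

# Print the rules rather than applying them, so they can be reviewed
# first; pipe the output to sh to load them.
nt_domain_rules() {
    # Answer/response packets: one stateful rule instead of mirrored
    # per-port rules, and it also covers replies to the UDP rules below.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # SMB/NBT as listed in the post: TCP from an ephemeral port, and
    # UDP port-to-port, client -> DC only.
    for p in 137 138 139; do
        echo "$IPT -A FORWARD -p tcp -s $CLIENT_NET --sport 1024:65535 -d $DC_IP --dport $p -m state --state NEW -j ACCEPT"
        echo "$IPT -A FORWARD -p udp -s $CLIENT_NET --sport $p -d $DC_IP --dport $p -j ACCEPT"
    done

    # MS-RPC endpoint mapper.
    echo "$IPT -A FORWARD -p tcp -s $CLIENT_NET --sport 1024:65535 -d $DC_IP --dport 135 -m state --state NEW -j ACCEPT"
    echo "$IPT -A FORWARD -p udp -s $CLIENT_NET --sport 135 -d $DC_IP --dport 135 -j ACCEPT"

    # The "and(!)" rule: dynamic RPC ports in both directions. This is the
    # risky part of the policy, so restrict it to the DC address only and
    # never to a whole subnet on the far side.
    echo "$IPT -A FORWARD -p udp -s $CLIENT_NET --sport 1024:65535 -d $DC_IP --dport 1024:65535 -j ACCEPT"
    echo "$IPT -A FORWARD -p udp -s $DC_IP --sport 1024:65535 -d $CLIENT_NET --dport 1024:65535 -j ACCEPT"

    # Default deny for anything not listed.
    echo "$IPT -A FORWARD -j DROP"
}

# Number of rules emitted, for a quick sanity check.
rule_count() { nt_domain_rules | wc -l | tr -d ' '; }
```

Because the firewall tracks state, this set deliberately omits the reverse TCP rules the post would otherwise need; a stateless packet filter would require them explicitly.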