blocking my internal network a bit

Support section for FREESCO v0.4.x

Postby strampke » Thu Oct 07, 2010 2:07 pm

Hi,

At work I have a network with 8 workstations, all XP Pro, a server (XP Pro) and a nice Freesco 0.4.2 to make it work.
Using Freesco one can create a LAN as large as you want, while XP restricts your network to a max of 5 computers.

One of the computers inside my network is in a more or less public room.
Windows uses Pervasive Btrieve software for most of the work at work.
All workstations get their data from a shared windows drive named O: which points to an XP machine being used as a file server.

Thanks to Freesco's restrict.cfg I have been able to stop people from connecting to facebook and hotmail during working hours.
Code:
be,66.220.156.0/24,800,1200    # facebook
be,66.220.156.0/24,1300,1700
be,69.63.0.0/16,800,1200       # facebook
be,69.63.0.0/16,1300,1700
be,65.54.165.0/24,800,1200     # login.live.com
be,65.54.165.0/24,1300,1700
be,65.54.186.0/24,800,1200     # login.live.com
be,65.54.186.0/24,1300,1700
be,213.199.164.110,800,1200    # msn (end time fixed: 170 is not a valid HHMM value)
be,213.199.164.110,1300,1700

Now I want to cut off the shared O: drive on this XP machine outside working hours by cutting it off in the background using Freesco blocking some ports.

Is this possible?

Strampke

ports 137, 445 ??
Last edited by strampke on Fri Oct 08, 2010 4:03 pm, edited 2 times in total.
Who knows knows, who doesn't doesn't.
strampke
Junior Advanced Member
Posts: 151
Joined: Mon Jul 29, 2002 12:36 pm
Location: Delden, Netherlands

Re: blocking my internal network a bit

Postby Lightning » Thu Oct 07, 2010 6:22 pm

Is this possible?
Yes and no. It is possible to do what you are asking IF the shared network drive computer is on a different internal subnet. But it is not possible for FREESCO to control internal traffic within a single subnet. In other words, the traffic to this machine must go through FREESCO and not just be accessible from FREESCO. So to really do what you are asking will require a router with three network cards.

I am unfamiliar with the bandwidth requirements this shared drive requires. But it might be beneficial for the two internal network cards to be Gigabit.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: blocking my internal network a bit

Postby strampke » Fri Oct 08, 2010 3:57 pm

How could I be so stupid not to think before I asked.
Nevertheless this can be useful for others.

In XP
This is how I shut off the XP Professional file server at 19.00 each day: create a task:
Code:
C:\WINDOWS\system32\shutdown.exe -s -t 00


On the Freesco box with CRON
This is how I start the XP file server every day from Monday to Friday at 7.30:
Code:
30 7 * * 1-5 wakelan 00:11:22:33:44:55

where CRON is the Linux timer in Freesco, wakelan a Freesco package to send a magic packet to wake up a computer in your LAN and 00:11:22:33:44:55 the MAC address of the NIC on the computer to be woken up.

Re: blocking my internal network a bit

Postby strampke » Sat Oct 09, 2010 2:04 pm

And the rest is fixed too.
By adding some more rules to restrict.cfg in such a way that the workstations cannot communicate over the LAN with the file server.
Code:
bl,137,10.0.0.46,0000,730   # server ports for the LAN from 19:00 to 07:30
bl,137,10.0.0.46,1900,2359
bl,138,10.0.0.46,0000,730
bl,138,10.0.0.46,1900,2359
bl,139,10.0.0.46,0000,730
bl,139,10.0.0.46,1900,2359
bl,445,10.0.0.46,0000,730
bl,445,10.0.0.46,1900,2359
bl,137,10.0.0.46,0000,2359,6   # server ports on Sat + Sun
bl,137,10.0.0.46,0000,2359,0
bl,138,10.0.0.46,0000,2359,6
bl,138,10.0.0.46,0000,2359,0
bl,139,10.0.0.46,0000,2359,6
bl,139,10.0.0.46,0000,2359,0
bl,445,10.0.0.46,0000,2359,6
bl,445,10.0.0.46,0000,2359,0

Ports 137,138,139 and 445 are blocked outside working hours and in the weekend.

Re: blocking my internal network a bit

Postby strampke » Wed May 04, 2011 9:18 am

I have to come back from my being satisfied about blocking the LAN.
I blocked ports 137, 138, 139 and 445, but still all clients can retrieve data from the file server.
Like this:
Code:
bl,137,10.0.0.46
bl,137,10.0.0.46
bl,138,10.0.0.46
bl,139,10.0.0.46
bl,445,10.0.0.46


How come btrieve clients can still communicate and retrieve data from 10.0.0.46

I have forbidden that, haven't I?

Re: blocking my internal network a bit

Postby Lightning » Thu May 05, 2011 3:42 am

bl,137,10.0.0.46
bl,138,10.0.0.46
bl,139,10.0.0.46
bl,445,10.0.0.46
I had not really paid much attention to your list before as you stated it was working. But looking at the new list and the old list it should be "blp" and NOT "bl" as you have it if you want to include a port.

bl = Ban Local
blp = Ban Local Port

Re: blocking my internal network a bit

Postby strampke » Thu May 05, 2011 5:20 pm

THANKS!

Re: blocking my internal network a bit

Postby strampke » Thu May 12, 2011 11:55 am

The THANKS was meant for the swift response.
However, despite the blocking the local network is as transparent as ever.
Exchanging files between 10.0.0.46 and the rest of the LAN is without constraints.

Do I do something wrong, or is it the command that isn't implemented in 0.4.3?

Re: blocking my internal network a bit

Postby Lightning » Fri May 13, 2011 8:53 pm

Hmmm, I wonder if this is because the response port is not the same as the server port. What you may need to do is to ban the other subnet rather than trying to ban the server. Not knowing what the other subnet is, it might be something like this:

blp,137,192.168.1.0/24

If this still does not work then try the firewall in "s" mode. If that also does not work then please provide a report with this command and attach it.

report netinfo

Re: blocking my internal network a bit

Postby strampke » Sun May 15, 2011 4:02 pm

The whole subnet is 10.0.0.x
So blp,137,10.0.0.0/24 maybe would do the trick.
I'll try and come back on the subject.

Re: blocking my internal network a bit

Postby strampke » Sat May 21, 2011 9:17 am

Well, I am sorry to say so, but even with
Code:
blp,137,10.0.0.0/24,0000,730   # server ports for the LAN from 19:00 to 07:30
blp,137,10.0.0.0/24,1900,2359
blp,138,10.0.0.0/24,0000,730
blp,138,10.0.0.0/24,1900,2359
blp,139,10.0.0.0/24,0000,730
blp,139,10.0.0.0/24,1900,2359
blp,445,10.0.0.0/24,0000,730
blp,445,10.0.0.0/24,1900,2359
blp,137,10.0.0.0/24,0000,2359,6   # server ports on Sat + Sun
blp,137,10.0.0.0/24,0000,2359,0
blp,138,10.0.0.0/24,0000,2359,6
blp,138,10.0.0.0/24,0000,2359,0
blp,139,10.0.0.0/24,0000,2359,6
blp,139,10.0.0.0/24,0000,2359,0
blp,445,10.0.0.0/24,0000,2359,6
blp,445,10.0.0.0/24,0000,2359,0

I can continue to do anything inside the LAN

To be sure that the concept is being understood I write it down again.
10.0.0.46 is a fileserver for BTrieve 6.15
Every client runs its own software which uses BTrieve and the data is stored on 10.0.0.46

I thought that blocking the mentioned windows ports might block BTrieve communication.
Maybe BTrieve uses other ports and not the common Windows ports.

Re: blocking my internal network a bit

Postby Lightning » Sat May 21, 2011 9:42 am

Try blocking port 3351 tcp and udp and see what happens.

Re: blocking my internal network a bit

Postby strampke » Sat May 21, 2011 4:33 pm

It seems my software supplier changed the BTrieve port from 3351 to 2050.
When I do a netstat -ano without and with the software running I see a TCP 2050 and a UDP 2049 added to the list.

I did try to block the 3351 as well as the 2050, but (on the same 10.0.0.46 machine) the software continues as if nothing has been blocked.
Next week I'll test it from a client to the dataserver.
Here is my weekend statement in restrict.cfg:
Code:
blp,3351,10.0.0.0/24,0000,2359,6
blp,3351,10.0.0.0/24,0000,2359,0
blp,2050,10.0.0.0/24,0000,2359,6
blp,2050,10.0.0.0/24,0000,2359,0

By the way: How do I block UDP 2049?

Re: blocking my internal network a bit

Postby Lightning » Sat May 21, 2011 8:05 pm

By the way: How do I block UDP 2049?
The blp function automatically blocks both tcp and udp on the specified port. But for general information, the actual commands given for this entry:
blp,2050,10.0.0.0/24

ends up being these commands when the time interval is active.
ipfwadm -F -a reject -P tcp -S 10.0.0.0/24 2050
ipfwadm -F -a reject -P tcp -D 10.0.0.0/24 2050
ipfwadm -F -a reject -P udp -S 10.0.0.0/24 2050
ipfwadm -F -a reject -P udp -D 10.0.0.0/24 2050

Re: blocking my internal network a bit

Postby dilberts_left_nut » Tue May 24, 2011 7:52 pm

Unless I'm missing something ...
If your workstations & server are on the same subnet, then communication will be direct between them, so no amount of blocking on your Freesco server will stop it, as Freesco is not routing any of that traffic.
To do what you want, I think you would need to restrict traffic with a firewall on the server machine, with suitable scripts to adjust the config at given times.
dilberts_left_nut
Member
Posts: 71
Joined: Thu Sep 02, 2004 8:25 am
Location: Christchurch, NZ
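The thread turns on three things: the restrict.cfg line format (be/bl/blp, an address, an optional HHMM window and an optional weekday), the four ipfwadm reject commands Lightning shows for one blp entry, and dilberts_left_nut's point that a router cannot filter traffic between two hosts on the same subnet because that traffic never reaches it. The following checker is an added example, not FREESCO's code or anything from this thread; every function name in it is mine. It assumes the time fields are HHMM with an inclusive window, that the last optional field is a cron-style weekday (0 = Sunday, 6 = Saturday, matching the "6" and "0" used for Saturday and Sunday above), that a rule without time fields is active all day, and that a blp rule applies when either end of the connection lies in its network. It also flags the "bl,137,10.0.0.46" mistake, since bl expects an address where a port was written.

```python
"""Added example, not FREESCO's own code: parses the restrict.cfg lines used in
this thread, reproduces the ipfwadm expansion shown for blp, and applies the
same-subnet check from the last reply. Assumed, not confirmed by the thread:
HHMM time fields with an inclusive window, a cron-style weekday as the last
field (0 = Sunday, 6 = Saturday), rules without times active all day, and a
blp rule matching when either endpoint lies in its network."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    kind: str                     # "be", "bl" or "blp"
    port: Optional[int]           # only blp carries a port
    target: str                   # address or network exactly as written
    net: ipaddress.IPv4Network
    start: int                    # minutes since midnight, inclusive
    end: int
    day: Optional[int]            # cron weekday, None = every day

def _hhmm_to_minutes(field: str) -> int:
    hours, minutes = divmod(int(field), 100)
    if hours > 23 or minutes > 59:
        raise ValueError(f"bad HHMM time field {field!r}")
    return hours * 60 + minutes

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one restrict.cfg line; None for blank or comment-only lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = [f.strip() for f in body.split(",")]
    kind = fields[0]
    if kind == "blp":
        port, rest = int(fields[1]), fields[2:]
    elif kind in ("be", "bl"):
        port, rest = None, fields[1:]
    else:
        raise ValueError(f"unknown rule type {kind!r}")
    try:
        net = ipaddress.ip_network(rest[0], strict=False)
    except ValueError as exc:
        # "bl,137,10.0.0.46" lands here: bl takes an address, not a port
        raise ValueError(f"{kind} needs an address, got {rest[0]!r}") from exc
    start, end, day = 0, 23 * 60 + 59, None
    if len(rest) >= 3:
        start, end = _hhmm_to_minutes(rest[1]), _hhmm_to_minutes(rest[2])
    if len(rest) >= 4:
        day = int(rest[3])
    return Rule(kind, port, rest[0], net, start, end, day)

def is_valid_rule(line: str) -> bool:
    """True when the line parses; False for the bl-with-port mistake."""
    try:
        return parse_rule(line) is not None
    except ValueError:
        return False

def cron_weekday(when: datetime) -> int:
    """datetime.weekday() counts Monday = 0; cron counts Sunday = 0."""
    return (when.weekday() + 1) % 7

def rule_active(rule: Rule, when: datetime) -> bool:
    if rule.day is not None and cron_weekday(when) != rule.day:
        return False
    return rule.start <= when.hour * 60 + when.minute <= rule.end

def ipfwadm_commands(rule: Rule) -> List[str]:
    """The four reject commands shown in the thread for one blp entry."""
    if rule.kind != "blp":
        raise ValueError("only the blp expansion is shown in the thread")
    return [f"ipfwadm -F -a reject -P {proto} {flag} {rule.target} {rule.port}"
            for proto in ("tcp", "udp") for flag in ("-S", "-D")]

def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """Hosts in one subnet talk directly; the router never sees that traffic."""
    lan = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(b) in lan

def verdict(rules, client, server, port, when, prefixlen=24) -> str:
    """'direct' = the router is not on the path; else 'blocked' or 'allowed'."""
    if same_subnet(client, server, prefixlen):
        return "direct"
    for rule in rules:
        if rule.kind == "blp" and rule.port == port and rule_active(rule, when):
            if any(ipaddress.ip_address(h) in rule.net for h in (client, server)):
                return "blocked"
    return "allowed"

# Constructed sample in the style of the rules posted in the thread
SAMPLE_CFG = """\
blp,137,10.0.0.0/24,0000,730    # server ports for the LAN, 19:00 to 07:30
blp,137,10.0.0.0/24,1900,2359
blp,2050,10.0.0.0/24,0000,2359,6   # Btrieve port on Saturday
blp,2050,10.0.0.0/24,0000,2359,0   # and on Sunday
"""
RULES = [r for r in map(parse_rule, SAMPLE_CFG.splitlines()) if r]
SATURDAY = datetime(2011, 5, 21, 10, 0)        # Sat 10:00
WEDNESDAY_EARLY = datetime(2011, 5, 18, 6, 0)  # Wed 06:00
WEDNESDAY_NOON = datetime(2011, 5, 18, 12, 0)  # Wed 12:00
```

Run `verdict(RULES, "10.0.0.10", "10.0.0.46", 2050, SATURDAY)` and it answers "direct": both hosts sit in 10.0.0.0/24, so the rule never comes into play no matter how it is written, which is the situation in this thread. Move the client to 10.0.1.10 and the same call answers "blocked" on Saturday and "allowed" on a Wednesday at noon, which is what the time and weekday fields are meant to achieve once the traffic actually crosses the router.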
