 openbox9
join:2004-01-26 Alexandria, VA
·AT&T Southeast
| reply to Airplane777 Re: Monowall WISP client's data gets past my captive portal ?
said by Airplane777 :So it looks like it won't let pinging traffic through. What port does pinging traffic use? I'm pretty sure it's not port 80.
Pinging is part of the ICMP protocol. It does not use TCP/UDP ports.
said by Airplane777 :So that terrible data from my neighbor has figured some way around the captive portal.
I don't have any experience with m0n0wall, so I can't be much more help. Do you have a BT client installed to test without authenticating to your portal? |
|
 Mike_27 Premium join:2004-05-15 Gardiner, MT
1 edit | reply to Airplane777 said by Airplane777 :So that terrible data from my neighbor has figured some way around the captive portal.
I think you have answered this yourself in an earlier post.
said by Airplane777 :This neighbor is just associated to my AP. He did not log in via the captive portal.
Kick him so he has to authenticate via your captive portal.
Mike |
|
 openbox9
join:2004-01-26 Alexandria, VA
·AT&T Southeast
| reply to Airplane777 Airplane, I reread this thread and I think I've totally misread this whole thing. Are the connections on your WISP interface (the ones that haven't authenticated to your portal) actually getting out on your WAN interface? If the answer is no, then you don't have a problem and your m0nowall captive portal is working the way it is supposed to.
Man, I really shouldn't post so late at night. |
|
 Airplane777
join:2004-06-20 | reply to openbox9 Hi openbox9:
I don't even know where to get BT. I never had a reason to use it before. |
|
robbin Premium,MVM join:2000-09-21 Leander, TX | Google for BitTorrent or just go to www.bittorrent.com |
|
 Airplane777
join:2004-06-20
| reply to Airplane777 Here is another sample.
You can see the malware is incrementing the source port numbers. |
|
 Airplane777
join:2004-06-20
2 edits | reply to openbox9 said by openbox9 : Are the connections on your WISP interface (the ones that haven't authenticated to your portal) actually getting out on your WAN interface? If the answer is no, then you don't have a problem and your m0nowall captive portal is working the way it is supposed to. Man, I really shouldn't post so late at night.
I'm not sure. I don't think so.
I go to the Status:Traffic graph, and once in a while I'll see a little quick blip go by about every 12 seconds. It peaks to about 5 kbs. The in and out is basically the same height. I'll post the picture above. It's not from my neighbor cause if I disconnect the ethernet cable from the WISP interface, I still get the same data going by.
It's probably from my desktop computer on the LAN interface...even though I'm not trying to up or download any data.
And if I go to the WISP interface on the graph, I don't see any data flowing at all. It's completely blank.
So all that data that is trying to get into my WISP interface (as shown by the log), is not showing up on the traffic graph. |
|
 Airplane777
join:2004-06-20
3 edits | reply to robbin When I download it, do I just go to some other location on the Bit Torrent web site and try to download a music file? I'm not sure that will help me to learn how to block or mitigate it.
I have a suspicion Monowall can't stop or mitigate it. I'll probably have to use deep packet inspection like with Net Enforcer. |
|
 lutful Premium join:2005-06-16 Ottawa, ON
·TekSavvy Solutions..
| reply to robbin Airplane777 kindly sent me his config file and the rules are set to allow that traffic ...
<filter>
  <rule>
    <type>block</type>
    <interface>opt1</interface>
    <protocol>tcp</protocol>
    <source><network>opt1</network></source>
    <destination><any/><port>5000</port></destination>
    <descr>Block Outgoing TCP data on WISP Interface, coming from WISP subnet using any port, TO any IP using UPnP port 5000.</descr>
  </rule>
  <!-- ... and similar rules for UPnP2 port 1900, http-rp-epmap port 593, NetBios ports 135-139, SMB port 445, port 1433 or 1434 ... -->
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <source><network>opt1</network></source>
    <destination><network>lan</network><not/></destination>
    <descr>Pass any Outgoing data on WISP Interface, coming from WISP subnet using any port, TO any IP (EXCEPT LAN) using any port.</descr>
  </rule>
</filter> |
|
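The rule set quoted above is a block-list followed by a catch-all pass, and it only works because the blocks sit in front of the pass. As an added example (not lutful's or Airplane777's config, and not m0n0wall's own code), the script below builds the same shape of <filter> with xml.etree, using the element names from the quoted fragment and the port list from its comment, and then walks the rules first-match to show which destination ports on the WISP (opt1) subnet end up blocked, passed, or unmatched. The first-match evaluation, the helper names and the descr strings are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Ports named in the thread's config comment, written the way the quoted
# config writes them ("lo-hi" for a range). Constructed list for this example.
BLOCKED_TCP_PORTS = ["5000", "1900", "593", "135-139", "445", "1433-1434"]


def block_rule(iface, proto, port, descr):
    """One <rule> that blocks `proto` from the interface subnet to any host on `port`."""
    rule = ET.Element("rule")
    ET.SubElement(rule, "type").text = "block"
    ET.SubElement(rule, "interface").text = iface
    ET.SubElement(rule, "protocol").text = proto
    ET.SubElement(ET.SubElement(rule, "source"), "network").text = iface
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(dst, "any")                     # any destination host ...
    ET.SubElement(dst, "port").text = port        # ... on this port/range
    ET.SubElement(rule, "descr").text = descr
    return rule


def pass_except_lan_rule(iface):
    """The catch-all: pass from the interface subnet to anything that is NOT the LAN."""
    rule = ET.Element("rule")
    ET.SubElement(rule, "type").text = "pass"
    ET.SubElement(rule, "interface").text = iface
    ET.SubElement(ET.SubElement(rule, "source"), "network").text = iface
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(dst, "network").text = "lan"
    ET.SubElement(dst, "not")                     # <not/> negates the destination match
    ET.SubElement(rule, "descr").text = f"Pass outgoing from {iface} subnet to any IP except LAN"
    return rule


def build_filter(iface="opt1", ports=BLOCKED_TCP_PORTS):
    """Block rules first, pass rule last; with first-match evaluation the order is what makes the blocks bite."""
    filt = ET.Element("filter")
    for p in ports:
        filt.append(block_rule(iface, "tcp", p, f"Block outgoing TCP from {iface} subnet to port {p}"))
    filt.append(pass_except_lan_rule(iface))
    return filt


def to_xml(filt):
    return ET.tostring(filt, encoding="unicode")


def rule_summary(filt):
    """(type, destination port or None) per rule, in evaluation order."""
    out = []
    for rule in filt.findall("rule"):
        port = rule.find("destination/port")
        out.append((rule.findtext("type"), port.text if port is not None else None))
    return out


def port_matches(spec, dport):
    lo, _, hi = spec.partition("-")
    return int(lo) <= dport <= int(hi or lo)


def first_match(filt, dport, dst_is_lan=False):
    """Assumed first-match evaluation: the type of the first rule whose destination
    matches a TCP packet to `dport`, or None when no rule matches at all."""
    for rule in filt.findall("rule"):
        dst = rule.find("destination")
        port = dst.find("port")
        if port is not None and not port_matches(port.text, dport):
            continue
        net = dst.find("network")
        if net is not None:
            in_net = (net.text == "lan") and dst_is_lan
            negated = dst.find("not") is not None
            if in_net == negated:                 # rule matches only when in_net XOR negated
                continue
        return rule.findtext("type")
    return None


if __name__ == "__main__":
    f = build_filter()
    print(to_xml(f))
    for dport in (445, 137, 80, 1434, 1435):
        print(dport, first_match(f, dport))
```

Running it shows 445, 137 and 1434 hitting a block rule, 80 and 1435 falling through to the pass, and anything aimed at the LAN matching nothing, which is what the `<not/>` on the pass rule is for.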
 robbin Premium,MVM join:2000-09-21 Leander, TX
1 edit | reply to Airplane777 I'm not sure it's appropriate for this forum to be giving instructions on the use of BitTorrent. Just google it and look for information and FAQs. There is a massive amount of info out there giving help for using it. 
[edit] I can't imagine how you can consider learning how to block or mitigate it if you have never used it or understand how it works. |
|
 Airplane777
join:2004-06-20 | reply to lutful I don't have a rule to block all that data cause I don't know what the rule would be, due to all the different IP and port addresses that this malware is using. |
|
 robbin Premium,MVM join:2000-09-21 Leander, TX | BitTorrent is peer-to-peer (P2P). It is NOT malware. |
|
 Airplane777
join:2004-06-20
2 edits | reply to lutful Lutful:
What you posted here...that's not my data, is it?
I'll relook to see if I can find it in my config file. Although I still don't know of a firewall rule to stop all this data on Monowall.
Reason being, I understand that I could put in place firewall rules for BT, Kazaa, and the other p2p applications. But I understand they will migrate to port 80...and I can't stop data flowing in port 80.
I do have a catch-all that encompasses p2p on my traffic shaper. Since I can't stop the p2p, I gave it a weight of 1. |
|
 Airplane777
join:2004-06-20
2 edits | reply to robbin I'm sorry. I have such a dislike for p2p, that I guess I thought of it as malware also...lol.
Thanks for those links.
So you think all that data trying to get into my WISP interface is p2p?
If I was to take the captive portal off, then that data would flow out my WAN interface. |
|
 lutful Premium join:2005-06-16 Ottawa, ON
·TekSavvy Solutions..
| reply to Airplane777 You can allow a dozen ports to go through with higher priority and doom the rest to very low bit rates.
Although m0n0wall is considered by many to be one of the easiest firewalls, I think a few WISP and HotSpot specific config.xml files will be a good addition. I will ask some m0n0wall gurus. |
|
 robbin Premium,MVM join:2000-09-21 Leander, TX
| reply to Airplane777 said by Airplane777 :I'm sorry. I have such a dislike for p2p, that I guess I thought of it as malware also... You seem to have the idea that all P2P is bad. P2P is possibly the future of distributing data on the internet. It spreads out the load. Here is a link to a linux distribution from Duke University as an example. The important point is that there are legitimate uses -- just as legitimate as VOIP or email or surfing the web! |
|
 Airplane777
join:2004-06-20
4 edits | reply to lutful BTW, I still love Monowall from all that I have learned from you all.
Monowall is still my first choice for router/firewall/traffic shaper.
I admit I still have a lot to learn about fine tuning Monowall to my needs. I guess I'm at an impasse here trying to figure what to do with that data that is trying to get into my WISP interface.
I won't be using captive portal or DHCP when I actually start selling to WISP customers. I'll assign static IP addresses, so I'll know who has what IP address.
From what I can see, I'm leaning towards just mitigating any p2p applications...as I'm starting to think that I don't want to lose customers who want to do p2p. I just want to give them the lowest traffic shaping weight possible.
I already have a "catch all" in my Monowall now, that I'm hoping is catching any p2p. I'm using "catch all" because I realize that p2p changes IP and port addresses all the time. My catch-all should get them all. Gee...if I see that works real good for me, then I shouldn't need NetEnforcer at all...maybe?
So my Monowall passes p2p...I just am trying to give it a veeeery low weight.
Gee...with all that in mind...maybe I'm too overly worried about anyone on my network that is using p2p...like this neighbor.
So I should get BT and do some testing, to be sure that the low traffic shaping weight of 1, stops the bad effects of p2p on my high priority applications. |
|
 Airplane777
join:2004-06-20
| reply to robbin said by robbin :You seem to have the idea that all P2P is bad. P2P is possibly the future of distributing data on the internet. It spreads out the load. I did have the idea that p2p is pretty bad...at least for WISPs.
If I can see that I can allow p2p along with my other traffic, I'll feel better about it. But I'll probably just have to give it a veeeery low traffic weight, so it doesn't hog up the BW from more desirable applications. |
|
 lutful Premium join:2005-06-16 Ottawa, ON | Often all unknown traffic is lumped as P2P including some ports used by emergency health monitors.  |
|
 Airplane777
join:2004-06-20
2 edits | reply to Airplane777 Hi all:
The above screen shot is from my own laptop computer. Notice that there is also a lot of incrementing of port numbers attached to the IP address that DHCP assigned to my laptop.
I noticed there are two destination IP addresses. First my computer tried to go to 66.210.246.140 port 80. It turns out that this is the web URL redirection web site that I have set up in Monowall. Why would my computer try to go to that web site by incrementing a whole bunch of port numbers?
Then notice that there is another IP address of 69.95.90.67 port 80. There are two of those destination addresses. And that is correct. That is the web address I went to after the URL redirection web site.
So why does my computer have to increment port numbers when it is trying to go to web sites. Maybe that is normal? If it is normal, I'm not sure why.
I think I'm operating a clean computer...but that screen makes me wonder what's going on. This might make me look like I don't know what's going on...lol. But I wanted to tell you guys anyway. I wasn't going to hold this info back...even if it might make me look like I don't know what's going on...lol.
I thought I'd show that screen to you guys, since it makes my computer act similar to my neighbor's, whose computer also incremented port numbers. And I'm not doing any p2p that I know of. I even ran AdAware and Spybot to check things out. My neighbor's computers seem to be going to Asia web sites. I was going to a web site in the USA.
I hope this might help put more light on what's going on here with this port incrementing. |
|
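The pattern in that screen shot, a climbing source port on every line while the destination stays port 80, is what any TCP client produces: each new outbound connection gets its own ephemeral source port, so one browser page load that opens several connections leaves several log lines. What a WISP operator actually wants from the log is to tell that churn apart from patterns worth a look, such as one host probing many ports on a single target, or one host talking to many peers on high ports. As an added example (not from the thread, and not m0n0wall's log format, which is a constructed simplified one here), the script below parses such lines, summarises them per source address and classifies each source; the thresholds and the two web destinations from the screen shot are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed, simplified log lines (NOT m0n0wall's real format). The laptop
# walks through ports 1030-1034 to two web servers; one host probes a dozen
# ports on a single target; one host talks to six peers on high ports.
SAMPLE_LOG = [
    "act=block if=opt1 proto=tcp src=192.168.5.20:1030 dst=66.210.246.140:80",
    "act=block if=opt1 proto=tcp src=192.168.5.20:1031 dst=66.210.246.140:80",
    "act=block if=opt1 proto=tcp src=192.168.5.20:1032 dst=66.210.246.140:80",
    "act=block if=opt1 proto=tcp src=192.168.5.20:1033 dst=69.95.90.67:80",
    "act=block if=opt1 proto=tcp src=192.168.5.20:1034 dst=69.95.90.67:80",
] + [
    f"act=block if=opt1 proto=tcp src=192.168.5.77:{2000 + i} dst=10.0.0.5:{p}"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
] + [
    f"act=block if=opt1 proto=tcp src=192.168.5.42:{3000 + i} dst=203.0.113.{10 + i}:{6881 + i}"
    for i in range(6)
]

LINE_RE = re.compile(
    r"act=(?P<act>\w+) if=(?P<iface>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)")

WEB_PORTS = {80, 443}


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def summarise(lines):
    """Per source IP: line count, source ports in log order, and the distinct destinations."""
    per_src = defaultdict(lambda: {"count": 0, "sports": [], "dips": set(),
                                   "dports": set(), "dsts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["sip"]]
        s["count"] += 1
        s["sports"].append(rec["sport"])
        s["dips"].add(rec["dip"])
        s["dports"].add(rec["dport"])
        s["dsts"].add((rec["dip"], rec["dport"]))
    return dict(per_src)


def classify(s):
    """Assumed thresholds for this example; tune them to the link and the customer base."""
    # One fresh ephemeral port (>= 1024) per line is the normal client signature.
    ephemeral = all(p >= 1024 for p in s["sports"]) and len(set(s["sports"])) == s["count"]
    if len(s["dips"]) == 1 and len(s["dports"]) >= 10:
        return "scan-like"            # many destination ports on one host
    if len(s["dips"]) >= 5 and all(p > 1023 for p in s["dports"]):
        return "p2p-like"             # many peers, all on unprivileged ports
    if ephemeral and s["dports"] <= WEB_PORTS:
        return "normal-web"           # a browser opening connections to port 80/443
    return "unclassified"


def report(lines):
    return {sip: classify(s) for sip, s in summarise(lines).items()}


if __name__ == "__main__":
    for sip, verdict in report(SAMPLE_LOG).items():
        print(f"{sip:15} {verdict}")
```

The laptop's lines come out as normal-web, which is the answer to the question in the post: the climbing source ports are the ephemeral ports of successive connections, not a sign of infection. The classification is deliberately coarse; it is a triage step before looking at the actual sessions, not a replacement for the traffic shaper or for blocking specific services.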