Is Rendezvous Sharing More Than You'd Like?
Gropo asks: "I just got an email from my father who has just recently upgraded from OS 9 to Mac OS X on his PowerMac. He's connected to the 'net via Adelphia Cable and shares his TCP connection with my Mother's iMac via Software Base Station. He got a call from his neighbor (also running Mac OS X) who noticed 'My Father's Computer' show up on his network. My first thought was: 'He's picking up your AirPort signal' - alas the neighbor has no AirPort card. The neighbor *does* however also have an Adelphia cable modem. I asked him to scan for available afp:// servers and sure enough, a foreign machine showed up. What's the easiest way (if at all possible) to enable auto-detection for the local wireless LAN (useful for file and printer sharing within the household) yet remain invisible to other people also behind the cable companies' local DHCP box?"
Firewall? Isn't this the same issue one would have with Windows file-sharing?
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
Kudos to the honest and helpful neighbor, but I have to assume they didn't figure out "My Father's Computer" was your father's computer without some additional snooping. How much did they read? They did the right thing, of course, assuming they read no more than necessary.
Cable modems do have privacy issues, don't they? Mine is on the other side of an SMC firewall which (I hope I will not be instantly disabused!) is protection....
If you really don't want to use a firewall, you can always just give the computer a meaningless name and password-protect all users on it.
In this particular case the problem is AppleTalk routing. Since you are creating a local subnet using the PowerMac as the router, you probably have AppleTalk activated on the wrong network interface. It needs to be on the AirPort Ethernet only and not on the wired connection. It can only be on one at a time, so just switch it. Incidentally, this won't change your ability to share info with the AirPorted computer. You could also try blocking access to the AppleTalk port (548 IIRC) on your built-in firewall. Alternatively, get a proper hardware firewall and use that to mask your subnet. Ultimately you need to be careful what services you enable on which interface, as one of them is visible to the world and one isn't.
PS I don't think this has anything to do with Rendezvous.
Rendezvous is designed to work on a subnet, and likely your dad and his neighbor are on the same subnet, thus the unintended sharing.
Since he has a broadband connection, I'd recommend that you buy him a router, so that all of his Rendezvous packets stay in his house. No muss, no fuss. And routers can be as cheap as $30 -- I just bought a cool NetGear router to replace my LinkSys and it cost about $50. With the router, he can have multiple computers on his network, keep his LAN separate from the WAN, and have some basic security protection above and beyond the built-in firewall in Mac OS X.
Or you can convince him to buy a new AirPort base station that has a built-in router so he can solve his problem as well as allow you to surf the 'Net on your PowerBook while you're over visiting.
To me, it's a short threshold to come up with an excuse to buy sexy new Apple hardware.
Insert simplistic political, ideological, or personal proselytization here.
I suppose Rendezvous probably finds other Rendezvous-enabled machines on the local subnet. Looking in System Preferences I can't see any way of limiting that by device (e.g. Ethernet but not modem) nor limiting it to specific IP address ranges.
Also, the firewall configuration pane seems to be completely useless. If I'm reading correctly, it seems that when I start the firewall it denies connections to any port not in the list displayed in the config pane. The list includes all the services I'm running. So if any kind of file sharing or remote access is enabled, the firewall allows access to it from anywhere. The only way to prevent access is to shut down the service. I can't make file sharing available locally without it being available globally.
Fortunately there are other options for firewall configuration. ipfw is installed by default. Might be worth reading the man page.
Now wash your hands.
there once was a power mac
on the net i thought i'd hack
i was stunned to see
it ran bsd
my plans were thus set back
Michael.
Your father isn't NAT'd by his Cable modem at all? I have DSL into an Airport Base Station and the NATing inherent to that is enough to keep my neighbors at bay. I would think there had to be some measure of this capability in the modem. If not, can he not just finagle the settings in the Sharing control panel to limit access? It shouldn't affect his Software Base Station at all.
blarg.
Cable modems are notorious for creating security openings. In many cases, you and all the other computers in your neighborhood are bridged onto a single network. So it's the same as if you were on one big LAN.
This issue affects your dad's computer whether or not your mom's computer is connected via it (the in-house network is just an extra wrinkle).
So you need to do a careful job of insulating your dad's computer from the outside network. Start by turning off all unnecessary services that could be carried on the Ethernet adapter. (i.e., make sure these services are not allowed to communicate over the Ethernet adapter. It's fine to let them run over the Airport adapter if your software base station is configured correctly, but you will have to discriminate between the two). OS X does a pretty good job of not loading too many services in the default configuration. But you can fine tune what's going on using OS X's internal firewall. You should also turn off any file or printer sharing on the Ethernet adapter (using the Sharing preference panel). I'm not sure whether you can turn off Rendezvous on one particular adapter, but if you can, that would be a good idea too.
Another way to restrict data from being sent over the Ethernet connection out to your neighbors, would be to install firewall or routing hardware between your Dad's computer and the cable modem. Then you won't really have to worry about reconfiguring your dad's computer at all. Anything that is labeled for "cable modem sharing" or "DSL connection sharing" should work fine for you. However, if you're going to get a connection sharing box, you might as well get one that can provide a connection directly to both your dad's computer and your mom's, so hers doesn't have to go through his to get to the Internet. There are plenty of cable modem routers out there that also include 802.11b support, and any of these should solve all your problems at once (i.e., they will hide your computers from your neighbors, and they will allow both of your computers to connect to the Internet independently via Airport or Ethernet). Apple's Airport base station is particularly nice, but there are other boxes in the $100 range that will work fine.
1) Firewall
2) Password protection shares
or
3) Switch to DSL. It's not shared like cable.
Just apply the patch. ;-)
Hehe - classic cable modems that show all the machines on a loop as part of a subnet.
Recent versions of MacOS added rendezvous support to web servers, so you can automatically detect those web servers using Safari. As a result I came across a co-worker's web site and saw some rather racy web sites that he was working on in his spare time.
So yes. Rendezvous just might be sharing more than you'd like!
This is a common problem, and is not specific to Mac OS X. If your father had been running Windows, your neighbour would find your father's Windows shares on his Windows or Mac OS X box.
The solution? Firewall.
Read up on ipfw. It's the nice firewall FreeBSD uses, and Darwin/OS X has it too.
A few simple rules (default to deny etc) and you will be locked down tight.
D.
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
Clearly you're seeing the effects of the insecure Mac OS X operating system. What do you expect from a company who knows so little about Unix they don't even know to put double quotes around filenames that might have spaces, thus wiping out your hard drive? Remember that one?
Get that Mac up on eBay where it belongs. Get dad a secure Windows XP machine. He's an adult now, he doesn't need the Mac. You won't see daddy's files on the local LAN, that's for sure, and you might even be able to buy some useful software for a well-supported platform, not some toy from Steve Jobs' imagination.
Two guys, neighbors, both running Jaguar, both on the same cable modem subnet.
:-)
I mean, what are the odds? They're so low as to be trivial!
(Caveat: I've been a Mac user since 1984, so this slam is just good natured ribbing...)
My father is a blogger.
I think we really need to educate everyone that a firewall is always needed between the home computer and broadband connections, even if there is only one computer connected. The ISPs are not providing the firewall with the modems because they want to sell that service for more money, if they want to allow it at all.
Of course all the other rules apply. Turn off all services that are not needed. Use good passwords on the services that are. I am afraid that Apple is going down the road of reduced security and feature bloat.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I would guess that IP over powerlines is going to have the same issue. Namely, unless every transformer has a packet switch, then everyone in the neighborhood is going to be basically on a shared hub and hence share bandwidth and share their underwear too.
Some drink at the fountain of knowledge. Others just gargle.
One specific thing you may want to try with a firewall is blocking packets to 224.0.0.251. I've been using MacSniffer to monitor the traffic on my own home lan to see what I might need to do security-wise and noticed packets going to this address periodically. After some searching, I found that this is probably Rendezvous activity. See this article.
Start by turning off all unnecessary services that could be carried on the Ethernet adapter......
Are you fucking serious? This is a Mac user you are talking to here. Ever read a Mac "systems admin" list? Ask them to "turn off a service" and they will turn off the TV.
I'm a network specialist for a cable company. The problem is probably that both machines ended up on the same subnet, and since there's no router (I'm assuming), it goes out and hits the UBR, just like it would on a LAN, and shares with your neighbor.
People above have mentioned using a NAT/firewall. You also mentioned that your dad has an AirPort base station. AFAIK a Base Station is capable of being a NAT/firewall. So I'd just use that. You won't even need new hardware.
I know I'm going to hell, I'm just trying to get good seats.
I had the same issues under 9.x.x until I got an ABS. We had 5 or 6 macs on our subnet. Don't get too paranoid about this - sure - secure your most vital files etc...then pool resources. It's like super fast P2P.
On the topic of open Macs however, if you happen to be in central London someday with some spare time, just sit down at Bar Italia on Frith Street, Soho, pop on your wifi and see how many drop boxes you can visit. I found at least 5 open wifi networks and each one of those exposed lots of Macs. Didn't find any iChat users though... but plenty of Rendezvous (or Liberty Connector as I hear you Merkins prefer nowadays) shared web sites (99% default index pages).
Oh, and if you really wanna get into closed wifi networks, remember there is always KisMAC.
enjoy
I used to have a better sig than this, but I got tired of it
Or you can disable Rendezvous via the Applications/Utilities/Directory Access application. I suppose, if you don't need Rendezvous, you should probably turn it off. And if the problem is AppleTalk, like someone said, you can only use AppleTalk on one interface at a time. Though I'd disable everything, install a wireless router, and connect to computers via IP only.
"Liberty Connector"?
:-)
That's the funniest freakin' thing I've heard so far this week.
-/-
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
You could check if the problem is Rendezvous by sending your father DockBrowser (perhaps by compiling it up for him first.) This should only show the machines available via Rendezvous.
You could check if it was AppleTalk by loading up the Chooser in Classic mode, perhaps with the Who's There rdev. It should only show machines available via AppleTalk.
You could disable AppleTalk on the Ethernet interface connected to the cable modem (it's in the Network pane in the System Preferences app) and leave it on in the AirPort interface.
mwahahahahahahahahahaaaaaargh ! g agaaarghl
-gasp-
secure
-grnt-
windows
-sngggggnghh-
XP
-kspl-
mwohaaaaahahahahahahahaaaaaaaaaagaga
Yeah. That was my first thought.
Why are people STILL using DSL and Cable modems without a Firewall??? They are there to protect you not just from those malicious people out there, but your own lack of understanding of computer security. This isn't meant to be a slam on anyone.. just a realistic fact that most people don't understand what's involved in network security.
-Alex
Cable ISPs sometimes build their networks like LANs. This apparently fools some Macintoshes into thinking that it is, in fact, a LAN. I used to be able to see some Macintoshes of my neighbourhood, until they fixed the problem.
Hello! I'm a disaster waiting to happen!
You found evidence that your co-worker is building a pornographic web site on company computers, on company time? A little blackmail ought to buy you a new Mac or two...
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
I have set up half a dozen accounts with no password. Just don't enter a password. It does warn you, but other than that...
Rendezvous uses Multicast DNS (mDNS) to find and announce services. Multicast DNS uses a link-local multicast address, which means that routers should never forward mDNS packets from one link to another.
Simon
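Several posts above suggest ipfw with per-interface rules, and Simon's post explains why mDNS traffic to 224.0.0.251 should never need to leave the household link. The script below is an added example, not from any poster: it prints an ipfw ruleset that allows AFP, mDNS and printing only on the AirPort side and logs the same services when they arrive from the cable side. It assumes the cable modem is on en0 and AirPort is on en1; confirm with `ifconfig` before using.

```shell
#!/bin/sh
# Added example ruleset for the Software Base Station scenario above.
# Assumptions (not from the thread): WAN = en0 (built-in Ethernet to the
# cable modem), LAN = en1 (AirPort). The function only prints the rules;
# nothing is applied until the output is reviewed and fed to sudo sh.

rendezvous_rules() {
    wan="$1"   # interface facing the cable modem (shared with neighbours)
    lan="$2"   # interface facing the household (AirPort)
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow tcp from any to any established
# Household side: AFP (tcp 548), mDNS (udp 5353 to 224.0.0.251), printing (515/631)
ipfw add 300 allow tcp from any to any 548 in via $lan
ipfw add 310 allow udp from any to 224.0.0.251 5353 via $lan
ipfw add 320 allow tcp from any to any 515,631 in via $lan
# Cable side: refuse the same services explicitly and log them, so
# /var/log/system.log shows when a neighbour's machine probes for shares
ipfw add 400 deny log tcp from any to any 548 in via $wan
ipfw add 410 deny log udp from any to 224.0.0.251 5353 via $wan
ipfw add 420 deny log tcp from any to any 515,631 in via $wan
# Outbound on the cable side stays open; inbound falls through to the
# default deny, and the household link is unrestricted
ipfw add 500 allow ip from any to any out via $wan
ipfw add 510 allow ip from any to any via $lan
ipfw add 65000 deny log ip from any to any
EOF
}

# Dry run: print the rules for review.
rendezvous_rules en0 en1
```

Apply with `rendezvous_rules en0 en1 | sudo sh` only after checking the interface names; rule 200 keeps existing outbound sessions working, and the default deny at 65000 is what closes everything the pane-based firewall left open.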
So, with Rendezvous on, you could potentially have a TON of iTunes libraries at your disposal, right?
At first it was only one person's computer, but as other releases of OS X came out (1.x, etc.) there were more and more people visible on the network.
That said, this was well before Rendezvous entered the picture, so it's probable that it is AppleTalk related.
But, I am pretty sure that if you have your users password protected, people can't access info from your computer - unless it's in your public folder.
Maybe a Firewall would help?
see these entries in my /var/log/httpd/access_log
Here's a web page I use to handle these exploit attempts
Or you can disable Rendezvous
Security through obscurity does not work. Rendezvous is not providing the open file share, it's just advertising it. If you disable Rendezvous, the file share is still open and active - the only difference is, anyone who wants to mount it will need to know its IP address.
Lost: Sig, white with black letters. No collar. Reward if found!
heya Gropo's Dad...
have you figured the mail problem yet? I can see all the options necessary to change my outgoing and incoming mail servers... there doesn't seem to be anything preventing me from changing them to my heart's content...
I have had experience with ISPs that prevent me from sending mail through them if I am not currently connected through them...though reading previous posts it seems that you--or your son--would have already considered that...
And another point: they can find it with a simple portscan, so it's not even particularly obscure.
Simply disable Appletalk on the WAN interface, Built-In Ethernet. As long as Robin Hood (think about that one) doesn't use that port for any local AppleTalking, he shouldn't have a problem.