Slashdot Mirror


Is Rendezvous Sharing More Than You'd Like?

Gropo asks: "I just got an email from my father who has just recently upgraded from OS 9 to Mac OS X on his PowerMac. He's connected to the 'net via Adelphia Cable and shares his TCP connection with my Mother's iMac via Software Base Station. He got a call from his neighbor (also running Mac OS X) who noticed 'My Father's Computer' show up on his network. My first thought was: 'He's picking up your AirPort signal' - alas the neighbor has no AirPort card. The neighbor *does* however also have an Adelphia cable modem. I asked him to scan for available afp:// servers and sure enough, a foreign machine showed up. What's the easiest way (if at all possible) to enable auto-detection for the local wireless LAN (useful for file and printer sharing within the household) yet remain invisible to other people also behind the cable companies' local DHCP box?"

14 of 93 comments

  1. Erm. by Atzanteol · · Score: 4, Insightful

    Firewall? Isn't this the same issue one would have with Windows file-sharing?

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  2. Passwords by andcarne · · Score: 4, Informative

    If you really don't want to use a firewall, you can always just give the computer a meaningless name, and password protect all users on it.

  3. Services by rbbs · · Score: 5, Informative

    In this particular case the problem is AppleTalk routing. Since you are creating a local subnet using the PowerMac as the router, you probably have AppleTalk activated on the wrong network interface. It needs to be on the Airport ethernet only and not on the wired connection. It can only be on one at a time so just switch it. - incidentally this won't change your ability to share info with the airported computer. You could also try blocking access to the AppleTalk port (548 IIRC) on your built-in firewall. Alternatively, get a proper hardware firewall and use that to mask your subnet. Ultimately you need to be careful what services you enable on which interface as one of them is visible to the world and one isn't.

    1. Re:Services by Anonymous Coward · · Score: 4, Informative

      Afaik, port 548 is what AppleShare uses, not AppleTalk. AppleShare can run over TCP/IP or AppleTalk; but AppleTalk doesn't run on a TCP port because it isn't a TCP service (it's a different transport protocol itself). So if this is an AppleTalk issue, port 548 has nothing to do with it. I thought it was a Rendezvous issue myself; I sometimes forget people still might use AppleTalk though.

  4. Buy him a router by sg3000 · · Score: 4, Informative

    Rendezvous is designed to work on a subnet, and likely your dad and his neighbor are on the same subnet, thus the unintended sharing.

    Since he has a broadband connection, I'd recommend that you buy him a router, so that all of his Rendezvous packets stay in his house. No muss, no fuss. And routers can be as cheap as $30 -- I just bought a cool NetGear router to replace my LinkSys and it cost about $50. With the router, he can have multiple computers on his network, keep his LAN separate from the WAN, and have some basic security protection above and beyond the built-in firewall in Mac OS X.

    Or you can convince him to buy a new AirPort base station that has a built-in router so he can solve his problem as well as allow you to surf the 'Net on your PowerBook while you're over visiting.

    To me, it's a short threshold to come up with an excuse to buy sexy new Apple hardware.

    --
    Insert simplistic political, ideological, or personal proselytization here.
  5. Re:Not Rendezvous by pldms · · Score: 4, Informative

    PS I don't think this has anything to do with Rendezvous.

    Agreed. Rendezvous broadcasts must never be routed, but AppleTalk packets can. Maybe this can be set on the base station?

    --
    Slashdot looked deep within my soul and assigned
    me a number based on the order in which I joined
  6. mac attack by Michael.Forman · · Score: 5, Funny


    there once was a power mac
    on the net i thought i'd hack
    i was stunned to see
    it ran bsd
    my plans were thus set back


    Michael.

    sh: /usr/bin/fortune: not found

    --
    Linux : Mac :: VW : Mercedes
  7. Any cable modem user would have the same problem by superposed · · Score: 5, Informative

    Cable modems are notorious for creating security openings. In many cases, you and all the other computers in your neighborhood are bridged onto a single network. So it's the same as if you were on one big LAN.

    This issue affects your dad's computer whether or not your mom's computer is connected via it (the in-house network is just an extra wrinkle).

    So you need to do a careful job of insulating your dad's computer from the outside network. Start by turning off all unnecessary services that could be carried on the Ethernet adapter. (i.e., make sure these services are not allowed to communicate over the Ethernet adapter. It's fine to let them run over the Airport adapter if your software base station is configured correctly, but you will have to discriminate between the two). OS X does a pretty good job of not loading too many services in the default configuration. But you can fine tune what's going on using OS X's internal firewall. You should also turn off any file or printer sharing on the Ethernet adapter (using the Sharing preference panel). I'm not sure whether you can turn off Rendezvous on one particular adapter, but if you can, that would be a good idea too.

    Another way to restrict data from being sent over the Ethernet connection out to your neighbors, would be to install firewall or routing hardware between your Dad's computer and the cable modem. Then you won't really have to worry about reconfiguring your dad's computer at all. Anything that is labeled for "cable modem sharing" or "DSL connection sharing" should work fine for you. However, if you're going to get a connection sharing box, you might as well get one that can provide a connection directly to both your dad's computer and your mom's, so hers doesn't have to go through his to get to the Internet. There are plenty of cable modem routers out there that also include 802.11b support, and any of these should solve all your problems at once (i.e., they will hide your computers from your neighbors, and they will allow both of your computers to connect to the Internet independently via Airport or Ethernet). Apple's Airport base station is particularly nice, but there are other boxes in the $100 range that will work fine.

  8. Common problem by DiSKiLLeR · · Score: 4, Informative

    This is a common problem, and is not specific to Mac OS X. If your father had been running Windows, your neighbour would find your father's Windows shares on his Windows or Mac OS X box.

    The solution? Firewall.

    Read up on ipfw. It's the nice firewall FreeBSD uses and Darwin/OSX has it too.

    A few simple rules (default to deny etc) and you will be locked down tight.

    D.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  9. Talk about unlikely... by Big+Sean+O · · Score: 4, Funny

    Two guys, neighbors, both running Jaguar, both on the same cable modem subnet.

    I mean, what are the odds? They're so low as to be trivial! :-)

    (Caveat: I've been a Mac user since 1984, so this slam is just good natured ribbing...)

    --
    My father is a blogger.
    1. Re:Talk about unlikely... by sg3000 · · Score: 4, Insightful

      > Two guys, neighbors, both running Jaguar, both on the
      > same cable modem subnet.

      > I mean, what are the odds?

      I was thinking the same thing. I think the odds are better that one has two convicted sex offenders on the same subnet than two Jaguar users.

      However, I think this is starting to change. At work, in my immediate area, the number of people buying new Macintoshes is starting to increase. The top cited reasons? In no particular order:

      1. The new iMac
      2. The fact that it "just works." It's funny to see a new Mac user who's been using Windows for years get kind of a confused look on their face, and say, "I can't explain it, but it just works."
      3. Mac OS X and its Unix underpinnings -- this seems to influence the more technical people
      4. Microsoft's copy restrictions in Windows XP. It surprises me how many people are turned off by this. Not that they're out pirating software or music or anything, but they mention that they just don't like it.

      --
      Insert simplistic political, ideological, or personal proselytization here.
  10. something to try by Aram+Fingal · · Score: 4, Informative

    One specific thing you may want to try with a firewall is blocking packets to 224.0.0.251. I've been using MacSniffer to monitor the traffic on my own home LAN to see what I might need to do security-wise and noticed packets going to this address periodically. After some searching, I found that this is probably Rendezvous activity. See this article.
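
What a packet sent to 224.0.0.251 tells everyone on the same segment, as an added example that is not part of any comment in this thread: a minimal parser for the PTR records in a Rendezvous (multicast DNS) message, run over a constructed sample packet. The function names are this example's own, and the sample assumes the share is announced under the `_afpovertcp._tcp` service type.

```python
import struct

TYPE_PTR = 12  # DNS-SD lists service instances as PTR records

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off, depth=0):
    """Decode the name at msg[off:]; return (name, offset just past it)."""
    if depth > 10:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            target = ((n & 0x3F) << 8) | msg[off + 1]
            rest = read_name(msg, target, depth + 1)[0]
            return ".".join(labels + [rest] if rest else labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("utf-8", "replace"))
        off += 1 + n

def advertised(msg):
    """Return (service type, instance name) for every PTR record in msg."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):  # skip questions: name + type + class
        off = read_name(msg, off)[1] + 4
    found = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            found.append((owner, read_name(msg, off)[0]))
        off += rdlen
    return found

def sample_response():
    """Constructed announcement of an AFP share (not captured traffic)."""
    header = struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)  # response, 1 answer
    service = encode_name("_afpovertcp._tcp.local")      # starts at offset 12
    label = b"My Father's Computer"
    instance = bytes([len(label)]) + label + b"\xc0\x0c"  # pointer to offset 12
    rr = service + struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(instance))
    return header + rr + instance

if __name__ == "__main__":
    print(advertised(sample_response()))
```

Feeding `advertised()` the UDP payloads seen for 224.0.0.251 (mDNS uses port 5353) on the cable-modem-facing interface shows which machine names and services are visible there; after the firewall or router change, that list should be empty.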

  11. Airport by red5 · · Score: 4, Informative

    People above have mentioned using a NAT/firewall. You also mentioned that your dad has an AirPort base station. AFAIK a Base Station is capable of being a NAT/firewall. So I'd just use that. You won't even need new hardware.

    --
    I know I'm going to hell, I'm just trying to get good seats.
  12. Re:time to "switch" by Gropo · · Score: 4, Funny
    Wow, hilarious. Guess what? Dad started out in the industry by programming tabulation machines in the 60's, later IBM mainframes, partnered in a business renting time on Harvard's mainframe to calculate regional school system schedules and even co-authored a Lord of the Rings game for the MiniPDP he'd bring home to us on weekends back in the early 80's.

    I don't think he needs some greenhorn pissant telling him what platform best suits his needs.
    Get dad a secure Windows XP machine.
    SOMEONE SET UP MY DAD THE RAW SOCKETS

    Try again, dingleberry.
    --
    I hate Grammar Nazi's