NetBEUI as main protocol

Jim Morris jim at morris-world.com
Tue Dec 10 15:24:01 GMT 2002


On Tue, 2002-12-10 at 08:42, Jason Hihn wrote:

> Up until the other day we didn't have an internet-visible, Unix-based
> host behind the router. We do now, so that is a concern of mine more
> than ever.

It sounds to me like you are relying on the ISP's router to protect you
from the Internet. And that you are just 'hiding' your PCs by using
NETBEUI. If so, I think this is where you are mistaken (in trusting the
ISP!).  You should put your own firewall behind the router, between it
and your internal network.  You can block all incoming traffic on all
ports if you so choose. You can elect not to forward any traffic to the
internal LAN. Or you can open up specific ports if you need to.  If you
want something visible to the internet, put it outside the firewall, in
a DMZ if need be.

> True, if the kiddy is 'elite' enough he might try a NetBEUI exploit. If that
> is the case, then you're right, we're no better off. But the fact that
> Microsoft is deprecating NetBEUI makes my assumption that he will not try
> NetBEUI even better.

What about the fact that deprecation of NETBEUI means that as you
upgrade your own Windows PCs, they will not be able to use the LAN?
;-)  I assume you are using Windows, otherwise you would not even be
concerned with Samba and NETBIOS specific networking....  On top of
this, I can vouch for bugs that our company has determined to be in
certain flavors of Windows when using NETBEUI as the transport, which do
not occur if you use IPX/SPX or TCP/IP as the transport. I cannot recall
the versions of Windows involved now (maybe 95/98), but do recall that
we had some locking and file sharing issues with NETBEUI that do not
occur with IPX/SPX or TCP/IP....  the fact that Microsoft is not
maintaining the transport means no bugs will be fixed....

> While I feel competent enough to make a solid firewall, our router to the
> internet is controlled by our ISP, and that is one trust relationship that
> would be sloppy of me to trust. Unfortunately, this box needs to be visible
> to the internet and the NetBEUI-only server. Looks like I'll have to proxy
> it via a Windows PC running both NetBEUI and TCP/IP. To quote Homer Simpson:
> "For shame!" :-)

Like I said - if you have your own firewall, then you are not trusting
the ISP.  Use a PC that has both TCP/IP and NETBEUI loaded to move files
from the NETBEUI-only server to the Internet server, if you have to deal
with NETBEUI....

I hate to say it, but it really comes down to the fact that you are
trying to hide behind a protocol, instead of doing a proper firewall for
your LAN.  No offense intended....
-- 
/-----------------------------------------------
| Jim Morris  |  Email: Jim at Morris-World.com
|             |    AIM: JFM2001
\-----------------------------------------------




More information about the samba-technical mailing list