Media-One Express, IP Masquerading

[mod at std.com (Michael O'Donnell)]

 [ Sorry about the following jumble - I'm responding to various
   points in various messages here, not necessarily in any order... ]

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

The LanCity modems used with m1x are indeed programmed to recognize
exactly one specific MAC address at a time, but m1x can reportedly
diddle your modem all kinds of ways from headquarters, including
firmware changes and various tunable parameters like the MAC addrs.
I've read postings in the express.* newsgroups describing how folks
have installed new Enet adapters and then phoned m1x to notify them
of their new MAC address; the changeover process has usually gone
very quickly (like 5 minutes) once they finally got through after
being on Hold...  And the LanCity modems are supposed to work with
just about any 10baseT Enet adapter you can wire it to.

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

>>Since a Mini HUB is $59 at Micro Center you might as well use one.
>>
>>There is another product that runs on Windows95 and NT that does
>>filtering and masqurading but I can't remember it's name (Wingate?).
>>It's made by a New Zealand company and unlike Proxy server it doe>
>
>It is called wingate (http://www.wingate.net --- NOT .com).

See also http://www.nevod.com

Here's an excerpt from a posting in one of the express.*
groups from one of the guys employed by that outfit - they
sell Network Address Translators called NAT1000 and NAT32 (he
may even be one of the designers, but I haven't been paying
attention since I don't care too much about Windows or NT) -

 From: Eduard Guzovsky <ed at nevod.com>

 Here is a couple of comments from a NAT1000 biased person :-)

 Wingate is not a NAT nor an IP masquerading (in Barry's more
 precise terminology) solution.  It is a proxy server.  To use it
 you will have to configure all TCP/IP applications running on
 LAN hosts to talk to a proxy server.  Some applications (like
 "ping") do not let you do it and will not work with a proxy
 server.  This is not the case with NAT1000 or Linux: LAN hosts
 do not need any extra configuration beyond a standard TCP/IP
 setup (ip address, subnet mask, default gateway, dns address).

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

>> Given my understanding of what I've read in the m1x newsgroups,
>> and reading between the lines of Jerry's message, I conclude that
>> his configuration employs a hub between the modem and the machine
>No. I run thin-wire ethernbet. I prefer thin-wire for small LANs. I
>just upgraded my Win95 system to a PentiumII. I also put a new Ethernet
>card in it. Called Mediaone, and they configured the new Mac address
>immediately including changing DNS to reflect my new IP address.

I'm still learning about all this comms stuff, so I'm easily confused,
and Jerry has definitely confused me.  Please help check my premises:

 - 10baseT is A.K.A. Unshielded Twisted Pair and uses RJ45 connectors.
 - The LanCity modems only speak 10baseT.
 - 10baseT nets typically require a hub.
  (Exception: two 10baseT adapters can be connected directly, without
   using a hub, by means of a cable with Tx/Rx wires suitably crossed.)
 - It is not possible to config your 10baseT net as a daisy-chain i.e.
   it isn't possible to connect your LanCity modem such that it can
   talk directly to more than one Enet adapter without using a hub.
 - 10base2 is A.K.A. thin-wire (coax) and uses BNC connectors.

You said that you suffered the problem of having your LanCity modem
see the wrong Enet adapter after powerup, implying that your modem
could see more than one adapter.  So, given my premises above,
that implies you're using a hub.  And you said you run thin-wire
Enet, but how do you go from 10baseT to 10base2 without SOME kind
of translator, like a hub or a gateway machine?

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

>I have a friend whose access was shut off by M1X because of a security
>problem.  He had a system (I forget which O/S, I think it was actually a
>Microsoft box) which ran a piece of software with a security hole in it.
>A hacker used it to hide source addresses and wreak havoc in such a way
>that M1X tech support got dragged into it.  My friend hadn't logged the
>activity, so he got blamed for the hackery and had no way to prove it
>wasn't him.  Finally after a couple of days he persuaded M1X to turn
>his service back on.

I'll bet it was his SOCKS service that was hijacked, a favorite of
the badguys; leaving SOCKS accessible via the external Enet adapter
is a very bad idea.  The badguys routinely scan for vulnerable
machines by sweeping numerically through a range of IP addrs, trying
doorknobs by attempting to connect to various ports, typically 1080,
the well-known SOCKS port.  If they establish the connection your
machine will likely be enslaved as a spamming platform, or used
as an (essentially) untraceable relay point for various other
rude behaviors.  Some m1x staffers now perform those same sweeps
through the m1x IP addr range on an informal basis, hoping to find
such vulnerabilities before the badguys do.

Regards,
 ---------------------------------
 Michael O'Donnell     mod at std.com
 ---------------------------------