Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Networking (Apple) Businesses OS X Operating Systems Security Apple Hardware

Is Rendezvous Sharing More Than You'd Like? 93

Posted by Cliff from the loose-server-ports-sink-LANs dept.
Gropo asks: "I just got an email from my father who has just recently upgraded from OS 9 to Mac OS X on his PowerMac. He's connected to the 'net via Adelphia Cable and shares his TCP connection with my Mother's iMac via Software Base Station. He got a call from his neighbor (also running Mac OS X) who noticed 'My Father's Computer' show up on his network. My first thought was: 'He's picking up your AirPort signal' - alas the neighbor has no AirPort card. The neighbor *does* however also have an Adelphia cable modem. I asked him to scan for available afp:// servers and sure enough, a foreign machine showed up. What's the easiest way (if at all possible) to enable auto-detection for the local wireless LAN (useful for file and printer sharing within the household) yet remain invisible to other people also behind the cable companies' local DHCP box?"
This discussion has been archived. No new comments can be posted.

Is Rendezvous Sharing More Than You'd Like? More

Is Rendezvous Sharing More Than You'd Like?

Comments Filter:

  • Erm. (Score:5, Insightful)

    by Atzanteol ( 99067 ) on Monday April 14, 2003 @06:14PM (#5732010) Homepage
    Firewall? Isn't this the same issue one would have with Windows file-sharing?
    • That's the best answer - another one is to use the built in firewalling of the internet connected OS X box. Look here. [sympatico.ca] In the long run though I thought it was easier to spend like 100 bucks and get a cheap wireless Router / Firewall setup.
    • Yeah. That was my first thought.

      Why are people STILL using DSL and Cable modems without a Firewall??? They are there to protect you not just from those malicious people out there, but your own lack of understanding of computer security. This isn't meant to be a slam on anyone.. just a realistic fact that most people don't understand what's involved in network security.

      -Alex
  • Kudos to the honest and helpful neighbor, but I have to assume they didn't figure out "My Father's Computer" was your father's computer without some additionnal snooping. How much did they read? They did the right thing, of course assuming they read no more than necessary.

    Cable modems do have privacy issues, don't they? Mine is on the other side of an SMC firewall which (I hope I will not be instantly disabused!) is protection....

  • Passwords (Score:4, Informative)

    by andcarne ( 657052 ) <andcarne@mac.com> on Monday April 14, 2003 @06:17PM (#5732030)
    If you really don't want to use a firewall, you can always just give computer a meaningless name, and password protect all users on it.

    • Re:Passwords (Score:2, Insightful)

      by Anonymous Coward
      I don't understand why someone wouldn't install a NAT box (technically not a firewall). They are easy to install and cost almost nothing. Why take the risk?

    • Re:Passwords (Score:3, Informative)

      by Llywelyn ( 531070 )
      You have no choice under MacOS X but to password protect all users and all connection protocols are turned off by default. You would have to specifically enable sharing and remote login and even then the password is still there.
      • Of course, I am assuming that they have sharing turned on so it can bu used between the computers. Also, you can have guest access set up, which I assume he was since the neighbour was able to get on and find something telling who the computer belonged to.
      • With OSX, each user also has a public "drop box" that is visible and world writeable via Rendezvous. The intent is to have someplace where other users can give you files to look at. Leaving this open to the internet at large is just asking for someone to come along and fill your hard drive with junk.

        Two solutions: (1) remove the public drop box; (2) limit the total number of bytes that folder can contain. The former is quite easy. I'm not too sure how to acheive the latter.

        And, of course, just put
        • "With OSX, each user also has a public "drop box" that is visible and world writeable via Rendezvous. "

          True, IFF you actually enable it. That being said, simply being *writeable* isn't a problem, you can clean it out without *any* difficulty.

          If you need more a more secure setup, these can also be enabled with the click of a button--all up to how you want to handle it. I also *think* you could also chmod it to prevent anyone from writing to it, but that's another matter.
      • I have set up half a dozen accounts with no password. Just don't enter a password. It does warn you, but other than that...
    • This doesn't address the issue of all Rendezvous sharing. Sure, it handles actual file sharing, but not printer sharing.

      Is there a way to PW protect the printer share, so that it shows up, but you're prompted for a PW (save to keychain if you like)?

      -Alex

  • Services (Score:5, Informative)

    by rbbs ( 665028 ) <{robbieNOSPAMhughes} {at} {ntlworld.com}> on Monday April 14, 2003 @06:22PM (#5732075)
    In this particular case the problem is appletalk routing. Since you are creating a local subnet using the PowerMac as the router, you probably have appletalk activated on the wrong network interface. It needs to be on the Airport ethernet only and not on the wired connection. It can only be on one at a time so just switch it. - incidentally this won't change your ability to share info with the airported computer. You could also try blocking access to the appletalk port (548 IIRC) on your built in firewall. Alternatively, get a proper hardware firewall and use that to mask your subnet. Ultimately you need to be careful what services you enable on which interface as one of them is visible to the world and one isn't.

    • Not Rendezvous (Score:2, Interesting)

      by rbbs ( 665028 )
      PS I don't think this has anything to do with Rendezvous.

      • Re:Not Rendezvous (Score:4, Informative)

        by pldms ( 136522 ) on Monday April 14, 2003 @06:32PM (#5732154)
        PS I don't think this has anything to do with Rendezvous.

        Agreed. Rendezvous broadcasts must never be routed, but AppleTalk packets can. Maybe this can be set on the base station?
        • Nuts - misread the set up. Actually I think this may be possible with rendezvous. The packets wouldn't need to be routed to the neighbours.

          With cable modems, IIRC, you're on the same subnet as your neighbours.

          Does that sound plausible?
      • Why, then, after 3 years of using this very Cable service has a strange Mac never shown up under the Chooser?
        • maybe it never had appletalk switched on to access the ethernet port before?
        • What we have here is a practical demonstration of precisely why "Security Through Obscurity" isn't reliable.

          AppleTalk over IP doesn't support auto-discovery the way traditional AppleTalk does. In other words, the file share has always been there, and you could have mounted it via Chooser at any time, if you had known its IP address. If you doubt it, reboot both Macs into Mac OS 9 and give it a try.

          What Rendezvous does is remove the need to know the IP address. It's not directly related to file sharing

    • Re:Services (Score:4, Informative)

      by Anonymous Coward on Monday April 14, 2003 @07:34PM (#5732578)
      Afaik, port 548 is what AppleShare uses, not AppleTalk. AppleShare can run over TCP/IP or AppleTalk; but AppleTalk doesn't run on a TCP port because it isn't a TCP service (it's a different transport protocol itself). So if this is an appletalk issue, port 548 has nothing to do with it. I thought it was a rendezvous issue myself; i sometimes forget people still might use appletalk though.

      • Re:Services (Score:4, Interesting)

        by mkldev ( 219128 ) on Monday April 14, 2003 @09:17PM (#5733036) Homepage
        It would be more accurate to say that port 548 is AFP (the appletalk filing protocol) over TCP. AppleShare is an old term that refers to the sharing servers that existed prior to personal file sharing, and is basically deprecated. AFP refers to the low-level protocol itself.

        AppleTalk historically can refer to either the family of protocols or to DDP (datagram delivery protocol) that is used for non-TCP AppleTalk communication. In the context of pretty much everything but the network pane in Mac OS X, AppleTalk refers to the protocol family. In that single case, it refers to DDP binding to a particular interface, and the less-descriptive use of the word "AppleTalk" is retained for historical reasons to avoid confusion, AFAIK.

        In other words, you're both right, kind-of.

        • It's just Apple Filing Protocol, which is just the new term form AppleShare.

          Some rough equivalences:

          AppleTalk ~~ NetBIOS ~~ TCP

          AppleShare == Apple Filing Protocol ~~ SMB == CIFS

  • Buy him a router (Score:5, Informative)

    by sg3000 ( 87992 ) <sg_public AT mac DOT com> on Monday April 14, 2003 @06:27PM (#5732112)
    Rendezvous is designed to work on a subnet, and likely your dad and his neighbor are on the same subnet, thus the inintended sharing.

    Since he has a broadband connection, I'd recommend that you buy him a router, so that all of his Rendezvous packets stay in his house. No muss, no fuss. And routers can be as cheap as $30 -- I just bought a cool NetGear router to replace my LinkSys and it cost about $50. With the router, he can have multiple computers on his network, keep his LAN separate from the WAN, and have some basic security protection above and beyond the built-in firewall in Mac OS X.

    Or you can convince him to buy a new AirPort base station [apple.com] that has a built-in router so he can solve his problem as well as allow you to surf the 'Net on your PowerBook while you're over visiting.

    To me, it's a short threshold to come up with an excuse to buy sexy new Apple hardware [apple.com].
  • I suppose Rendezvous probably finds other Rendezvous enabled machines on the local subnet. Looking in System Preferences I can't see any way of limiting that by device (eg. ethernet but not modem) nor limiting it to specific IP address ranges.

    Also, the firewall configuration pane seems to be completely useless. If I'm reading correctly it seems that when I start the firewall it denies connections to any port not in the list displayed in the config pane. The list includes all the services I'm running. So if
    • ipfw rules
      sudo ipfw add 08800 deny tcp from any to any portnumber in via en0 for wired connections
      If i remember correctly...
      You will have to edit the ipfw file to get it to remember this on startup though... sudo pico /etc/ipfw.conf
    • Take a look at BrickHouse [tds.net], an interface for configuring the rules for ipfw. It provides a combination of a simple interface that still provides much more flexibility than the interface that Mac OS X gives you, plus conveniently allows you to edit the rules in the configuration file manually if you wish. Yah, you could do this using $EDITOR_OF_CHOICE, but I find this more convenient.

  • mac attack (Score:5, Funny)

    by Michael.Forman ( 169981 ) on Monday April 14, 2003 @06:38PM (#5732210) Homepage Journal

    there once was a power mac
    on the net i thought i'd hack
    i was stunned to see
    it ran bsd
    my plans were thus set back


    Michael. [michael-forman.com]

    sh: /usr/bin/fortune: not found
  • Your father isn't NAT'd by his Cable modem at all? I have DSL into an Airport Base Station and the NATing inherent to that is enough to keep my neighbors at bay. I would think there had to be some measure of this capability in the modem. If not, can he not just finagle the settings in the Sharing control panel to limit access? It shouldn't affect his Software Base Station at all.
    • DSL is different, you aren't sharing a subnet with neighbors in the same way that you are with a cable modem. You get your IP from the ISP's DHCP server, not the modem.

  • Any cable modem user would have the same problem (Score:5, Informative)

    by superposed ( 308216 ) on Monday April 14, 2003 @06:47PM (#5732287)
    Cable modems are notorious for creating security openings. In many cases, you and all the other computers in your neighborhood are bridged onto a single network. So it's the same as if you were on one big LAN.

    This issue affects your dad's computer whether or not your mom's computer is connected via it (the in-house network is just an extra wrinkle).

    So you need to do a careful job of insulating your dad's computer from the outside network. Start by turning off all unnecessary services that could be carried on the Ethernet adapter. (i.e., make sure these services are not allowed to communicate over the Ethernet adapter. It's fine to let them run over the Airport adapter if your software base station is configured correctly, but you will have to discriminate between the two). OS X does a pretty good job of not loading too many services in the default configuration. But you can fine tune what's going on using OS X's internal firewall. You should also turn off any file or printer sharing on the Ethernet adapter (using the Sharing preference panel). I'm not sure whether you can turn off Rendezvous on one particular adapter, but if you can, that would be a good idea too.

    Another way to restrict data from being sent over the Ethernet connection out to your neighbors, would be to install firewall or routing hardware between your Dad's computer and the cable modem. Then you won't really have to worry about reconfiguring your dad's computer at all. Anything that is labeled for "cable modem sharing" or "DSL connection sharing" should work fine for you. However, if you're going to get a connection sharing box, you might as well get one that can provide a connection directly to both your dad's computer and your mom's, so hers doesn't have to go through his to get to the Internet. There are plenty of cable modem routers out there that also include 802.11b support, and any of these should solve all your problems at once (i.e., they will hide your computers from your neighbors, and they will allow both of your computers to connect to the Internet independently via Airport or Ethernet). Apple's Airport base station is particularly nice, but there are other boxes in the $100 range that will work fine.

  • It's easy to fix... (Score:4, Funny)

    by dotgod ( 567913 ) on Monday April 14, 2003 @07:24PM (#5732532)
    Just apply the patch [yellowdoglinux.com]. ;-)
    • Yellowdog linux isn't that far ahead of the pact, if it all... Here's the deal... Linux can be just as multimedia rich as a OS X. Mac OS X can be just as stable as Linux. Linux can be made just as insecure as Windows. Windows can be made more secure than OpenBSD. I can run Linux apps on OpenBSD. OpenBSD has encrypted swap space. I can patch Linux to have an encrypted swap space. Freebsd uses IPFW I can make FreeBSD use PF The point is it all comes down to how much effort you want to put into it

  • Rendevous Web Servers (Score:4, Funny)

    by grouchomarxist ( 127479 ) on Monday April 14, 2003 @08:04PM (#5732717)
    Recent versions of MacOS added rendezvous support to web servers, so you can automatically detect those web servers using Safari. As a result I came across a co-worker's web site and saw some rather racy web sites that he was working on in his spare time.

    So yes. Rendezvous just might be sharing more than you'd like!
    • You found evidence that your co-worker is building a pornographic web site on company computers, on company time? A little blackmail ought to buy you a new Mac or two...

  • Common problem (Score:5, Informative)

    by DiSKiLLeR ( 17651 ) on Monday April 14, 2003 @08:19PM (#5732777) Homepage Journal
    This is a common problem, and is not specific to Mac OS X. If your father had been running windows, your neighbour would find your fathers windows shares on his Windows or Mac OS X box.

    The solution? Firewall.

    Read up on ipfw. Its the nice firewall FreeBSD uses and Darwin/OSX has it too.

    A few simple rules (default to deny etc) and you will be locked down tight.

    D.
    • I question whether or not this guy's father will want to learn the ins and outs of ipfw.

      Perhaps using the GUI firewall controls in System Preferences:Sharing:Firewall is a better way to go, at least for starters. It may be overly simple for many people, but it's perfect for those for whom scrolling through the ipfw man pages is a bit daunting.

      -/-

  • Talk about unlikely... (Score:5, Funny)

    by Big Sean O ( 317186 ) on Monday April 14, 2003 @09:33PM (#5733092)
    Two guys, neighbors, both running Jaguar, both on the same cable modem subnet.

    I mean, what are the odds? They're so low to be trivial! :-)

    (Caveat: I've been a Mac user since 1984, so this slam is just good natured ribbing...)
    • I'm a pro Mac user, and I actually thought the same thing on the first read-through. Wish I was a support guy in his neighborhood!

    • Re:Talk about unlikely... (Score:5, Insightful)

      by sg3000 ( 87992 ) <sg_public AT mac DOT com> on Tuesday April 15, 2003 @07:52AM (#5734947)
      > Two guys, neighbors, both running Jaguar, both on the
      > same cable modem subnet.

      > I mean, what are the odds?

      I was thinking the same thing. I think the odds are better that one has two convicted sex offenders on the same subnet than two Jaguar users.

      However, I think this is starting to change. At work, in my immediate area, the number of people buying new Macintoshes is starting to increase. The top cited reasons? In no particular order:

      1. The new iMac [apple.com]
      2. The fact that it "just works." It's funny to see a new Mac user who's been using Windows for years get kind of a confused look on their face, and say, "I can't explain it, but it just works."
      3. Mac OS X and its Unix underpinnings -- this seems to influence the more technical people
      4. Microsoft's copy restrictions in Windows XP. It surprises me how many people are turned off by this. Not that they're out pirating software or music or anything, but they mention that they just don't like it.

      • Re:Talk about unlikely... (Score:1, Interesting)

        by Anonymous Coward
        At work and at school, I'm surrounded by new mac users. I start to wonder if to make the stats work out, there are huge swaths of the country where no one buys macs at all.

        I'd say in the last year, 10 people I know have switched to mac, and none of the mac users have switched away from it. Almost everyone I know uses a mac as their main computer. Primarily they seem to be motivated by reason 2, with a handful of technical people motivated by reason 3. Also, everyone loves the design of the portables an

  • always use a firewall (Score:2, Informative)

    by fermion ( 181285 )
    My understanding is that everyone on a particular cable network, i.e. neighbors, shares the same network and the same pipe. It is one of the major disadvantages of cable. Since the purpose of Rendezvous is to transmit connect information to everyone on the network, this is the expected result. I think it may be a basic security flaw as significant as the Windows problems, especially if the service is turned on by default, shares the resources by default, and uses weak default passwords.

    I think we real

  • I would guess that IP over powerlines is going to have the same issue. namely unless every transformer has a packet switch then everyone in the neighborhood is going to be basically on a shared hub and hence share bandwidth and share their underwear too.

  • something to try (Score:5, Informative)

    by Aram Fingal ( 576822 ) on Monday April 14, 2003 @10:32PM (#5733290)
    One specific thing you may want to try with a firewall is blocking packets to 224.0.0.251. I've been using MacSniffer to monitor the traffic on my own home lan to see what I might need to do security-wise and noticed packets going to this address periodically. After some searching, I found that this is probably Rendezvous activity. See this article [oreillynet.com].
    • Or you can disable Rendezvous via the Applications/Utilities/Directory Access application. I suppose, if you don't need Rendezvous, you should probably turn it off. And if the problem is AppleTalk, like someone said, you can only use AppleTalk on one interface at a time. Though, I'd disable everything install a wireless router, and connect to computers via IP only.

  • ok (Score:1, Redundant)

    by papasui ( 567265 )
    I'm a network specialist for a cable company, the problem is probably that both machines ended up on the same subnet and since there's no router (i'm assuming) it goes out and hits the ubr and just like it would on a lan and shares with your neighbor.

  • Airport (Score:5, Informative)

    by red5 ( 51324 ) <gired5@gma[ ]com ['il.' in gap]> on Tuesday April 15, 2003 @01:52AM (#5734079) Homepage Journal
    People above have mentioned using a NAT/firewall. You also mentioned that your dad has a airport base station. AFAIK a Base Station is capable of being a NAT/firewall. So I'd just use that. You won't even need new hardware.
    • Actually, he said "software base station," which means that dad's Mac is acting as the access point and NAT'ing for Mom's Mac. That's why mom's mac didn't show up on the neighbor's network.

      Of course, Dad's Mac is perfectly capable of acting as the firewall in Jaguar, too, so your point about not needing new hardware is correct.
    • He mentioned his father was using a SOFTWARE Base Station; i.e., he is sharing his internet connection through use of an airport card in the computer connected to the broadband connection.
  • I had the same issues under 9.x.x until I got an ABS. We had 5 or 6 macs on our subnet. Don't get too paranoid about this - sure - secure your most vital files etc...then pool resources. It's like super fast P2P.

  • what's the problem exactly? (Score:3, Interesting)

    by davesag ( 140186 ) on Tuesday April 15, 2003 @04:15AM (#5734337) Homepage
    so your dad's mac is visible to his neighbour - big deal. assuming it's set up using the default permisions all your neighbour will be able to do is log in as a guest and drop files into his drop box. (/Users/${yrdad}/Public/Drop\ Box/) - now sure the neighbour could start filling that drop box with p0rn or whatever but if that'sa real concern then change the perms on the drop box. on the other hand yr dad could just be a good neigbour and make a shared volume of system upgrades, has equiv access to the neighbours drop box and they can both share itunes/ichat/iconquor/etc etc and get the some benefit out of having nice seamless integration with the neighbour. for what it's worth i always leave a "whoseMacIsThis.txt" file in my drop box so strays who happen to wander into my mac can quickly work out who i am and contact me if needs be.

    on the topic of open macs hwoever, if you happen to be in central london someday with some spare time, just sit down at bar italia on frith street soho, pop on yr wifi and see how many drop boxes you can visit. i found at least 5 open wifi networks and each one of those exposed lots of macs. didn't find any ichat users tho... but plenty of rendesvous (or liberty connector as i hear you merkins prefer nowadays) shared web sites (99% default index pages).

    oh and if you really wanna get into closed wifi networks remeber there is always KisMAC [versiontracker.com].

    enjoy

    • "Liberty Connector"?

      That's the funniest freakin' thing I've heard so far this week. :-)

      -/-
      Mikey-San
    • No, it's really not a big deal.

      The built-in firewall's been set up to only allow printer and file sharing, and the neighborhood in question is a quaint suburban/rural safety zone.

      On the other hand, if I found the same thing happening here in the Big City I might be a little bit more paranoid, and would likely get a Linksys to cap it off. I was curious if there was a way to 'anonymize' the machine without resorting to hardware firewalls.

  • Rendezvous or Appletalk? (Score:3, Informative)

    by alangmead ( 109702 ) on Tuesday April 15, 2003 @08:40AM (#5735239)

    You could check if the problem is Rendezvous by sending your father DockBrowser [apple.com] (perhaps by compiling it up for him first.) This should only show the machines available via Rendezvous.

    You could check if it was Appletalk by loading up chooser in Classic mode, perhaps with the Who's There [simtel.net] rdev. It should only show machines available via Appletalk

    You could disable appletalk in the ethernet interface connnected to the cable modem (Its in the Network pane in the System Preferences app.) and leave it on in the Airport interface.

  • Nothing to do with Rendez-vous (Score:3, Informative)

    by ElGanzoLoco ( 642888 ) on Tuesday April 15, 2003 @11:51AM (#5736943) Homepage
    Cable ISP's sometimes build their networks like LAN's. This aparently fools some macintoshes into thinking that it is, in fact, a LAN. I used to be able to see some macintoshes of my neighbourhood, until they fixed the problem.

  • Rendezvous traffic should not route off the link (Score:3, Informative)

    by Simon Spero ( 10945 ) on Tuesday April 15, 2003 @02:52PM (#5738515)
    Rendezvous uses Multicast DNS (mDNS) to find and announce services. Multicast DNS uses a link-local multicast address, which means that routers should never forward mDNS packets from one link to another.

    Simon
  • So, with Rendezvous on, you could potentially have a TON of iTunes libraries at your disposal, right?
  • I have seen this behavior ever since OS X Public Beta. At the time, I was on Charter Communications cable internet service, and slowly but surely I started to see other people's computers available in the 'Connect To Server?" dialogue.

    At first it was only one person's computer, but as other releases of OS X came out (1.x, etc.) there were more and more people visible on the network.

    That said, this was well before Rendezvous entered the picture, so it's probable that it is AppleTalk related.

    But, I a

  • see these entries in my /var/log/httpd/access_log

    218.19.158.252 - - [10/Apr/2003:22:32:10 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0"

  • Simply disable Appletalk on the WAN interface, Built-In Ethernet. As long as Robin Hood (think about that one) doesn't use that port for any local AppleTalking, he shouldn't have a problem.

Slashdot Top Deals

If the code and the comments disagree, then both are probably wrong. -- Norm Schryer

Close