From owner-freebsd-questions Sun Sep 8 22:38:08 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA01900 for questions-outgoing; Sun, 8 Sep 1996 22:38:08 -0700 (PDT)
Received: from kaiwan009.kaiwan.com (kaiwan009.kaiwan.com [198.178.203.9]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA01891 for ; Sun, 8 Sep 1996 22:38:05 -0700 (PDT)
Received: (from aevans@localhost) by kaiwan009.kaiwan.com (8.7.3/8.7.3) id WAA05573; Sun, 8 Sep 1996 22:37:24 -0700 (PDT)
*** KAIWAN Internet ***
From: "Alan B. Evans"
Message-Id: <199609090537.WAA05573@kaiwan009.kaiwan.com>
Subject: Re: Firewall to keep out NetBIOS
To: vam@recruiter.on.ca (Vic Metcalfe)
Date: Sun, 8 Sep 1996 22:37:22 -0700 (PDT)
Cc: freebsd-questions@freebsd.org
In-Reply-To: from "Vic Metcalfe" at Sep 5, 96 04:27:54 pm
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I'm trying to set up freebsd as a firewall to keep people on the internet
> from accessing MS-Windows shared directories.
>
> We have a FreeBSD 2.1.0 system with a full time connection to the net
> through a 28.8 modem, and a Windows NT/95/3.1 lan on the inside. The
> FreeBSD box acts as a gateway to our Windows systems, which all have
> valid IP addresses within our class C.
>
> I want to keep out TCP and UDP traffic from ports 137, 138 and 139, so I
> started with something like this:
>
> /sbin/ipfw addf deny tcp from any to $1 137
> /sbin/ipfw addf deny tcp from $1 137 to any
>
> (I've used $1 in a script so that I can try different values)
>
> When I run this script with $1=207.34.214.0, it doesn't work.
> Connections are still allowed through the net. Same with
> 207.34.214.255. It does work if I give a full ip, such as 207.34.214.5.
> My solution has been to run this script with every possible value for our
> class C network. This results in just over 3000 ipfw rules! (3 ports x
> 2 for full duplex x 2 for UDP/TCP x 253 valid IPs)
>
> Not only does the script take a heck of a long time to run, but it seems
> like a very inefficient way to do things. I'm amazed the network (and
> internet services) are still running at a decent speed!
>
> I'm sure there is an easier way to do this, with only a few rules, but I
> haven't been able to find it. The only valid documentation I could find
> was the man page, since the FreeBSD Handbook examples, as well as most of
> the stuff in the mailing list archives on freebsd.org talk about other
> versions of ipfw that don't take the same syntax.
>
> Any help would be appreciated,
> Vic.
>
> BTW, what other things should I look at to protect the various MS-Windows
> systems on the network? Please don't suggest re-formatting and
> installing FreeBSD on all of them, although that would be nice. ;)
>

Vic,

To stop NetBIOS stuff from coming in or going out:

/sbin/ipfw addf deny udp from any to $1 137
/sbin/ipfw addf deny udp from $1 137 to any
/sbin/ipfw addf deny udp from any to $1 138
/sbin/ipfw addf deny udp from $1 138 to any
/sbin/ipfw addf deny tcp from any to $1 139
/sbin/ipfw addf deny tcp from $1 139 to any

I'm not sure on the syntax (I use 2.1.0R).

As to anything else, your site policies should dictate which services to
let in/filter out.

--alan
--
You can reach me at @ :
inet   : aevans@kaiwan.com
ICBM   : 33 39' N 117 59' W
Cruise : 33 39' 37" N 117 59' 54" W
WWW    : http://www.kaiwan.com/~aevans/
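As an added example (not from Alan's reply, and not 2.1.0's `addf` syntax): a script that emits the same six deny rules for the whole network in one pass. It assumes the later ipfw syntax, `ipfw add NUMBER deny PROTO from ... to NET/BITS PORT`, where an explicit mask covers every host, which is the case Vic's bare 207.34.214.0 never matched.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes the later ipfw
# syntax ("ipfw add NUMBER ..." with NET/BITS masks), not 2.1.0's "addf".
# It only prints the rules; review them, then pipe the output to sh.

# gen_netbios_rules NET/BITS [FIRST_RULE_NUMBER]
# Emits deny rules in both directions for UDP 137/138 and TCP 139,
# one rule per port and direction, numbered in steps of 10.
gen_netbios_rules() {
    net="$1"
    num="${2:-1000}"
    # A bare address matches one host only; that is why the per-host loop
    # in the thread needed ~3000 rules. Insist on an explicit mask.
    case "$net" in
        */*) ;;
        *) echo "gen_netbios_rules: expected NET/BITS, got '$net'" >&2; return 1 ;;
    esac
    for proto_port in "udp 137" "udp 138" "tcp 139"; do
        set -- $proto_port
        proto="$1"; port="$2"
        # inbound: anyone on the Internet reaching a NetBIOS port on the LAN
        echo "ipfw add $num deny $proto from any to $net $port"
        num=$((num + 10))
        # outbound: the LAN's own NetBIOS traffic leaving the network
        echo "ipfw add $num deny $proto from $net $port to any"
        num=$((num + 10))
    done
}

# rule_count NET/BITS: number of rules produced (6 for any network size)
rule_count() {
    gen_netbios_rules "$1" | wc -l | tr -d ' '
}

# Vic's class C from the thread as the default argument
gen_netbios_rules "${1:-207.34.214.0/24}"
```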