Date: Thu, 8 Mar 2001 04:26:52 -0600
From: Bill Fumerola
To: Patrick O'Reilly
Cc: FreeBSD Network List, FreeBSD IPFW List
Subject: Re: FW: MS Shares through IPFW
Message-ID: <20010308042652.Q31752@elvis.mu.org>

On Thu, Mar 08, 2001 at 11:47:45AM +0200, Patrick O'Reilly wrote:
> In my desperation I have gone as far as adding these two very loose rules,
> which are the very first rules in the ipfw chain:
> --------
> /sbin/ipfw -q add 00009 allow log ip from 10.5.5.0/24 to 10.3.3.240
> /sbin/ipfw -q add 00009 allow log ip from 10.3.3.240 to 10.5.5.0/24
> --------
>
> The 10.5.5.0/24 Subnet includes the client we are testing, and 10.3.3.240 is
> the NT Server. The 10.5.5.0/24 Subnet is remote across a VPN, but there are
> IP tunnels in place so that the extra hops are transparent -> I don't THINK
> they should be causing our problems.

"Transparent" hops wouldn't be the problem. IP packets coming across the
wire don't know the difference, neither does ipfw.

> When the Client tries to map the share on the Server there is a whole bunch
> of traffic logged against rule #9, including ports UDP 137 and TCP 139,
> going back and forth between the client and server. The client is prompted
> for a login/password, which we enter VERY CAREFULLY to make sure we got it
> right, but thereafter the connection is refused.

If the client is prompted for a login/password it would seem that a
connection has been established (and the firewall doesn't seem to be the
problem).

If you REALLY want to know what makes this windows crap tick, put the two
clients on the same subnet (on a hub, that makes this easy) and make your
connection and have a sniffer like tcpdump or (if you're running X)
ethereal. You'll get the entire picture and know exactly what rules to
write instead of bogusly allowing * (if protecting those subnets is a goal).

> --------
> Mar 7 11:16:08 eccles /kernel: ipfw: 65534 Deny UDP 0.0.0.0:68
> 10.3.3.240:67 in via rl2
>
> I believe ports 67 and 68 are used for DHCP - we are not using DHCP
> anywhere, so I don't understand why this pops up, but I include it as it may
> be relevant ?!? Also, why is the source IP on the first line 0.0.0.0 ?

What is the IP of a machine that has no IP (hint: and is looking for one..)?

-- 
Bill Fumerola - security yahoo / Yahoo! inc. - fumerola@yahoo-inc.com / billf@FreeBSD.org
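As an added example (not part of the thread or of ipfw itself), a small Python script that parses FreeBSD 4.x-style ipfw log lines like the one quoted above, counts what a catch-all "allow ip" rule such as rule 9 actually passed, and emits the per-port rules Bill suggests writing instead of allowing everything. Only the 65534 Deny line is from the thread; the rule-9 Accept lines and the client address 10.5.5.17 are constructed, and the log line shape is assumed to be `ipfw: <rule> <Action> <Proto> <src>:<port> <dst>:<port> <in|out> via <if>`.

```python
import re
from collections import Counter

# Constructed sample of ipfw syslog lines: the 65534 Deny line is the one quoted in
# the thread; the rule-9 Accept lines are made up to mirror the UDP 137 / TCP 139
# traffic the poster describes between 10.5.5.0/24 and 10.3.3.240.
SAMPLE_LOG = """\
Mar  7 11:15:58 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.17:137 10.3.3.240:137 in via rl2
Mar  7 11:15:58 eccles /kernel: ipfw: 9 Accept UDP 10.3.3.240:137 10.5.5.17:137 out via rl2
Mar  7 11:15:59 eccles /kernel: ipfw: 9 Accept TCP 10.5.5.17:1042 10.3.3.240:139 in via rl2
Mar  7 11:15:59 eccles /kernel: ipfw: 9 Accept TCP 10.3.3.240:139 10.5.5.17:1042 out via rl2
Mar  7 11:16:08 eccles /kernel: ipfw: 65534 Deny UDP 0.0.0.0:68 10.3.3.240:67 in via rl2
"""

# Assumed log shape: "ipfw: <rule> <Action> <Proto> <src>:<sport> <dst>:<dport> <in|out> via <if>"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Well-known ports the thread mentions (IANA names).
SERVICE = {67: "bootps", 68: "bootpc", 137: "netbios-ns", 139: "netbios-ssn"}

def parse(log):
    """Yield one dict per parsable TCP/UDP ipfw log line; anything else is skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {k: int(v) if k in ("rule", "sport", "dport") else v for k, v in m.groupdict().items()}

def classify(rec):
    """Name the service by the lowest well-known port on either side, else 'other'."""
    ports = sorted((rec["sport"], rec["dport"]))
    return next((SERVICE[p] for p in ports if p in SERVICE), "other")

def summarize(log):
    """Count (rule, action, proto, service) so a catch-all rule's real traffic is visible."""
    return Counter((r["rule"], r["action"], r["proto"], classify(r)) for r in parse(log))

def tighten(log, broad_rule, client_net, server):
    """Replace a catch-all 'allow ip' rule with per-service rules for what it actually passed."""
    rules = []
    for rule, action, proto, svc in sorted(summarize(log)):
        if rule != broad_rule or action != "Accept" or svc == "other":
            continue
        port = next(p for p, name in SERVICE.items() if name == svc)
        rules.append(f"allow {proto.lower()} from {client_net} to {server} {port}")
        rules.append(f"allow {proto.lower()} from {server} {port} to {client_net}")
    return rules
```

The generated rules are a starting point to review against a packet capture, not a drop-in ruleset; the Deny of 0.0.0.0:68 -> :67 is counted separately so it is not mistaken for share traffic.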