From owner-freebsd-questions Thu Sep 5 13:28:49 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA16247 for questions-outgoing; Thu, 5 Sep 1996 13:28:49 -0700 (PDT)
Received: from recruiter.on.ca (recruiter.on.ca [198.53.146.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA16242 for ; Thu, 5 Sep 1996 13:28:44 -0700 (PDT)
Received: (from vam@localhost) by recruiter.on.ca (8.6.12/8.6.12) id QAA04373; Thu, 5 Sep 1996 16:27:55 -0400
Date: Thu, 5 Sep 1996 16:27:54 -0400 (EDT)
From: Vic Metcalfe
To: freebsd-questions@freebsd.org
Subject: Firewall to keep out NetBIOS
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm trying to set up FreeBSD as a firewall to keep people on the Internet from accessing MS-Windows shared directories. We have a FreeBSD 2.1.0 system with a full-time connection to the net through a 28.8 modem, and a Windows NT/95/3.1 LAN on the inside. The FreeBSD box acts as a gateway to our Windows systems, which all have valid IP addresses within our class C.

I want to keep out TCP and UDP traffic from ports 137, 138 and 139, so I started with something like this:

    /sbin/ipfw addf deny tcp from any to $1 137
    /sbin/ipfw addf deny tcp from $1 137 to any

(I've used $1 in a script so that I can try different values.)

When I run this script with $1=207.34.214.0, it doesn't work. Connections are still allowed through the net. Same with 207.34.214.255. It does work if I give a full IP, such as 207.34.214.5.

My solution has been to run this script with every possible value for our class C network. This results in just over 3000 ipfw rules! (3 ports x 2 for full duplex x 2 for UDP/TCP x 253 valid IPs.) Not only does the script take a heck of a long time to run, but it seems like a very inefficient way to do things. I'm amazed the network (and Internet services) are still running at a decent speed!

I'm sure there is an easier way to do this, with only a few rules, but I haven't been able to find it. The only valid documentation I could find was the man page, since the FreeBSD Handbook examples, as well as most of the stuff in the mailing list archives on freebsd.org, talk about other versions of ipfw that don't take the same syntax.

Any help would be appreciated,
Vic.

BTW, what other things should I look at to protect the various MS-Windows systems on the network? Please don't suggest re-formatting and installing FreeBSD on all of them, although that would be nice. ;)
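The matching behaviour the post is running into, shown as an added Python illustration (not code from the post or from ipfw): a rule that names an address without a netmask is a host rule and matches only that exact address, which is why 207.34.214.0 blocks nothing while 207.34.214.5 works; a rule that carries the network mask 255.255.255.0 covers every host in the class C with one entry per port and protocol. The 2.1.0 ipfw syntax for attaching that mask is not asserted here; the evaluator below is a simplified model of first-match deny rules.

```python
# Added example, not from the original post or from ipfw itself.
# Models how a packet filter compares a packet's address against a
# rule's address through a mask. Addresses are the ones in the post.

def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 address to a 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def matches(addr: str, rule_addr: str, rule_mask: str = "255.255.255.255") -> bool:
    """True if addr falls under rule_addr when both are viewed through rule_mask.

    The default mask is a host mask: only the exact address matches.
    """
    mask = ip_to_int(rule_mask)
    return (ip_to_int(addr) & mask) == (ip_to_int(rule_addr) & mask)


NETBIOS_PORTS = (137, 138, 139)


def blocked(rules, proto: str, dst_addr: str, dst_port: int) -> bool:
    """First-match evaluation of deny rules shaped (proto, addr, mask, port)."""
    for r_proto, r_addr, r_mask, r_port in rules:
        if r_proto == proto and r_port == dst_port and matches(dst_addr, r_addr, r_mask):
            return True
    return False


# What the post tried: the network address with an implicit host mask.
host_rules = [("tcp", "207.34.214.0", "255.255.255.255", p) for p in NETBIOS_PORTS]
# One rule per port that covers the whole class C via the network mask.
net_rules = [("tcp", "207.34.214.0", "255.255.255.0", p) for p in NETBIOS_PORTS]

if __name__ == "__main__":
    print(blocked(host_rules, "tcp", "207.34.214.5", 139))  # False: only .0 itself matches
    print(blocked(net_rules, "tcp", "207.34.214.5", 139))   # True: .5 is inside the /24
```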