Date:      Sun, 8 Sep 1996 22:37:22 -0700 (PDT)
From:      "Alan B. Evans" <aevans@kaiwan009.kaiwan.com>
To:        vam@recruiter.on.ca (Vic Metcalfe)
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Firewall to keep out NetBIOS
Message-ID:  <199609090537.WAA05573@kaiwan009.kaiwan.com>
In-Reply-To: <Pine.BSF.3.91.960905161025.4302B-100000@recruiter.on.ca> from "Vic Metcalfe" at Sep 5, 96 04:27:54 pm

> 
> I'm trying to set up freebsd as a firewall to keep people on the internet 
> from accessing MS-Windows shared directories.
> 
> We have a FreeBSD 2.1.0 system with a full time connection to the net 
> through a 28.8 modem, and a Windows NT/95/3.1 lan on the inside.  The 
> FreeBSD box acts as a gateway to our Windows systems, which all have 
> valid IP addresses within our class C.
> 
> I want to keep out TCP and UDP traffic from ports 137, 138 and 139, so I 
> started with something like this:
> 
> /sbin/ipfw addf deny tcp from any to $1 137
> /sbin/ipfw addf deny tcp from $1 137 to any
> 
> (I've used $1 in a script so that I can try different values)
> 
> When I run this script with $1=207.34.214.0, it doesn't work.  
> Connections are still allowed through the net.  Same with 
> 207.34.214.255.  It does work if I give a full ip, such as 207.34.214.5.  
> My solution has been to run this script with every possible value for our 
> class C network.  This results in just over 3000 ipfw rules!  (3 ports x 
> 2 for full duplex x 2 for UDP/TCP x 253 valid IP's)
> 
> Not only does the script take a heck of a long time to run, but it seems 
> like a very inefficient way to do things.  I'm amazed the network (and 
> internet services) are still running at a decent speed!
> 
> I'm sure there is an easier way to do this, with only a few rules, but I 
> haven't been able to find it.  The only valid documentation I could find 
> was the man page, since the FreeBSD Handbook examples, as well as most of 
> the stuff in the mailing list archives on freebsd.org talk about other 
> versions of ipfw that don't take the same syntax.
> 
> Any help would be appreciated,
>   Vic.
> 
> BTW, what other things should I look at to protect the various MS-Windows 
> systems on the network?  Please don't suggest re-formatting and 
> installing FreeBSD on all of them, although that would be nice. ;)
> 

Vic,

To stop NetBIOS stuff from coming in or going out:

   /sbin/ipfw addf deny udp from any to $1 137
   /sbin/ipfw addf deny udp from $1 137 to any
   /sbin/ipfw addf deny udp from any to $1 138
   /sbin/ipfw addf deny udp from $1 138 to any
   /sbin/ipfw addf deny tcp from any to $1 139
   /sbin/ipfw addf deny tcp from $1 139 to any

I'm not sure on the syntax (I use 2.1.0R). As to anything else,
your site policies should dictate which services to let in/filter out.

--alan


-- 
You can reach me at @ :
inet	: aevans@kaiwan.com
ICBM    : 33 39' N 117 59' W   Cruise : 33 39' 37" N 117 59' 54" W
WWW	: http://www.kaiwan.com/~aevans/
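The symptom Vic describes (a rule written against 207.34.214.0 only blocks that one host, so every address in the class C needs its own rule) comes down to how the firewall interprets a bare address: without a mask it is a single host, not a network. The following is an added example, not code from the thread or from FreeBSD; it models an ordered first-match rule list in Python so the behaviour can be checked offline. The Packet/Rule structures, the `verdict` default action and the `as_ipfw` text form (assumed to follow modern ipfw(8) syntax, not the 2.1.0 `addf` form used in the thread) are all assumptions of this example.

```python
"""Why a bare address makes a single-host rule, and what a prefix buys you.

Added example, not part of the original mailing-list thread. It models an
ordered, first-match firewall rule list (like ipfw's) with constructed
Packet/Rule structures; it is not ipfw's real data model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

NETBIOS_UDP = (137, 138)   # name service, datagram service
NETBIOS_TCP = (139,)       # session service (file/printer sharing)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "deny" or "allow"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: Optional[IPv4Network]   # None means "any"
    sports: Tuple[int, ...]      # () means any port
    dst: Optional[IPv4Network]
    dports: Tuple[int, ...]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.sports and p.sport not in self.sports:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True

    def as_ipfw(self) -> str:
        # Assumed modern ipfw(8) spelling ("ipfw add ... net/prefix port,port");
        # FreeBSD 2.1's "addf" form in the thread differs.
        def side(net: Optional[IPv4Network], ports: Tuple[int, ...]) -> str:
            if net is None:
                text = "any"
            elif net.prefixlen == 32:
                text = str(net.network_address)
            else:
                text = str(net)
            if ports:
                text += " " + ",".join(str(p) for p in ports)
            return text
        return (f"ipfw add {self.action} {self.proto} "
                f"from {side(self.src, self.sports)} to {side(self.dst, self.dports)}")


def netbios_rules(target: str) -> List[Rule]:
    """Deny NetBIOS in both directions for `target`.

    ip_network("207.34.214.0") is a /32, i.e. the single host .0 -- this is
    exactly what makes the per-address rules in the thread necessary.
    ip_network("207.34.214.0/24") covers the whole class C in one rule.
    """
    net = ip_network(target)
    rules = []
    for proto, ports in (("udp", NETBIOS_UDP), ("tcp", NETBIOS_TCP)):
        rules.append(Rule("deny", proto, None, (), net, ports))   # inbound
        rules.append(Rule("deny", proto, net, ports, None, ()))   # outbound
    return rules


def per_host_rules(network: str) -> List[Rule]:
    """The brute-force workaround from the thread: one rule set per host."""
    rules: List[Rule] = []
    for host in ip_network(network).hosts():
        rules.extend(netbios_rules(str(host)))
    return rules


def verdict(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    """First matching rule wins, as in ipfw's ordered list.

    The real default comes from the kernel's final rule and depends on how
    the kernel was built; "allow" here mirrors the thread, where unmatched
    NetBIOS connections still got through.
    """
    for r in rules:
        if r.matches(p):
            return r.action
    return default


if __name__ == "__main__":
    # Constructed sample traffic: an outside host probing a share on .5
    probe = Packet("tcp", "198.51.100.9", 40000, "207.34.214.5", 139)
    for target in ("207.34.214.0", "207.34.214.0/24"):
        rules = netbios_rules(target)
        print(f"{target}: {len(rules)} rules, probe -> {verdict(rules, probe)}")
        for r in rules:
            print("   ", r.as_ipfw())
    print("per-host workaround:", len(per_host_rules("207.34.214.0/24")), "rules")
```

Run as a script it prints that the bare-address rule set lets the port 139 probe through while the /24 rule set denies it, and that the per-host expansion needs four rules per address across the whole block, which is the rule-count explosion the thread complains about.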


