Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 8 Sep 1996 22:37:22 -0700 (PDT)
From:      "Alan B. Evans" <aevans@kaiwan009.kaiwan.com>
To:        vam@recruiter.on.ca (Vic Metcalfe)
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Firewall to keep out NetBIOS
Message-ID:  <199609090537.WAA05573@kaiwan009.kaiwan.com>
In-Reply-To: <Pine.BSF.3.91.960905161025.4302B-100000@recruiter.on.ca> from "Vic Metcalfe" at Sep 5, 96 04:27:54 pm

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
> 
> I'm trying to set up freebsd as a firewall to keep people on the internet 
> from accessing MS-Windows shared directories.
> 
> We have a FreeBSD 2.1.0 system with a full time connection to the net 
> through a 28.8 modem, and a Windows NT/95/3.1 lan on the inside.  The 
> FreeBSD box acts as a gateway to our Windows systems, which all have 
> valid IP addresses within our class C.
> 
> I want to keep out TCP and UDP traffic from ports 137, 138 and 139, so I 
> started with something like this:
> 
> /sbin/ipfw addf deny tcp from any to $1 137
> /sbin/ipfw addf deny tcp from $1 137 to any
> 
> (I've used $1 in a script so that I can try different values)
> 
> When I run this script with $1=207.34.214.0, it doesn't work.  
> Connections are still allowed through the net.  Same with 
> 207.34.214.255.  It does work if I give a full ip, such as 207.34.214.5.  
> My solution has been to run this script with every possible value for our 
> class C network.  This results in just over 3000 ipfw rules!  (3 ports x 
> 2 for full duplex x 2 for UDP/TCP x 253 valid IP's)
> 
> Not only does the script take a heck of a long time to run, but it seems 
> like a very in-efficient way to do things.  I'm amazed the network (and 
> internet services) are still running at a decent speed!
> 
> I'm sure there is an easier way to do this, with only a few rules, but I 
> haven't been able to find it.  The only valid documentation I could find 
> was the man page, since the FreeBSD Handbook examples, as well as most of 
> the stuff in the mailing list archives on freebsd.org talk about other 
> versions of ipfw that don't take the same syntax.
> 
> Any help would be appreciated,
>   Vic.
> 
> BTW, what other things should I look at to protect the various MS-Windows 
> systems on the network?  Please don't suggest re-formatting and 
> installing FreeBSD on all of them, although that would be nice. ;)
> 

Vic,

To stop NetBIOS stuff from coming in or going out :

   /sbin/ipfw addf deny udp from any to $1 137
   /sbin/ipfw addf deny udp from $1 137 to any
   /sbin/ipfw addf deny udp from any to $1 138
   /sbin/ipfw addf deny udp from $1 138 to any
   /sbin/ipfw addf deny tcp from any to $1 139
   /sbin/ipfw addf deny tcp from $1 139 to any

I'm not sure on the syntax (I use 2.1.0R). As to anything else,
you site policies should dictate which services to let in/filter out.

--alan


-- 
You can reach me at @ :
inet	: aevans@kaiwan.com
ICBM    : 33 39' N 117 59' W   Cruise : 33 39' 37" N 117 59' 54" W
WWW	: http://www.kaiwan.com/~aevans/



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?199609090537.WAA05573>