Date:      Sun, 8 Sep 1996 22:37:22 -0700 (PDT)
From:      "Alan B. Evans" <>
To: (Vic Metcalfe)
Subject:   Re: Firewall to keep out NetBIOS
Message-ID:  <>
In-Reply-To: <> from "Vic Metcalfe" at Sep 5, 96 04:27:54 pm

> I'm trying to set up freebsd as a firewall to keep people on the internet 
> from accessing MS-Windows shared directories.
> We have a FreeBSD 2.1.0 system with a full time connection to the net 
> through a 28.8 modem, and a Windows NT/95/3.1 lan on the inside.  The 
> FreeBSD box acts as a gateway to our Windows systems, which all have 
> valid IP addresses within our class C.
> I want to keep out TCP and UDP traffic from ports 137, 138 and 139, so I 
> started with something like this:
> /sbin/ipfw addf deny tcp from any to $1 137
> /sbin/ipfw addf deny tcp from $1 137 to any
> (I've used $1 in a script so that I can try different values)
> When I run this script with $1=, it doesn't work.  
> Connections are still allowed through the net.  Same with 
>  It does work if I give a full ip, such as  
> My solution has been to run this script with every possible value for our 
> class C network.  This results in just over 3000 ipfw rules!  (3 ports x 
> 2 for full duplex x 2 for UDP/TCP x 253 valid IPs)
> Not only does the script take a heck of a long time to run, but it seems 
> like a very inefficient way to do things.  I'm amazed the network (and 
> internet services) are still running at a decent speed!
> I'm sure there is an easier way to do this, with only a few rules, but I 
> haven't been able to find it.  The only valid documentation I could find 
> was the man page, since the FreeBSD Handbook examples, as well as most of 
> the stuff in the mailing list archives on talk about other 
> versions of ipfw that don't take the same syntax.
> Any help would be appreciated,
>   Vic.
> BTW, what other things should I look at to protect the various MS-Windows 
> systems on the network?  Please don't suggest re-formatting and 
> installing FreeBSD on all of them, although that would be nice. ;)


To stop NetBIOS stuff from coming in or going out:

   /sbin/ipfw addf deny udp from any to $1 137
   /sbin/ipfw addf deny udp from $1 137 to any
   /sbin/ipfw addf deny udp from any to $1 138
   /sbin/ipfw addf deny udp from $1 138 to any
   /sbin/ipfw addf deny tcp from any to $1 139
   /sbin/ipfw addf deny tcp from $1 139 to any

I'm not sure on the syntax (I use 2.1.0R). As to anything else,
your site policies should dictate which services to let in/filter out.


You can reach me at @ :
inet	:
ICBM    : 33 39' N 117 59' W   Cruise : 33 39' 37" N 117 59' 54" W
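As an added example (not code from either message in this thread), here is a small Python model of a stateless filter that checks whether six deny rules keyed on the whole network cover every host of a /24 on ports 137, 138 and 139 in both directions, which is what Vic's 3000-rule per-host expansion was doing. The rule format is the model's own, not ipfw syntax, and the 192.0.2.0/24 LAN and 203.0.113.9 outside host are constructed placeholder addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")   # wildcard address, like ipfw's "any"

@dataclass(frozen=True)
class Rule:
    """One deny rule; None for a port means 'any port'."""
    proto: str                      # "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

# NetBIOS: 137/udp name service, 138/udp datagram service, 139/tcp session service
NETBIOS = (("udp", 137), ("udp", 138), ("tcp", 139))

def netbios_rules(lan: str) -> List[Rule]:
    """Six rules keyed on the LAN network (one netmask, not one rule per host):
    inbound to each NetBIOS port and outbound from it."""
    net = ipaddress.ip_network(lan)
    rules = []
    for proto, port in NETBIOS:
        rules.append(Rule(proto, ANY, None, net, port))   # from any to LAN port
        rules.append(Rule(proto, net, port, ANY, None))   # from LAN port to any
    return rules

def denied(rules: List[Rule], proto: str, src: str, sport: int,
           dst: str, dport: int) -> bool:
    """All rules are deny rules, so a packet is dropped if any rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto == proto and s in r.src and d in r.dst
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return True
    return False

def lan_fully_covered(lan: str, outside: str = "203.0.113.9") -> bool:
    """Walk every usable host in the LAN (the work Vic's script did by hand)
    and confirm all three ports are blocked in both directions."""
    rules = netbios_rules(lan)
    for host in ipaddress.ip_network(lan).hosts():
        for proto, port in NETBIOS:
            if not denied(rules, proto, outside, 40000, str(host), port):
                return False
            if not denied(rules, proto, str(host), port, outside, 40000):
                return False
    return True
```

Traffic to other ports on the same hosts, and NetBIOS traffic to addresses outside the network, is not matched, so the model also shows that the six rules do not over-block.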
