Date:      Thu, 5 Sep 1996 16:27:54 -0400 (EDT)
From:      Vic Metcalfe <vam@recruiter.on.ca>
To:        freebsd-questions@freebsd.org
Subject:   Firewall to keep out NetBIOS
Message-ID:  <Pine.BSF.3.91.960905161025.4302B-100000@recruiter.on.ca>

I'm trying to set up FreeBSD as a firewall to keep people on the internet 
from accessing MS-Windows shared directories.

We have a FreeBSD 2.1.0 system with a full-time connection to the net 
through a 28.8 modem, and a Windows NT/95/3.1 LAN on the inside.  The 
FreeBSD box acts as a gateway to our Windows systems, which all have 
valid IP addresses within our class C.

I want to keep out TCP and UDP traffic from ports 137, 138 and 139, so I 
started with something like this:

/sbin/ipfw addf deny tcp from any to $1 137
/sbin/ipfw addf deny tcp from $1 137 to any

(I've used $1 in a script so that I can try different values)

When I run this script with $1=207.34.214.0, it doesn't work.  
Connections are still allowed through the net.  Same with 
207.34.214.255.  It does work if I give a full ip, such as 207.34.214.5.  
My solution has been to run this script with every possible value for our 
class C network.  This results in just over 3000 ipfw rules!  (3 ports x 
2 for full duplex x 2 for UDP/TCP x 253 valid IPs)

Not only does the script take a heck of a long time to run, but it seems 
like a very inefficient way to do things.  I'm amazed the network (and 
internet services) are still running at a decent speed!

I'm sure there is an easier way to do this, with only a few rules, but I 
haven't been able to find it.  The only valid documentation I could find 
was the man page, since the FreeBSD Handbook examples, as well as most of 
the stuff in the mailing list archives on freebsd.org talk about other 
versions of ipfw that don't take the same syntax.

Any help would be appreciated,
  Vic.

BTW, what other things should I look at to protect the various MS-Windows 
systems on the network?  Please don't suggest re-formatting and 
installing FreeBSD on all of them, although that would be nice. ;)
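An added example (not from the post or from the FreeBSD project) of the netmask approach that replaces the per-host loop above: one rule per protocol and direction covers the whole class C, so four rules do the work of the ~3000 generated by iterating over every host address. It assumes the modern `ipfw add` syntax with CIDR networks and port ranges; the `ipfw addf` syntax on FreeBSD 2.1.0 may differ, and the rule numbers are arbitrary.

```shell
#!/bin/sh
# Added example: emit the handful of ipfw rules that replace the per-host
# loop from the post.  Assumes modern "ipfw add" syntax (CIDR network,
# port range "137-139"); FreeBSD 2.1's "ipfw addf" may differ.
# IPFW only echoes by default so the script can be run safely anywhere;
# set it to /sbin/ipfw to actually install the rules.
IPFW="echo /sbin/ipfw"

# netbios_rules NETWORK [RULE_BASE]
#   Print deny rules for NetBIOS (ports 137-139, TCP and UDP) in both
#   directions for a whole network given in CIDR form, e.g. 207.34.214.0/24.
#   Matching on the network (not a bare host address) is what collapses
#   253 per-host rule sets into one.
netbios_rules() {
    net=$1
    base=${2:-1000}
    for proto in tcp udp; do
        # inbound: the Internet reaching shares on any of our hosts
        printf 'add %d deny %s from any to %s 137-139\n' "$base" "$proto" "$net"
        base=$((base + 10))
        # outbound: our hosts' NetBIOS name/datagram/session traffic leaving
        printf 'add %d deny %s from %s 137-139 to any\n' "$base" "$proto" "$net"
        base=$((base + 10))
    done
}

# rule_count NETWORK: number of rules the netmask approach needs
rule_count() {
    netbios_rules "$1" | wc -l | tr -d ' '
}

# apply_netbios_rules NETWORK [RULE_BASE]: feed each rule to ipfw (or echo it)
apply_netbios_rules() {
    netbios_rules "$1" "$2" | while read -r rule; do
        # intentional word splitting: $rule holds the ipfw arguments
        $IPFW $rule
    done
}

apply_netbios_rules 207.34.214.0/24 1000
```

Check the result with `ipfw list` before trusting it: a bare host address in place of the `/24` network silently reverts to matching that single host, which is exactly the behaviour described in the post.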
