From owner-freebsd-questions@FreeBSD.ORG  Mon Jun 27 16:11:25 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 240C916A41C
	for <freebsd-questions@freebsd.org>;
	Mon, 27 Jun 2005 16:11:25 +0000 (GMT)
	(envelope-from freebsd@meijome.net)
Received: from sigma.octantis.com.au (sigma.octantis.com.au [207.44.188.23])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CC10443D1F
	for <freebsd-questions@freebsd.org>;
	Mon, 27 Jun 2005 16:11:22 +0000 (GMT)
	(envelope-from freebsd@meijome.net)
Received: (qmail 23505 invoked from network); 28 Jun 2005 02:11:22 +1000
Received: from unknown (HELO ?192.168.13.3?) (202.59.110.3)
	by sigma.octantis.com.au with (DHE-RSA-AES256-SHA encrypted) SMTP;
	28 Jun 2005 02:11:21 +1000
Message-ID: <42C02524.20805@meijome.net>
Date: Tue, 28 Jun 2005 02:11:16 +1000
From: Norberto Meijome <freebsd@meijome.net>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <BAY20-F1112781016C0CD68474B29A8EE0@phx.gbl>
	<Pine.GSO.4.58.0506271458550.17911@beatrix>
In-Reply-To: <Pine.GSO.4.58.0506271458550.17911@beatrix>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: IPFILTER Help
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2005 16:11:25 -0000

> 
> One way to resolve this would be to block all SMB/CIFS related traffic
> from reaching *out* of your FreeBSD gateway.
> 

Hi,
One thing to remember which may not be obvious at first - if you simply 
drop the packet, the client will wait till it times out, giving you that 
impression of just hanging/waiting. If instead, you reject the packet 
with the proper icmp code, the client will fail right away.

For traffic from your LAN, you may want to reject rather than drop. For 
traffic from WAN, you probably want to drop (why give yourself away).

check the excellent ipf howto for details.

http://www.obfuscation.org/ipf/ipf-howto.pdf
http://www.nwo.net/ipf/ipf-howto.html (html format of the pdf)

Cheers,
Beto