From owner-freebsd-security  Thu Jun  6 12:25:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61])
	by hub.freebsd.org (Postfix) with ESMTP id 0B88937B407
	for <freebsd-security@FreeBSD.org>; Thu,  6 Jun 2002 12:25:43 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc01.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020606192542.MLRP1024.sccrmhc01.attbi.com@blossom.cjclark.org>;
          Thu, 6 Jun 2002 19:25:42 +0000
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.6) id g56JPec93572;
	Thu, 6 Jun 2002 12:25:40 -0700 (PDT)
	(envelope-from crist.clark@attbi.com)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Thu, 6 Jun 2002 12:25:40 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: freebsd-security@FreeBSD.org
Subject: Re: samba and ipfw
Message-ID: <20020606122540.B93321@blossom.cjclark.org>
Reply-To: "Crist J. Clark" <cjc@FreeBSD.org>
References: <Pine.GSO.4.32.0206051243390.25024-100000@nippur.irb.hr> <20020605195953.V1494@shell.gsinet.sittig.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020605195953.V1494@shell.gsinet.sittig.org>; from Gerhard.Sittig@gmx.net on Wed, Jun 05, 2002 at 07:59:53PM +0200
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Wed, Jun 05, 2002 at 07:59:53PM +0200, Gerhard Sittig wrote:
> On Wed, Jun 05, 2002 at 12:50 +0200, Mario Pranjic wrote:
> > 
> > I have rules for smb like this:
> > # samba
> > add 660 allow tcp from any to me 138,139,445 setup keep-state
> > add 661 pass udp from any 139 to me 139 keep-state
>                             ^^^       ^^^
> 
> This is a typo, isn't it?  netbios-ns uses 137/udp.  And it
> mostly is run in broadcast mode, so I don't know how the "me"
> keywords disturbes (is too strict).

'me' does not match broadcast addresses.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message