From: Ian Smith
To: Reinhold
Cc: freebsd-questions@freebsd.org
Date: Sat, 26 Apr 2008 14:39:50 +1000 (EST)
Subject: Re: brindging ath0 with re0 working, kinda, almost
In-Reply-To: <20080425182617.1B0A610656C3@hub.freebsd.org>

On Fri, 25 Apr 2008 19:05:47 +0100 (BST) Reinhold wrote:

> # block some known-bad ports without logging
> #
> block return-rst in quick on $ext_if1 proto tcp from any to any port {
>     111, 445, 1080, 6000, 6667 }
> block return-icmp in quick on $ext_if1 proto udp from any to any port {
>     137, 138, 139, 1434 }
> block return-rst in quick on $ext_if2 proto tcp from any to any port {
>     111, 445, 1080, 6000, 6667 }
> block return-icmp in quick on $ext_if2 proto udp from any to any port {
>     137, 138, 139, 1434 }

Just an almost-OT aside, and I don't use pf, but port 139 (netbios-ssn) is done on TCP, not UDP.
My current same-intent sections for ipfw are:

    # first take out the vast bulk of inbound TCP bogons / scan noise:
    crap="135,139,445,1433,2967,2968,4899,5900"
    crap="${crap},1080,8000,8080,3128"
    ${fwadd} deny log $afew tcp from any to any $crap in via ${ext_if} setup
    ${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
    [..]
    # first cut out most of the heavy duty UDP noise (incl broken insiders)
    junk="137,138,1433,1434"
    junk="${junk},3544"    # XP home calls home?  MS IPv6 'Teredo'
    ${fwadd} deny log $afew udp from any to any $junk via ${ext_if}

Some of the handbook firewall examples are mistaken about port 139 too.

cheers, Ian
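The transport mix-up Ian points out (port 139 listed under a UDP rule) is easy to catch mechanically. The following Python lint is an added example, not code from this thread or from either poster's configuration: it parses pf-style `block ... proto {tcp|udp} ... port { ... }` rules, compares each numbered port against a small table of the transport the service actually runs on, and reports ports filtered on the wrong transport. The rule texts and the service table are constructed for the example (the table holds only the NetBIOS and SQL Server services the thread talks about); the regex handles the wrapped port lists and comment lines seen in the quoted rules, and a corrected rule set is included so the lint's clean result can be compared with the flagged one.

```python
import re

# Transport each service actually operates on. 137/138 (name service and
# datagram service) are UDP, 139 (session service) is TCP, 1434 (SQL Server
# Browser) is UDP. Constructed for this example and deliberately short.
KNOWN_TRANSPORT = {
    137: ("netbios-ns", {"udp"}),
    138: ("netbios-dgm", {"udp"}),
    139: ("netbios-ssn", {"tcp"}),
    445: ("microsoft-ds", {"tcp"}),
    1433: ("ms-sql-s", {"tcp"}),
    1434: ("ms-sql-m", {"udp"}),
}

# Matches "block [return-xxx] in quick on IFACE proto PROTO ... port { LIST }".
# The "[^{}]*?" between proto and port keeps one rule from running into the
# next rule's port list once the file has been joined onto one line.
RULE_RE = re.compile(
    r"block\s+(?:return(?:-\w+)?\s+)?in\s+quick\s+on\s+(\S+)\s+"
    r"proto\s+(tcp|udp)\s+[^{}]*?port\s*\{([^}]*)\}"
)


def lint_pf_rules(text):
    """Return (iface, proto, port, service, allowed_transports) for every
    numbered port that appears in a rule for a transport the service does
    not use. Comment lines are dropped and wrapped rules are joined first."""
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    findings = []
    for match in RULE_RE.finditer(body):
        iface, proto, port_list = match.groups()
        for item in port_list.split(","):
            item = item.strip()
            if not item.isdigit():
                continue  # macros or service names are out of scope here
            port = int(item)
            if port in KNOWN_TRANSPORT:
                service, transports = KNOWN_TRANSPORT[port]
                if proto not in transports:
                    findings.append((iface, proto, port, service, sorted(transports)))
    return findings


# Constructed rule set mirroring the structure of the rules quoted in the thread.
QUOTED_STYLE_RULES = """
# block some known-bad ports without logging
#
block return-rst in quick on $ext_if1 proto tcp from any to any port {
    111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port {
    137, 138, 139, 1434 }
block return-rst in quick on $ext_if2 proto tcp from any to any port {
    111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port {
    137, 138, 139, 1434 }
"""

# Same intent with 139 moved to the TCP rule (return-rst is the matching
# reject for a TCP connection attempt). Constructed, not from the thread.
CORRECTED_RULES = """
block return-rst in quick on $ext_if1 proto tcp from any to any port {
    111, 139, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port {
    137, 138, 1434 }
block return-rst in quick on $ext_if2 proto tcp from any to any port {
    111, 139, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port {
    137, 138, 1434 }
"""


if __name__ == "__main__":
    for iface, proto, port, service, allowed in lint_pf_rules(QUOTED_STYLE_RULES):
        print(f"{iface}: port {port} ({service}) filtered on {proto}, "
              f"service runs on {'/'.join(allowed)}")
    print("corrected rule set findings:", lint_pf_rules(CORRECTED_RULES))
```

Run against the quoted-style rules the lint reports port 139 under UDP on both interfaces and nothing else; the corrected set produces no findings. Because the table is keyed on port number only, a service that legitimately listens on both transports must be entered with both in its set, otherwise the lint will flag a correct rule.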