From owner-freebsd-ipfw Thu Mar 8 2:26:46 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from doormat.odey.co.uk (doormat.odey.co.uk [195.13.88.6]) by hub.freebsd.org (Postfix) with ESMTP id 3E89537B718 for ; Thu, 8 Mar 2001 02:26:34 -0800 (PST) (envelope-from B.Sutton@odey.co.uk)
Received: (from proxy@localhost) by doormat.odey.co.uk (8.9.3/8.9.3) id KAA18828 for ; Thu, 8 Mar 2001 10:26:33 GMT
Received: from (odeydom.odey.co.uk [192.168.100.4]) by doormat.odey.co.uk via smap (V2.1) id xma018730; Thu, 8 Mar 01 10:25:15 GMT
To: "FreeBSD IPFW List"
Subject: Re: FW: MS Shares through IPFW
X-Mailer: Lotus Notes Release 5.0.4a July 24, 2000
Message-ID:
From: "Blair Sutton/Odey"
Date: Thu, 8 Mar 2001 10:25:14 +0000
X-MIMETrack: Serialize by Router on odeydom/Odey(Release 5.0.5 |September 22, 2000) at 03/08/2001 10:25:14 AM, Serialize complete at 03/08/2001 10:25:14 AM
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Assuming your MS clients are not running NetBEUI, and they are just running TCP/IP with static IP addresses, I cannot see why DHCP requests are being made. Check the network TCP/IP conf on the MS client, make sure it does not attempt to get an IP address automatically.

What may help too is setting the WINS server option (helps CIFS/SMB packets cross subnets).

Can you get a complete listing of your ipfw conf and possibly some sample tcpdumps?


"Patrick O'Reilly"
Sent by: owner-freebsd-ipfw@FreeBSD.ORG
08/03/2001 09:47

To: "FreeBSD Network List" , "FreeBSD IPFW List"
cc:
Subject: FW: MS Shares through IPFW

Hi all!

I need to allow some M$ clients to access M$ shares on an NT server, the clients and server being on opposite sides of a FreeBSD ipfw firewall. The firewall is running fine (has been for 6 months) but I cannot get this D**N Netbios stuff going.

In my desperation I have gone as far as adding these two very loose rules, which are the very first rules in the ipfw chain:
--------
/sbin/ipfw -q add 00009 allow log ip from 10.5.5.0/24 to 10.3.3.240
/sbin/ipfw -q add 00009 allow log ip from 10.3.3.240 to 10.5.5.0/24
--------

The 10.5.5.0/24 subnet includes the client we are testing, and 10.3.3.240 is the NT server. The 10.5.5.0/24 subnet is remote across a VPN, but there are IP tunnels in place so that the extra hops are transparent -> I don't THINK they should be causing our problems.

When the client tries to map the share on the server there is a whole bunch of traffic logged against rule #9, including ports UDP 137 and TCP 139, going back and forth between the client and server. The client is prompted for a login/password, which we enter VERY CAREFULLY to make sure we got it right, but thereafter the connection is refused.

Is this something about M$ security, or is there something else I am not seeing that the firewall might be denying?

The only curious thing I have observed is the following lines in the ipfw.log interspersed among all the "Accept" logs between these computers:
--------
Mar 7 11:16:08 eccles /kernel: ipfw: 65534 Deny UDP 0.0.0.0:68 10.3.3.240:67 in via rl2
Mar 7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 in via rl2
Mar 7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 out via rl0
--------

I believe ports 67 and 68 are used for DHCP - we are not using DHCP anywhere, so I don't understand why this pops up, but I include it as it may be relevant ?!? Also, why is the source IP on the first line 0.0.0.0 ?

Anyone with some more M$ / Netbios expertise - PLEASE HELP.

Thanks,
Patrick.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
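Editor's added example (my code, not anything Blair or Patrick posted): a small Python triage script for ipfw syslog lines in the format quoted above. It tags the DHCP and NetBIOS ports by their IANA names and checks every denied packet against the two rule-9 allow pairs from Patrick's message, so a deny is classified either as "src/dst outside both rule-9 pairs" (as with the 0.0.0.0:68 line, whose source is not in 10.5.5.0/24) or as "inside the pair but still denied", which would point at an earlier deny rule. The first three sample lines are the ones in the thread; the remaining three, including a NetBIOS datagram to the 10.3.3.255 broadcast, are constructed for the example and not taken from Patrick's log.

```python
"""Triage FreeBSD ipfw syslog lines: who was denied, on which service, and
whether the packet was even inside the two 'rule 9' allow pairs.

Added example for this thread, not code posted by Blair or Patrick.
"""
import ipaddress
import re
from collections import Counter

# ipfw log format on FreeBSD 4.x:
#   "ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>"
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>[\w:.]+)\s+"
    r"(?P<src>[\d.]+?)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+?)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# Well-known ports for the traffic under discussion (IANA assignments).
SERVICE = {
    ("UDP", 67): "DHCP/BOOTP server",
    ("UDP", 68): "DHCP/BOOTP client",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (SMB)",
}

# The two rule-9 allow pairs from Patrick's message, as (src net, dst net).
RULE9 = [
    (ipaddress.ip_network("10.5.5.0/24"), ipaddress.ip_network("10.3.3.240/32")),
    (ipaddress.ip_network("10.3.3.240/32"), ipaddress.ip_network("10.5.5.0/24")),
]

# Constructed sample: the three lines quoted in the thread plus three NetBIOS
# lines made up for this example (the last one is a subnet broadcast).
SAMPLE_LOG = """\
Mar 7 11:16:08 eccles /kernel: ipfw: 65534 Deny UDP 0.0.0.0:68 10.3.3.240:67 in via rl2
Mar 7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 in via rl2
Mar 7 11:16:08 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.1:67 10.3.3.240:67 out via rl0
Mar 7 11:16:09 eccles /kernel: ipfw: 9 Accept UDP 10.5.5.20:137 10.3.3.240:137 in via rl2
Mar 7 11:16:09 eccles /kernel: ipfw: 9 Accept TCP 10.5.5.20:1045 10.3.3.240:139 in via rl2
Mar 7 11:16:09 eccles /kernel: ipfw: 65534 Deny UDP 10.5.5.20:138 10.3.3.255:138 in via rl2
"""


def parse_ipfw_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["proto"] = rec["proto"].upper()
    for key in ("sport", "dport"):          # ICMP lines carry no ports
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    return [r for r in map(parse_ipfw_line, text.splitlines()) if r]


def service_name(proto, port):
    return SERVICE.get((proto, port), "")


def covered_by_rule9(rec):
    """True if src/dst fall inside either rule-9 pair, i.e. rule 9 should have
    matched the packet before it reached the default deny."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return any(src in sn and dst in dn for sn, dn in RULE9)


def denied_flows(records):
    """Count denies per (proto, src, dst, dport, dir, iface); the source port
    is dropped because it is usually ephemeral."""
    flows = Counter()
    for r in records:
        if r["action"].lower() == "deny":
            flows[(r["proto"], r["src"], r["dst"], r["dport"], r["dir"], r["iface"])] += 1
    return flows


def unexplained_denies(records):
    """Denied packets that rule 9 should have accepted: evidence of an earlier
    deny rule rather than of a gap in the rule-9 pair."""
    return [r for r in records
            if r["action"].lower() == "deny" and covered_by_rule9(r)]


def report(records):
    """One line per denied flow, with service name and why rule 9 missed it."""
    lines = []
    items = sorted(denied_flows(records).items(),
                   key=lambda kv: tuple(str(x) for x in kv[0]))
    for (proto, src, dst, dport, dir_, iface), n in items:
        svc = service_name(proto, dport)
        why = ("inside rule-9 pair but denied: look for an earlier deny rule"
               if covered_by_rule9({"src": src, "dst": dst})
               else "src/dst outside both rule-9 pairs")
        lines.append(f"{n}x {proto} {src} -> {dst}:{dport} {dir_} via {iface}"
                     f" [{svc or 'unknown'}] {why}")
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Run it against a real /var/log/ipfw.log (or `dmesg` output) by feeding the file contents to `parse_log`; the RULE9 table is the only site-specific part and should be replaced with your own allow pairs.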