Date: Wed, 28 Nov 2001 16:26:06 +0100
From: Walter Hop
Message-ID: <1074327632.20011128162606@binity.com>
To: FreeBSD Questions
Subject: Firewalling a CIFS fileserver from the evil world.

Hi all,

I've been trying to firewall some Samba fileservers off from a LAN while
retaining (only) CIFS traffic. As I have found some old hardware that can
function as a small-time gateway, I'd like to put the fileservers on a
separate Ethernet.

    .--------.
    | samba1 |--.
    `--------'  |                 .---[ windows workstation ]
    .--------.  |   .---------.   +-- [ windows workstation ]
    | samba2 |--+---| gateway |---+- [ windows workstation ]
    `--------'      `---------'   +-- .....
                         |
                      .------.
                      | adsl |--/.
                      `------'

(The samba* and gateway are FreeBSD boxes)

I would like the Samba fileservers to be reachable only via the CIFS
protocol (they should be able to query other boxes too) and deny any other
traffic, and I wonder what ipfw rules I could inject into the gateway so
the samba servers have some sense of "physical" security.

Is there anybody who has an ipfw ruleset that allows (nothing but) CIFS
traffic, or can point me in the direction of a good description of the
CIFS protocol so I can make a better attempt? I guess it has been done
before, but I could not find anything useful on the web...

Thanks in advance!

w.

-- 
Walter Hop
Updated contact information: http://www.binity.com/~walter/