From: Sam Drinkard
Organization: You Gotta Be Kiddin!
Date: Wed, 08 May 2002 14:46:12 -0400
To: freebsd-security@freebsd.org
Subject: Stock rc.firewall
Message-ID: <3CD97274.4B62D938@vortex.wa4phy.net>
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386)

Hello all,

I may be trying too hard to close stuff off, but I've read so much that I'm pretty confused now, and would appreciate some pointers, or examples.

Situation: In setting up the "simple" mode firewall, I find that works quite well -- too well in fact, in that it also kills all connectivity to the internal windoze box via samba. Can't ping it, nor can it ping the bsd machine. I added a rule, "add pass ip from 192.168.100.5 to any via any", which permits tcp to function, but again, samba is dead because of the port 137 blocking. The services I currently need are the ntalkd and pop3 ports as defined by inetd.conf, port 80, and the other "normal" services ports, i.e., ntp, dns, ssh, etc. I have tried several different ideas, but every time, something breaks something else, and the things I've been reading don't really help much, including the docs on security, ipfw, and web-docs.

I'd sure appreciate it if someone could lend a hand here.. and if it will help, here's the basic configuration. FreeBSD connected to cable, feeding a single windoze machine at 192.168.100.5. So it's a pretty simple network at this point. My linux machine is currently off-line because of a hardware problem, but is also a 192.168 address. If I use the "open" version of the rc.firewall, of course, everything works just great with natd, but that's got to change.

TIA...

Sam
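The following is an added example, not code from the post above and not the stock FreeBSD rc.firewall: an rc.firewall-style sh fragment for the setup Sam describes (FreeBSD gateway on cable, natd on the outside, one Windows host at 192.168.100.5, ssh/www/pop3/dns/ntp/ntalk offered by the gateway). It keeps the "simple" ruleset's default-deny stance on the outside interface but adds the inside-interface rules the stock "simple" set lacks: SMB/NetBIOS (udp 137-139, tcp 139/445) and ICMP between the LAN and the gateway, plus explicit DNS/NTP reply rules instead of keep-state, because dynamic rules do not survive natd's address rewriting on the reply path. The interface names rl0/rl1, the inside network 192.168.100.0/24 and the FWCMD variable are assumptions for the example; the rule numbers are arbitrary.

```shell
#!/bin/sh
# Added example, not from the original post or the stock rc.firewall.
# Assumed (not in the post): outside interface rl0, inside interface rl1,
# inside network 192.168.100.0/24. The Windows host 192.168.100.5 is from the post.
oif="rl0"
iif="rl1"
inet="192.168.100.0/24"
# Dry-run by default: print the ipfw commands instead of loading them.
# Run with FWCMD=/sbin/ipfw to load the rules for real.
fwcmd="${FWCMD:-echo ipfw}"

emit_rules() {
    # Loopback, as in the stock ruleset.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    # NAT on the outside interface (natd must already be running).
    ${fwcmd} add 300 divert natd all from any to any via ${oif}
    # Anti-spoofing: inside addresses never arrive on the outside interface.
    ${fwcmd} add 400 deny all from ${inet} to any in via ${oif}

    # --- inside interface ---
    # SMB/NetBIOS between the Windows host and the gateway, both directions,
    # inside interface only: this is the port 137 traffic "simple" drops.
    ${fwcmd} add 500 pass udp from ${inet} to ${inet} 137-139 via ${iif}
    ${fwcmd} add 510 pass tcp from ${inet} to ${inet} 139,445 via ${iif} setup
    # Let the two sides ping each other.
    ${fwcmd} add 520 pass icmp from any to any via ${iif}
    # Replies for TCP sessions that were allowed to start.
    ${fwcmd} add 600 pass tcp from any to any established
    # Anything the LAN initiates (to the gateway's services or out through natd).
    ${fwcmd} add 700 pass all from ${inet} to any in via ${iif}
    # DNS/NTP answers heading back to the LAN, from the gateway or, after natd
    # has un-translated them, from the Internet.
    ${fwcmd} add 710 pass udp from any 53,123 to ${inet} out via ${iif}

    # --- outside interface ---
    # Connections the gateway (or a NATed LAN host) opens to the Internet.
    ${fwcmd} add 800 pass tcp from any to any out via ${oif} setup
    ${fwcmd} add 810 pass udp from any to any 53,123 out via ${oif}
    ${fwcmd} add 820 pass udp from any 53,123 to any in via ${oif}
    # Services the post lists as offered: ssh, www, pop3 (tcp); dns, ntalk (udp).
    ${fwcmd} add 900 pass tcp from any to any 22,80,110 in via ${oif} setup
    ${fwcmd} add 910 pass udp from any to any 53,518 in via ${oif}
    # Echo reply/request, unreachable, time exceeded; no other ICMP.
    ${fwcmd} add 920 pass icmp from any to any icmptypes 0,3,8,11
    # Default deny, logged, so ipfw show and syslog tell you what broke.
    ${fwcmd} add 65000 deny log all from any to any
}

emit_rules
```

Run as-is to review the generated rules; to load them, flush the old set first (`ipfw -f flush`) and run with `FWCMD=/sbin/ipfw` from the console rather than over ssh, since the session is cut between the flush and rule 900 being added. Any UDP the LAN sends out other than DNS and NTP is dropped at rule 65000 and shows up in the log, which is where to look when something "breaks something else".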