From: "frank amo"
To: freebsd-questions@FreeBSD.ORG
Subject: FreeBSD 4.4 , ipfw rules, and problem with samba
Date: Sun, 26 May 2002 07:17:20 -0700

Hello,

I have some questions and some problems that have occurred in reference to these questions. I have configured and currently operate a semi-hybrid network. There are several operating systems:

- 3 Windows systems (2 95 and 1 98) workstations
- 2 Red Hat Linux 6.1 systems, configured one as a Samba server and one as NFS
- 2 Slackware Linux 7.1 configured as NFS servers
- 1 Red Hat Linux 7.1 workstation only
- 1 Suse 7.1 workstation only
- 1 FreeBSD 4.4 gateway and packet filtering router
- 1 Linksys 4-port cable/DSL router
- 1 DSL modem

This is what my network looks like from end to end.

Before I implemented ipfw and the rc config file in FreeBSD, I was able to access my Samba server from Windows and Linux workstations, as well as being able to access my router's web-based configuration home page built into its firmware, without ever having a problem that I was not able to fix on it. On the FreeBSD router everything works smoothly with NAT. Strangely, as soon as I enabled the firewall, configured rules as well as other options in the firewall config file in FreeBSD, my Samba server is no longer accessible by my Windows or Linux clients. I also cannot access my Linksys router's web-based configuration home page using its default IP address.

Starting from the Linksys router: I use the default LAN IP address of 192.168.1.1/24, connected directly to ep0 on the FreeBSD server, having an IP address of 192.168.1.88/24. My second interface card, ep1, on the same server has an IP address of 192.168.0.1/24. My internal LAN IP address is obviously 192.168.0/24. Every computer can ping each other locally, NFS works smoothly on all systems, and I can browse the internet behind both the Linksys and the FreeBSD routers. I can no longer access my Samba server, which was never touched; both smbd and nmbd along with portmapper are available. I check the Samba config file with testparm and it has no errors. I restart Samba and run smbstatus without problem locally. Samba broadcasts are also displayed in tcpdump from my FreeBSD gateway server. None of my Windows computers can access my Samba server now. NBTSTAT with its options can see the workgroup and even the Samba server in the DOS prompt, but cannot find a path to it. I can ping by name to make sure that NBT works properly on Samba as well as Windows, and get nmbd responses, so both ports 137 and 139 are working. When I remove the FreeBSD router and change my IP address to the subnet that defaults to my Linksys router, Samba works again and I can access my Linksys router's configuration web page.

To troubleshoot this I used nmap for Linux and SuperScan for Windows. My Linksys router's web-based configuration page displays as filtered, and the Samba server displays ports 139, 23, 79, 98, 111. The port scanner results have always been the same to Samba when working successfully. The Linksys router shows only port 80 by default as open. I am strongly suspecting that the firewall initialization has somehow assumed some kind of network-wide policy to filter Samba access to the NetBIOS session service port 139; port 137 seems to work fine because Windows is able to ping Samba by its name without the need for an lmhosts file specification.

I don't know very much about networking to the degree of understanding how unicast or byte order will affect a network locally. I have a very simple network with no complicated or advanced configurations, but I know it well enough to know where a problem is coming from, and rely on port scanners as tools to tell me what services are active on a system. I know, and could bet someone, that my Samba server is configured properly; my hosts file is consistent enough to ping by name; my hosts allow file is the same as it was when it works. I mean the only change on the network I have to make is to shut down the BSD server, then change my IP address back to the 192.168.1 subnet to use the Linksys router as their gateway, to get access to my router's configuration web page and to access my Samba again. I strongly believe that I need to set a firewall rule to map my ports properly. If only I could email someone an attachment or a copy of all of my configuration files on FreeBSD to quickly analyse them, but I know that's out of the question. With the firewall enabled in the rc.conf file, the path to my firewall rules, and rc.firewall with its current configuration, I can access the internet using NAT on the FreeBSD behind the NAT on the Linksys router.

One more thing: when using nmap or SuperScan against both interfaces of the FreeBSD router, I only get the ports that are active on that system only, not the ports of the computers that I am attempting to forward behind the FreeBSD router. I have experience with the Linksys router and other types of firewalls that when I run nmap I get a list of what ports are listening. Nmap doesn't lie, it's pretty honest about things; the only time it will fail on me is when a system is either turned off or when it is blocking ping requests. For example, if I use the forwarding option on the Linksys router with block WAN request disabled and specify port 80 to a host with an IP address of 192.168.1.55, then, given that the host has a ready and working web server, nmap will list that port for me. Another example is the DMZ host feature of the Linksys router: there is only one entry to put one IP address for DMZ. If the host that I want set to DMZ has the IP address 192.168.1.20, with block WAN request disabled, then given that I have more than one service port open on my DMZ hosting computer, let's say ports 80, 22, 1721, 25, 110, 2049, 111, 1024, 53, 21, 20 etc., and that those ports are up and running, then by nmapping the router I will see all of the ports that are running and listening. If one of those services goes bad or turns into a zombie, then nmap will display filtered or closed.

I want to configure my FreeBSD packet filtering router to be my real firewall as well as a VPN server. I am configuring a collection of servers, mainly Linux and Unix based systems, that can be accessed remotely and wirelessly for research and development of Unix based systems.

Using FreeBSD as a packet filtering router, I am more than impressed with its performance; it seems that my internet speed increased dramatically when using this double firewall, don't ask me why, but the difference is more than obvious than with the Linksys router alone. I want to funnel all of my servers through the ipfw rules on my BSD router and output their services through the DMZ host feature of the Linksys router. With that configuration, I know I'm an amateur, but I find it very efficient and in some ways a little more secure and better than using a stupid firewall program like Zone Alarm or Black Ice Defender. This way, since the Linksys router cannot handle too many services alone, it could only forward ports from one computer instead of more, thereby relieving it of overhead and processing of queries incoming and outgoing. Second, the script kiddies who break past my Linksys router are likely to stop in one subnet and just hang there stupid while I watch them through tcpdump. I hope I make a little sense and with this long statement can provide information to help you answer my question and give me tips to fix my problem. I appreciate IDEAS, examples based on the identification of my problems.

frank
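The post describes a two-interface FreeBSD 4.4 gateway (ep0 192.168.1.88/24 toward the Linksys router and Samba server, ep1 192.168.0.1/24 for the inside LAN, natd for NAT) on which enabling ipfw cut off port 139 to Samba and port 80 to the router's web page. The script below is an added example, not the poster's rc.firewall and not stock FreeBSD code: an ipfw rule set that explicitly permits those two flows, permits general outbound traffic, and logs everything it denies so the blocked flow shows up in `ipfw show` counters and in /var/log/security (logging needs the IPFIREWALL_VERBOSE kernel option or net.inet.ip.fw.verbose=1). Inside traffic is filtered on ep1, where source addresses are still untranslated, so rules can name real LAN hosts; after the natd divert only a blanket "already accepted on the way in" rule is needed on ep0. The rule numbers, the variable names, and the Samba server address (SAMBA, a placeholder) are assumptions; the Linksys address 192.168.1.1 is the one given in the post. By default the script only prints the ipfw commands (dry run); set IPFW=/sbin/ipfw on the router to apply them.

```shell
#!/bin/sh
# Added example, not the poster's configuration: ipfw rules for a FreeBSD 4.x
# gateway laid out like the one in the post. Filters LAN traffic on the inside
# interface (addresses untranslated there), lets natd translate on the outside
# interface, and logs every dropped packet so the blocked flow can be read from
# `ipfw show` / /var/log/security instead of guessed from a port scanner.
# IPFW defaults to a dry run that only echoes the commands.

IPFW="${IPFW:-echo ipfw}"
OIF=ep0                        # toward Linksys router and Samba server (192.168.1.88/24)
IIF=ep1                        # internal LAN (192.168.0.1/24)
LAN=192.168.0.0/24
UPNET=192.168.1.0/24
ROUTER=192.168.1.1             # Linksys default LAN address from the post
SAMBA="${SAMBA:-192.168.1.50}" # assumed Samba server address (placeholder, not from the post)

load_rules() {
    $IPFW -f flush
    # loopback, and no packets claiming an inside source may arrive on the outside
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny log ip from $LAN to any in via $OIF
    # NAT on the outside interface (natd -n $OIF must be running)
    $IPFW add 200 divert natd ip from any to any via $OIF
    # replies belonging to TCP connections that are already set up
    $IPFW add 300 allow tcp from any to any established
    # LAN -> Samba: NetBIOS session (139/tcp) plus name/datagram service (137,138/udp)
    $IPFW add 400 allow tcp from $LAN to $SAMBA 139 setup in via $IIF
    $IPFW add 410 allow udp from $LAN to $SAMBA 137,138 in via $IIF
    $IPFW add 420 allow udp from $SAMBA 137,138 to $LAN in via $OIF
    # LAN -> Linksys web-based configuration page
    $IPFW add 500 allow tcp from $LAN to $ROUTER 80 setup in via $IIF
    # LAN -> Internet: new TCP connections to anything beyond the upstream subnet, plus DNS
    $IPFW add 600 allow tcp from $LAN to not $UPNET setup in via $IIF
    $IPFW add 610 allow udp from $LAN to any 53 in via $IIF
    $IPFW add 620 allow udp from any 53 to $LAN in via $OIF
    # packets accepted on the way in are allowed out on either interface
    $IPFW add 700 allow ip from any to any out via $OIF
    $IPFW add 710 allow ip from any to $LAN out via $IIF
    # ICMP needed for ping, path MTU and traceroute diagnostics
    $IPFW add 800 allow icmp from any to any icmptypes 0,3,8,11
    # everything else is dropped and logged (IPFIREWALL_VERBOSE / net.inet.ip.fw.verbose=1)
    $IPFW add 65000 deny log ip from any to any
}

load_rules
```

After loading, `ipfw show` lists a packet and byte counter per rule; a growing counter on rule 65000 together with the logged source, destination and port in /var/log/security identifies exactly which flow the policy is rejecting. Note that this rule set only translates outbound connections: natd exposes an inside host's service to the outside only when started with `-redirect_port`, which is why a scan of the gateway from the Linksys side shows the gateway's own listeners and nothing from the machines behind it.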