From owner-freebsd-security  Wed Jun  5 11:16:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20])
	by hub.freebsd.org (Postfix) with SMTP id 02A9037B403
	for <freebsd-security@FreeBSD.ORG>; Wed,  5 Jun 2002 11:16:19 -0700 (PDT)
Received: (qmail 16611 invoked by uid 0); 5 Jun 2002 18:16:14 -0000
Received: from p50910121.dip0.t-ipconnect.de (HELO mail.gsinet.sittig.org) (80.145.1.33)
  by mail.gmx.net (mp015-rz3) with SMTP; 5 Jun 2002 18:16:14 -0000
Received: (qmail 49737 invoked from network); 5 Jun 2002 18:00:00 -0000
Received: from shell.gsinet.sittig.org (192.168.11.153)
  by mail.gsinet.sittig.org with SMTP; 5 Jun 2002 18:00:00 -0000
Received: (from sittig@localhost)
	by shell.gsinet.sittig.org (8.11.3/8.11.3) id g55Hxrk49712
	for freebsd-security@FreeBSD.ORG; Wed, 5 Jun 2002 19:59:53 +0200 (CEST)
	(envelope-from sittig)
Date: Wed, 5 Jun 2002 19:59:53 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: samba and ipfw
Message-ID: <20020605195953.V1494@shell.gsinet.sittig.org>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <Pine.GSO.4.32.0206051243390.25024-100000@nippur.irb.hr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.GSO.4.32.0206051243390.25024-100000@nippur.irb.hr>; from mario.pranjic@irb.hr on Wed, Jun 05, 2002 at 12:50:52PM +0200
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Wed, Jun 05, 2002 at 12:50 +0200, Mario Pranjic wrote:
> 
> I have rules for smb like this:
> # samba
> add 660 allow tcp from any to me 138,139,445 setup keep-state
> add 661 pass udp from any 139 to me 139 keep-state
                            ^^^       ^^^

This is a typo, isn't it?  netbios-ns uses 137/udp.  And it
mostly is run in broadcast mode, so I don't know how the "me"
keywords disturbes (is too strict).

As usual:  When you have problems with your filter rules add a
default rule logging packets before denying them or use your
favourite sniffer tool (like tcpdump(8) which comes with the
base system) to see what's spoken.  Isn't this a FAQ?


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message