What are correct IPFW settings for SAMBA?

[Mod: Split off from a ten year old thread]

I hope this helps you. Here's a copy of my ipfw-rules.sh shell script.

1) Save this as /usr/local/etc/ipfw-rules.sh
2) adjust the script according to your needs
3) make it executable: chmod +x /usr/local/etc/ipfw-rules.sh
4) run the rules script: sh /usr/local/etc/ipfw-rules.sh
5) set your system so that it runs /usr/local/etc/ipfw-rules.sh at startup to open the firewall.

It should open the correct IP ports for Samba. If you are only interested in the Samba ports you need to allow BOTH TCP and UDP in both directions [IN/OUT] on the following ports:

  • 81
  • 137
  • 138
  • 139
  • 445


Code:
#!/bin/sh
# ipfw rules script: flush the current ruleset, then add numbered rules.
# ipfw keeps rules sorted by number, not by the order they are added,
# so the rule numbers below decide the order in which packets are matched.
IPF="ipfw -q add"
ipfw -q -f flush

# BRUTE FORCE ATTACK BLOCKING:
# hosts listed in table 1 are dropped before anything else. These rules need
# explicit numbers: added without one right after a flush, ipfw would have
# numbered them 100 and 200, i.e. after the "allow ... out keep-state" rule 70.
$IPF 5 deny ip from me to table\(1\)
$IPF 6 deny ip from table\(1\) to me

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
# "established" matches any TCP segment with the ACK bit set, whether or not a
# state entry exists for it; rule 70 already creates state for outbound connections.
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# FTP:
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out

# SSH:
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out

# MAIL:
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out

# BIND / DNS:
$IPF 170 allow udp from any to any 53 in
$IPF 172 allow tcp from any to any 53 in
$IPF 174 allow udp from any to any 53 out
$IPF 176 allow tcp from any to any 53 out

# RNDC / BIND:
$IPF 180 allow udp from any to any 953 in
$IPF 182 allow tcp from any to any 953 in
$IPF 184 allow udp from any to any 953 out
$IPF 186 allow tcp from any to any 953 out

# APACHE / HTTPD:
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# PORT 81: not a Samba/NetBIOS port (NetBIOS uses 137-139, SMB uses 445);
# keep these four rules only if a service of yours actually listens on 81.
$IPF 211 allow tcp from any to any 81 in
$IPF 212 allow tcp from any to any 81 out
$IPF 213 allow udp from any to any 81 in
$IPF 214 allow udp from any to any 81 out

# POP3:
$IPF 220 allow tcp from any to any 110 in
$IPF 230 allow tcp from any to any 110 out

# NMBD: [SAMBA] NetBIOS name service (nmbd uses UDP here)
$IPF 400 allow tcp from any to any 137 in
$IPF 402 allow tcp from any to any 137 out
$IPF 404 allow udp from any to any 137 in
$IPF 406 allow udp from any to any 137 out

# NMBD: [SAMBA] NetBIOS datagram service (nmbd uses UDP here)
$IPF 408 allow tcp from any to any 138 in
$IPF 410 allow tcp from any to any 138 out
$IPF 412 allow udp from any to any 138 in
$IPF 414 allow udp from any to any 138 out

# SMBD: [SAMBA] NetBIOS session service (smbd uses TCP here)
$IPF 416 allow tcp from any to any 139 in
$IPF 418 allow tcp from any to any 139 out
$IPF 420 allow udp from any to any 139 in
$IPF 422 allow udp from any to any 139 out

# IMAP: [MAIL] (rule numbers 145-148 sort between rules 140 and 150)
$IPF 145 allow tcp from any to any 143 in
$IPF 146 allow tcp from any to any 143 out
$IPF 147 allow udp from any to any 143 in
$IPF 148 allow udp from any to any 143 out

# HTTP: TLS/SSL:
$IPF 424 allow tcp from any to any 443 in
$IPF 426 allow tcp from any to any 443 out
$IPF 428 allow udp from any to any 443 in
$IPF 430 allow udp from any to any 443 out

# SMBD: [SAMBA] direct SMB over TCP (smbd uses TCP here)
$IPF 432 allow tcp from any to any 445 in
$IPF 434 allow tcp from any to any 445 out
$IPF 436 allow udp from any to any 445 in
$IPF 438 allow udp from any to any 445 out

# SMTPS: [SECURE SMTP]
$IPF 465 allow tcp from any to any 465 in
$IPF 466 allow tcp from any to any 465 out
$IPF 467 allow udp from any to any 465 in
$IPF 468 allow udp from any to any 465 out

# IMAPS: [IMAP4 - SSL]
$IPF 485 allow tcp from any to any 585 in
$IPF 486 allow tcp from any to any 585 out
$IPF 487 allow udp from any to any 585 in
$IPF 488 allow udp from any to any 585 out

# IMAPS: [IMAPS-SSL]
$IPF 9930 allow tcp from any to any 993 in
$IPF 9931 allow tcp from any to any 993 out
$IPF 9932 allow udp from any to any 993 in
$IPF 9933 allow udp from any to any 993 out

# SECURE MAIL [SSL-POP / POP3S]
$IPF 9950 allow tcp from any to any 995 in
$IPF 9951 allow tcp from any to any 995 out
$IPF 9952 allow udp from any to any 995 in
$IPF 9953 allow udp from any to any 995 out

# MySQL
$IPF 3306 allow tcp from any to any 3306 in
$IPF 3307 allow tcp from any to any 3306 out
$IPF 3308 allow udp from any to any 3306 in
$IPF 3309 allow udp from any to any 3306 out

# SUBVERSION [SVNSERVE]
$IPF 3690 allow tcp from any to any 3690 in
$IPF 3691 allow tcp from any to any 3690 out
$IPF 3692 allow udp from any to any 3690 in
$IPF 3693 allow udp from any to any 3690 out

# POSTGRESQL:
$IPF 5432 allow tcp from any to any 5432 in
$IPF 5433 allow tcp from any to any 5432 out
$IPF 5434 allow udp from any to any 5432 in
$IPF 5435 allow udp from any to any 5432 out

# TELNETD
$IPF 23000 allow tcp from any to any 23032 in
$IPF 23001 allow tcp from any to any 23032 out
$IPF 23002 allow udp from any to any 23032 in
$IPF 23003 allow udp from any to any 23032 out

# WEBMIN:
$IPF 32000 allow tcp from any to any 32000 in
$IPF 32001 allow tcp from any to any 32000 out

# WEBMIN:
$IPF 32768 allow tcp from any to any 32768 in
$IPF 32769 allow tcp from any to any 32768 out

# OPENWEBMAIL:
$IPF 40004 allow tcp from any to any 40004 in
$IPF 40005 allow tcp from any to any 40004 out
$IPF 40006 allow udp from any to any 40004 in
$IPF 40007 allow udp from any to any 40004 out

# DEJA.Technology Platform:
$IPF 300 allow tcp from any to any 59095 in
$IPF 310 allow tcp from any to any 59095 out

# deny and log everything else (rule 65535 is ipfw's own default rule)
$IPF 65000 deny log all from any to any
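
An added example, not part of the post above and not the poster's script: a smaller ipfw ruleset that opens only the ports Samba listens on, with the correct protocol per port (UDP 137/138 for nmbd, TCP 139/445 for smbd), and only from the local LAN. The header comment shows the /etc/rc.conf lines that load a custom script at boot (step 5 above). The LAN prefix 192.168.1.0/24, the interface em0, the script path /usr/local/etc/ipfw-samba.sh, the rule numbers and the function names are assumptions for illustration; without arguments the script only prints the rules it would load, and `apply` runs them (as root, on the FreeBSD host).

```shell
#!/bin/sh
# Added example, not the poster's script: an ipfw ruleset that opens only the
# ports Samba listens on, only from the local LAN. LAN, IF, the script path and
# the rule numbers are assumptions; adjust them to your site.
#
# Loading it at boot on FreeBSD: set in /etc/rc.conf
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw-samba.sh"   # assumed path
#   firewall_logging="YES"                            # lets "deny log" rules log
# firewall_type is only read by the default script /etc/rc.firewall; once
# firewall_script points at a custom script it has no effect.

LAN="${LAN:-192.168.1.0/24}"   # assumed LAN prefix allowed to reach the shares
IF="${IF:-em0}"                # assumed interface facing that LAN
DRY_RUN="${DRY_RUN:-0}"        # 1 = print the ipfw commands instead of running them

# ipfw_cmd ARGS...: run ipfw, or print the command when dry-running or when
# ipfw is not installed (e.g. when reviewing the rules on a non-FreeBSD box).
ipfw_cmd() {
    if [ "$DRY_RUN" = "1" ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

# samba_rules BASE LAN IF: emit the two rules Samba needs, numbered BASE and BASE+1.
#   nmbd: UDP 137 (NetBIOS name service) and UDP 138 (NetBIOS datagram service).
#         Name queries and browse announcements are sent to the subnet broadcast
#         address, which ipfw's "me" does not match, so the rule says "to any"
#         and is confined by the source prefix and the interface instead.
#   smbd: TCP 139 (NetBIOS session service) and TCP 445 (direct SMB).
#         "setup keep-state" admits only new connections from the LAN; the
#         rest of each connection is passed by check-state.
# There is no UDP on 139/445, no TCP on 137/138, and port 81 plays no part.
samba_rules() {
    base=$1; lan=$2; ifc=$3
    ipfw_cmd -q add "$base" allow udp from "$lan" to any dst-port 137,138 in via "$ifc"
    ipfw_cmd -q add $((base + 1)) allow tcp from "$lan" to me dst-port 139,445 in via "$ifc" setup keep-state
}

# load_ruleset: the complete minimal set; anything not listed is dropped and logged.
load_ruleset() {
    ipfw_cmd -q -f flush
    ipfw_cmd -q add 10 allow ip from any to any via lo0
    ipfw_cmd -q add 20 deny ip from any to 127.0.0.0/8
    ipfw_cmd -q add 30 deny ip from 127.0.0.0/8 to any
    ipfw_cmd -q add 50 check-state
    # replies to connections and datagrams this host initiates (including
    # nmbd's answers to name queries) come back through the state table
    ipfw_cmd -q add 70 allow ip from me to any out keep-state
    samba_rules 400 "$LAN" "$IF"
    ipfw_cmd -q add 65000 deny log ip from any to any
}

# count_rules: number of ipfw commands the ruleset issues, as a sanity check
count_rules() {
    ( DRY_RUN=1; load_ruleset ) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) load_ruleset ;;             # run as root on the FreeBSD host
    *)     DRY_RUN=1; load_ruleset ;;  # default: only show what would be loaded
esac
```

The script keeps the poster's structure (loopback rules, check-state, outbound keep-state, a logging deny at the end) but drops the stateless `established` rule, so the only inbound traffic a LAN host can start is a NetBIOS/SMB exchange on the four ports Samba uses.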
Hello,
I was struggling with the same issue as "J" above and found your posted solution through an internet search. I followed your example and it works perfectly.
But I have a follow-up question: do you/I still need to also specify the firewall type in /etc/rc.conf? e.g., firewall_type="WORKSTATION", client, simple, etc.
I tried your code with and without the firewall type specified and it works both ways, so I was wondering what you do in your /etc/rc.conf?
Thanks for your solution.