Folks,

I claim diald is the wrong place to try and block netbeui.
The diald filters just determine what brings the link up or
down; they do not control what goes out the link once it
is up.  Do you really want netbeui going out of and coming
into your network from the global internet?

What you really want is a firewall (ipfwadm) command to
block netbeui entirely, even when the link is up.  The attached
script is the firewall script we use.  There are two lines in it
that block netbeui from going out.  It blocks almost everything
else from coming in.

If you have a newer kernel that uses ipchains, this script will
not work for you.

Brian Beuning


#!/bin/sh
# Author: Brian Beuning <[EMAIL PROTECTED]>
#
# This firewall is for a home gateway system with just a couple
# of clients.  We want to allow anything from the clients out to
# the internet but not allow unsolicited internet traffic into
# our network.  The protocols we use are:
#       HTTP (WWW)
#       FTP (Passive mode only)
#       DNS name resolution (for local caching only)
#       NNTP (net news)
#       NTP (net time)
#       POP3 (for incoming e-mail)
#       SMTP (for outgoing e-mail only)
#
# We have a local DNS server running but it is caching only.

echo Start IP Firewall

ANY=0.0.0.0/0
DNS="207.69.188.185/32 207.69.188.186/32 207.69.188.187/32"
LOCAL=127.0.0.0/8
NET=192.168.0.0/16
NTP=207.69.200.3/32

# Flush any existing rules
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f

# Turn on Masquerading
ipfwadm -F -p deny
ipfwadm -F -a accept -m -P tcp -S $NET -D $ANY
ipfwadm -F -a accept -m -P udp -S $NET -D $ANY

# Block NetBIOS from going to the internet
ipfwadm -O -a deny -W ppp0 -P tcp -S $ANY -D $ANY 137 138 139
ipfwadm -O -a deny -W ppp0 -P udp -S $ANY -D $ANY 137 138

# Extending MASQ Timeouts
ipfwadm -M -s 7200 10 120

# The default is to deny all.  Below we will open it up again for TCP
# after we have blocked unsolicited packets.
ipfwadm -I -p deny

# Unlimited traffic within the local net.
ipfwadm -I -a accept -W lo
ipfwadm -I -a accept -W eth0

# Reject local LAN addresses not originating on local LAN
# This rule suggested by Brian McCauley <[EMAIL PROTECTED]>
ipfwadm -I -a deny -S $NET -o
ipfwadm -I -a deny -S $LOCAL -o


# Rules for TCP traffic.

# Allow ftp traffic through the SYN filter below.
# All the sites we need to access support PASSIVE mode,
# so we do not need this.  It is a pretty big security
# hole anyway.
# ipfwadm -I -a accept -P tcp -S $ANY 20  -D $ANY 1024:65535

# Allow Identd requests - mainly to keep messages out of the logs
ipfwadm -I -a accept -P tcp -W ppp0 -D $ANY 113

# Deny packets that originate (SYN=1,ACK=0) out in the internet.
# The -y flag only works for TCP, so make that explicit.
ipfwadm -I -a deny -P tcp -y -W ppp0 -o

# Accept all other TCP traffic (replies to connections we opened).
ipfwadm -I -a accept -P tcp


# Rules for UDP traffic

# The -S arguments on the UDP filters are dubious since someone
# sending bogus packets can set the source to whatever they want.
# Of course, they would not receive a reply, but they may not want one.
# The main reason this might help is if my ISP rejects IP traffic
# coming into the ISP with a source address of the ISP internal
# network.

# Allow DNS responses
# My ISP's name servers are 207.69.188.185, 186, and 187
# The file /etc/named.boot includes the lines
#       forwarders 207.69.188.185 207.69.188.186 207.69.188.187
#       options forward-only
# This keeps my named daemon from talking to any sites except my ISP
# We do not restrict the destination address (only the port) to allow
# nslookup some flexibility.
for server in $DNS
do
        ipfwadm -I -a accept -P udp -W ppp0 -S $server domain -D $ANY domain
done

# Allow Network Time Protocol (NTP) responses
# The file /etc/chrony.conf has the line:
#       server 207.69.200.3
for server in $NTP
do
        ipfwadm -I -a accept -P udp -W ppp0 -S $server ntp -D $ANY ntp
done

# Log rejected UDP packets
ipfwadm -I -a deny -P udp -o


# Limited ICMP traffic.
# The ICMP Message Types:
#       0       Echo Reply
#       3       Destination Unreachable
#       4       Source Quench
#       5       Redirect
#       8       Echo Request
#       11      Time Exceeded for a Datagram
#       12      Parameter Problem on a Datagram
#       13      Timestamp Request
#       14      Timestamp Reply
#       15      Information Request (obsolete)
#       16      Information Reply (obsolete)
#       17      Address Mask Request
#       18      Address Mask Reply
ipfwadm -I -a accept -P icmp -S $ANY 0 3 11 12 14 18

# Log rejected ICMP packets
ipfwadm -I -a deny -P icmp -o

# Turn on accounting for all hosts
./rc.acct

# Turn on dynamic address fix-up so diald works better
echo 5 > /proc/sys/net/ipv4/ip_dynaddr

# Load modules
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ppp.o

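The following is an added example, not part of the original message or Brian's script: a small Python model of the ipfwadm input and output chains in the script above, with first-match evaluation and the chain's default policy, so that the effect of the rule order can be checked without a 2.0 kernel. It uses the script's own addresses for $NET and the ISP servers; the gateway's ppp0 address (198.51.100.7) and the remote hosts (203.0.113.x) are constructed for the example. The checks confirm that the NetBIOS block applies only to ppp0 and leaves LAN file sharing alone, that the anti-spoofing deny sits after the eth0 accept so it only bites on the link, and that the DNS rule accepts ISP replies only to port 53, i.e. to named, so a resolver querying the ISP directly from an ephemeral port gets no reply.

```python
# Added example (not the original script): a model of the ipfwadm
# input (-I) and output (-O) chains, evaluated first-match with the
# chain policy as fallback, the way the kernel does it.
# Constructed for the example: 198.51.100.7 as the ppp0 address and
# 203.0.113.x as remote hosts. The $NET and ISP addresses are the script's.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")
NET = ip_network("192.168.0.0/16")
LOCAL = ip_network("127.0.0.0/8")
DNS_SERVERS = [ip_network(a) for a in
               ("207.69.188.185/32", "207.69.188.186/32", "207.69.188.187/32")]
NTP_SERVER = ip_network("207.69.200.3/32")


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the chain sees (-W): lo, eth0 or ppp0
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # for icmp this slot carries the ICMP type, as ipfwadm -S does
    dport: int = 0
    syn: bool = False   # SYN=1, ACK=0: what ipfwadm -y matches


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "deny"
    iface: Optional[str] = None     # -W
    proto: Optional[str] = None     # -P
    src: IPv4Network = ANY          # -S
    sports: Tuple[int, ...] = ()    # ports (or ICMP types) listed after -S
    dst: IPv4Network = ANY          # -D
    dports: Tuple[int, ...] = ()    # ports listed after -D
    syn_only: bool = False          # -y

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (not self.sports or p.sport in self.sports)
                and (not self.dports or p.dport in self.dports)
                and (not self.syn_only or (p.proto == "tcp" and p.syn)))


def evaluate(chain, policy, p):
    """First matching rule wins; the chain policy (-p) applies otherwise."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy


# ipfwadm -O (output chain, default policy accept): the two NetBIOS blocks
OUTPUT = [
    Rule("deny", iface="ppp0", proto="tcp", dports=(137, 138, 139)),
    Rule("deny", iface="ppp0", proto="udp", dports=(137, 138)),
]

# ipfwadm -I (input chain, policy deny), in the script's order
INPUT = [
    Rule("accept", iface="lo"),
    Rule("accept", iface="eth0"),
    Rule("deny", src=NET),          # LAN source seen on a non-LAN interface: spoofed
    Rule("deny", src=LOCAL),
    Rule("accept", iface="ppp0", proto="tcp", dports=(113,)),       # identd
    Rule("deny", iface="ppp0", proto="tcp", syn_only=True),         # unsolicited SYN
    Rule("accept", proto="tcp"),
] + [
    Rule("accept", iface="ppp0", proto="udp", src=s, sports=(53,), dports=(53,))
    for s in DNS_SERVERS
] + [
    Rule("accept", iface="ppp0", proto="udp", src=NTP_SERVER, sports=(123,), dports=(123,)),
    Rule("deny", proto="udp"),
    Rule("accept", proto="icmp", sports=(0, 3, 11, 12, 14, 18)),
    Rule("deny", proto="icmp"),
]


def input_verdict(p: Packet) -> str:
    return evaluate(INPUT, "deny", p)


def output_verdict(p: Packet) -> str:
    return evaluate(OUTPUT, "accept", p)


PPP = "198.51.100.7"     # constructed: the gateway's ppp0 address
REMOTE = "203.0.113.5"   # constructed: a host out on the internet

if __name__ == "__main__":
    checks = [
        ("NetBIOS session out over ppp0",       output_verdict(Packet("ppp0", "tcp", "192.168.0.2", REMOTE, 1025, 139))),
        ("NetBIOS session inside the LAN",      output_verdict(Packet("eth0", "tcp", "192.168.0.2", "192.168.0.3", 1025, 139))),
        ("unsolicited SYN to port 80 on ppp0",  input_verdict(Packet("ppp0", "tcp", REMOTE, PPP, 4444, 80, syn=True))),
        ("web server reply to our client",      input_verdict(Packet("ppp0", "tcp", REMOTE, PPP, 80, 1025))),
        ("spoofed LAN source on ppp0",          input_verdict(Packet("ppp0", "udp", "192.168.5.5", PPP, 53, 53))),
        ("DNS reply from ISP to named",         input_verdict(Packet("ppp0", "udp", "207.69.188.185", PPP, 53, 53))),
        ("DNS reply from ISP to ephemeral port", input_verdict(Packet("ppp0", "udp", "207.69.188.185", PPP, 53, 1025))),
        ("ping request from the internet",      input_verdict(Packet("ppp0", "icmp", REMOTE, PPP, 8))),
    ]
    for label, verdict in checks:
        print(f"{label:40s} {verdict}")
```

The model deliberately ignores masquerading (the -F chain) and logging (-o), which do not change accept/deny verdicts; it exists to show which rule each packet hits and why the order matters.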