# Odd SAMBA NetBios / IPF Filtering Issue



## roscoe (Dec 13, 2009)

Good day, this my first post on these forums (I've been reading them for several months now).  I am using IPF on a home server running 7.2.  I use it mainly as a SAMBA server (with NetBIOS enabled).  I believe I have added the necessary firewall rules for ports 137-139 & 445 to allow SAMBA to operate properly.

My problem is despite the fact that I have enabled NetBIOS UDP ports 137 & 138 in the outgoing direction, I see this in the IPF logs whenever I restart SAMBA a couple of times:


```
Dec 12 20:05:49 freebox ipmon[5119]: 20:05:48.953015 em0 @0:16 b 192.168.1.5,137 -> 192.168.1.255,137 PR udp len 20 96 OUT broadcast
Dec 12 20:05:50 freebox ipmon[5119]: 20:05:49.954023 em0 @0:16 b 192.168.1.5,137 -> 192.168.1.255,137 PR udp len 20 96 OUT broadcast
Dec 12 20:05:51 freebox ipmon[5119]: 20:05:50.955032 em0 @0:16 b 192.168.1.5,137 -> 192.168.1.255,137 PR udp len 20 96 OUT broadcast
```

Oddly, If I flush the IPF rules with

```
# ipf -Fa -f /etc/ipf.rules
```

and restart SAMBA the broadcasts on port 137 are allowed through (I've confirmed with Wireshark on another PC on the network).  Stranger still is that broadcasts on port 138 ARE allowed out.

Could this be a bug in IPF or more likely a problem with my ruleset?  Any suggestion to properly allow this broadcast out to the network?

My ipf.rules file is pasted below:


```
#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# (Outbound Section)
#################################################################

# Allow out access to ISP's Domain name server(s)
pass out quick on em0 proto tcp from any to <isp_primary> port = 53 flags S keep state
pass out quick on em0 proto udp from any to <isp_primary> port = 53 keep state
pass out quick on em0 proto tcp from any to <isp_secondary> port = 53 flags S keep state
pass out quick on em0 proto udp from any to <isp_secondary> port = 53 keep state

# Allow out non-secure WWW
pass out quick on em0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure WWW HTTPS
pass out quick on em0 proto tcp from any to any port = 443 flags S keep state

# Allow out SAMBA NetBIOS broadcast messages
pass out quick on em0 proto udp from any to any port = 137 keep state
pass out quick on em0 proto udp from any to any port = 138 keep state

# Allow out send & get email (DISABLED) 
#pass out quick on em0 proto tcp from any to any port = 110 flags S keep state
#pass out quick on em0 proto tcp from any to any port = 25 flags S keep state

# Allow out Network Time Protocol (NTP)
pass out quick on em0 proto udp from any to any port = 123 keep state

# Allow out FTP (active and passive modes)
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

# Allow out FTP passive mode data channel high order port numbers
pass out quick on em0 proto tcp from any to any port > 1024 flags S keep state

# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements)
# This function is using SSH (secure shell)
pass out quick on em0 proto tcp from any to any port = 22 flags S keep state

# Allow out insecure Telnet (DISABLED)
#pass out quick on em0 proto tcp from any to any port = 23 flags S keep state

# Allow out FreeBSD CVSup
pass out quick on em0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on em0 proto icmp from any to any icmp-type 8 keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule implements the default block
block out log first quick on em0 all

#################################################################
# (Inbound Section)
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
#block in quick on em0 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in quick on em0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on em0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on em0 from 127.0.0.0/8 to any       #loopback
block in quick on em0 from 0.0.0.0/8 to any         #loopback
block in quick on em0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on em0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on em0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on em0 from 224.0.0.0/3 to any       #Class D & E multicast

##### Block a bunch of different nasty things. #####

# Block frags
block in quick on em0 all with frags

# Block short tcp packets
block in quick on em0 proto tcp all with short

# Block source routed packets
block in quick on em0 all with opt lsrr
block in quick on em0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on em0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on em0 all with ipopts

# Block public pings
block in quick on em0 proto icmp all icmp-type 8

# Block ident
block in quick on em0 proto tcp from any to any port = 113

##### Block Netgear Digital Entertainer HD EVA8000 network advertisements #####
block in quick on em0 proto udp from 192.168.1.78 to any port 49151 >< 49156

# ---------------------------------------------------
# ----- Trusted Wired & Wireless Hosts IP Block -----
# ---------------------------------------------------
# Allow in requests for SAMBA server
# (Wired hosts IP block)
pass in quick on em0 proto udp from <wired hosts block> to any port = 137 keep state
pass in quick on em0 proto udp from <wired hosts block> to any port = 138 keep state
pass in quick on em0 proto tcp from <wired hosts block> to any port = 139 flags S keep state
pass in quick on em0 proto tcp from <wired hosts block> to any port = 445 flags S keep state
# (Wireless hosts IP block)
pass in quick on em0 proto udp from <wireless hosts block> to any port = 137 keep state
pass in quick on em0 proto udp from <wireless hosts block> to any port = 138 keep state
pass in quick on em0 proto tcp from <wireless hosts block> to any port = 139 flags S keep state
pass in quick on em0 proto tcp from <wireless hosts block> to any port = 445 flags S keep state

# Allow in requests for Apache server web pages (Cacti)
# (Wired hosts IP block)
pass in quick on em0 proto tcp from <wired hosts block> to any port = 80 flags S keep state
# (Wireless hosts IP block)
pass in quick on em0 proto tcp from <wireless hosts block> to any port = 80 flags S keep state

# ---------------------------------------------
# ----- Trusted Wired Hosts IP Block Only -----
# ---------------------------------------------
# Allow in requests for 3ware 3DM2 web page
pass in quick on em0 proto tcp from <wired hosts block> to any port = 888 flags S keep state

# Allow in requests for SAMBA SWAT web page 
pass in quick on em0 proto tcp from <wired hosts block> to any port = 901 flags S keep state

# Allow in requests for Webmin server web page
pass in quick on em0 proto tcp from <wired hosts block> to any port = 10000 flags S keep state

# Allow in requests for TightVNC server 
pass in quick on em0 proto tcp from <wired hosts block> to any port = 5901 flags S keep state

# Allow in secure FTP, Telnet, and SCP 
# This function is using SSH (secure shell)
pass in quick on em0 proto tcp from <wired hosts block> to any port = 22 flags S keep state

# Allow in FTP active mode data channel from ftp server
pass in quick on em0 proto tcp from any to any port = 20 flags S keep state 

# Allow in Iperf network benchmark client requests
pass in quick on em0 proto tcp from <wired hosts block> to any port = 5001 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence avoids filling up disk with Denial of Service logs.
# This rule implements the default block.
block in log first quick on em0 all
################### End of rules file #####################################
```

Thanks for your time


----------



## roscoe (Dec 20, 2009)

*Same issue in 8.0-RELEASE*

Just upgraded from 7.2 to 8.0-RELEASE yesterday and have the same issue. I haven't recompiled all ports yet and am using misc/compat7x in the meantime.

After system startup every 5 minutes I can see the NetBIOS broadcast being blocked on port 137 in the firewall logs:


```
Dec 20 12:14:38 ipmon[968]: 12:14:38.083283 em0 @0:16 b 192.168.1.5,137 -> 192.168.1.255,137 PR udp len 20 78 OUT broadcast
Dec 20 12:19:47 ipmon[968]: 12:19:47.780238 em0 @0:16 b 192.168.1.5,137 -> 192.168.1.255,137 PR udp len 20 78 OUT broadcast
Dec 20 12:24:50 ipmon[968]: 12:24:49.485240 em0 @0:16 b 192.168.1.5,137 -> 192.168.1.255,137 PR udp len 20 78 OUT broadcast
```

However when I flush & reload the IPF rules table these messages go away.

Could this be a SAMBA bug, or an IPF bug?  Stumped.  Let me know if a packet capture would help.


----------

