#1
Prospect
Join Date: Nov 2003
Posts: 17
Hi and TIA,
I'm running Panther 10.3.2 on a B+W G3 300, in a small home network environment on a dialup internet connection. I have a couple of older Macs and a Win2000 Pro connected to the G3/Panther. The G3 shares printer and internet with all. I have DAVE 4.1.1 running on the G3 to network the Win2000. The techs at DAVE told me that in order to enable the firewall on the G3/Panther and still allow all services on the Win2000, I need to enable the following ports on the G3:
137 TCP and UDP
138 TCP and UDP
139 TCP and UDP
445 TCP and UDP
I created a new entry in the Mac Sharing/Firewall prefs panel that looks like this:
[checkbox checked] Dave Network Sharing (137, 138, 139, 445)
I was able to get all services to work using this method EXCEPT for internet sharing. After consulting http://ports.tantalo.net I find all of these ports have a TCP and UDP designation. Is there a way to designate BOTH TCP and UDP in the prefs entry? Or is there something else (Terminal?) that would include both designations for each port? Your help is much appreciated!!!!!
Last edited by random; 01-13-2004 at 04:38 PM.

#2
Moderator
Join Date: Jan 2002
Posts: 10,677
Nope. ipfw expects either a specific protocol (tcp, udp, icmp) or the entry of ip (or all) which means any protocol. Since ICMP doesn't allow for the use of ports, you would get an error trying to specify a port using ip or all. End result, you have to enter rules for TCP and rules for UDP separately.

#3
Prospect
Join Date: Nov 2003
Posts: 17
Yellow,
I appreciate your input. This is a bit over my head at this point but I gotta start somewhere. You say:
"Nope. ipfw expects either a specific protocol (tcp, udp, icmp) or the entry of ip (or all) which means any protocol."
ipfw? Do you mean the prefs pane?
"Since ICMP doesn't allow for the use of ports, you would get an error trying to specify a port using ip or all."
ICMP?
"End result, you have to enter rules for TCP and rules for UDP separately."
So how do I do this? "Enter rules for TCP and rules for UDP separately" would mean 2 rules (1 TCP + 1 UDP) for each port, as the DAVE tech instructed? Thanks for your patience.......

#4
Moderator
Join Date: Jan 2002
Posts: 10,677
The Pref pane is just a GUIfied frontend of ipfw (IP Firewall) that is built into your OS. Every change you make in the Pref pane is adding/modifying/removing a rule from ipfw. Try getting your firewall configured and running, then go to the Terminal and type:
sudo ipfw show
and you will see the rules that you have configured.
"Internet Control Message Protocol", just another way for computers to talk to each other. Most ICMP traffic consists of pings. Ping doesn't have a port (well, port 0, but no others); that's why you cannot use the 'any/ip' entry to cover what you want to do.
Now that I've actually looked at the Pref pane again (I prefer to control ipfw via the command line), I see yet another problem with its design. By default, the GUIfied control of the pref pane allows ALL UDP traffic to and from your machine (silly!). So this shouldn't be the problem that you are having: UDP traffic isn't being blocked. Remember that your original question was:
To which the answer was, no.

#5
Prospect
Join Date: Nov 2003
Posts: 17
Great, Yellow!!
I had been perusing Apple Knowledge Base articles and gotten nothing as clear and specific as the way you explained. In my original post I detailed what I configured via the GUI pref pane. At your suggestion, here is the output of Terminal for "sudo ipfw show":
Password:
02000 269955 14408840 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 10693 1994436 allow tcp from any to any out
02060 10235 3964243 allow tcp from any to any established
02070 0 0 allow tcp from any to any 548 in
02080 0 0 allow tcp from any to any 427 in
02090 0 0 allow tcp from any to any 137 in
02100 0 0 allow tcp from any to any 138 in
02110 0 0 allow tcp from any to any 139 in
02120 0 0 allow tcp from any to any 445 in
12190 22 1056 deny tcp from any to any
65535 1747 170859 allow ip from any to any
It appears that, as in my original post/question, I was able to get ports 137, 138, 139, 445 open on TCP via the GUI, but nothing open on UDP. Is this a correct assessment of the Terminal output? OR, should "in" be "from any to any" or something else? Again, this is my first step into ipfw. My objective is to get the Firewall up, sharing printer and internet and files btw Panther and Win2000 via ethernet. I struggled for nearly 2 weeks after installing Panther to get to this point of sharing all of the above via DAVE/ethernet. Sharing Internet is the last hurdle. Dave Tech said he was able to help no further than giving the TCP/UDP port #'s. Could he have been only partially correct? Thanks Yellow
Last edited by random; 01-13-2004 at 09:06 PM.

#6
Prospect
Join Date: Nov 2003
Posts: 17
BTW, this is the output of Port Scan in Network Utility:
Port Scan has started ...
Port Scanning host: 192.168.0.1
Open Port: 139 netbios-ssn
Open Port: 445 microsoft-ds
Open Port: 548 afpovertcp
Port Scan has completed ...
Terminal output seems more comprehensive, and Network Utility seems to have missed 137, 138!!

#7
Moderator
Join Date: Jan 2002
Posts: 10,677
I'm not entirely sure how DAVE allows a Mac and PC to talk (protocol-wise). You'll notice in your ipfw rules there that there is nothing about UDP. What you have there is allowing all UDP in and out, otherwise there would be a line in there that would look something like:
12191 0 0 deny udp from any to any
which you see is absent, so there's no UDP being blocked. As for the portscan, you might not see those ports appear if there's nothing (daemon/application) actively listening on them for a connection request. It may also be that those ports aren't used unless there's an actual DAVE connection. Part of my inability to really get to the root of the problem and help you out is my ignorance of DAVE. I have a vague notion of what it was used for back in the day (to get Macs and PCs talking to each other), but this isn't really necessary anymore since Mac OS X now incorporates Samba (a UNIX app to listen for/talk with Windows file sharing (SMB)) for file sharing. It may be that DAVE just isn't necessary.

#8
Prospect
Join Date: Nov 2003
Posts: 17
OK Yellow...
Your last post triggered something.... Though I don't know what all of the columns represent, when you said:
"otherwise there would be a line in there that would look something like: 12191 0 0 deny udp from any to any Which you see is absent, so there's no UDP being blocked. As for the portscan, you might not see those ports appear if there's nothing (daemon/application) actively listening on them for a connection request. It may also be that those ports aren't used unless theres an actual DAVE connection."
I realised that the first Terminal output was WITHOUT the Win2000 machine ON.... Here is the Terminal output WITH Win2000 on:
02000 272328 14568341 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 13575 2557178 allow tcp from any to any out
02060 12977 5011597 allow tcp from any to any established
02070 0 0 allow tcp from any to any 548 in
02080 0 0 allow tcp from any to any 427 in
02090 0 0 allow tcp from any to any 137 in
02100 0 0 allow tcp from any to any 138 in
02110 3 136 allow tcp from any to any 139 in
02120 0 0 allow tcp from any to any 445 in
12190 29 1392 deny tcp from any to any
65535 2666 260114 allow ip from any to any
I see a change in port 139....
Would this info below about the services that Dave is providing on these ports help you to take a guess as to the correct permissions? (from http://ports.tantalo.net/) Thanks again

port name     port  protocol  alias / note                                                   type  URL
------------  ----  --------  -------------------------------------------------------------  ----  ---------------------
              445   tcp       Direct Hosting of SMB over TCP/IP (MS Windows 2000 Services)   -     support.microsoft.com
              445   udp       Direct Hosting of SMB over TCP/IP (MS Windows 2000 Services)   -     support.microsoft.com
microsoft-ds  445   tcp       Microsoft-DS                                                   IANA
microsoft-ds  445   udp       Microsoft-DS                                                   IANA
------------  ----  --------  -------------------------------------------------------------  ----  ---------------------
              137   tcp       WINS Registration (MS Windows NT 4.0)                          -     support.microsoft.com
              137   udp       Logon Sequence (MS Windows NT 4.0)                             -     support.microsoft.com
              137   udp       Pass Through Validation (MS Windows NT 4.0)                    -     support.microsoft.com
              137   udp       Printing (MS Windows NT 4.0)                                   -     support.microsoft.com
              137   udp       Trusts (MS Windows NT 4.0)                                     -     support.microsoft.com
              137   udp       WinNT Secure Channel (MS Windows NT 4.0)                       -     support.microsoft.com
netbios-ns    137   tcp       NETBIOS Name Service                                           IANA
netbios-ns    137   udp       NETBIOS Name Service                                           IANA
------------  ----  --------  -------------------------------------------------------------  ----  ---------------------
              138   udp       Directory Replication (MS Windows NT 4.0)                      -     support.microsoft.com
              138   udp       Logon Sequence (MS Windows NT 4.0)                             -     support.microsoft.com
              138   udp       NetLogon (MS Windows NT 4.0)                                   -     support.microsoft.com
              138   udp       Pass Through Validation (MS Windows NT 4.0)                    -     support.microsoft.com
              138   udp       Printing (MS Windows NT 4.0)                                   -     support.microsoft.com
              138   udp       Trusts (MS Windows NT 4.0)                                     -     support.microsoft.com
              138   udp       WinNT Secure Channel (MS Windows NT 4.0)                       -     support.microsoft.com
netbios-dgm   138   tcp       NETBIOS Datagram Service                                       IANA
netbios-dgm   138   udp       NETBIOS Datagram Service                                       IANA
------------  ----  --------  -------------------------------------------------------------  ----  ---------------------
              139   tcp       Directory Replication (MS Windows NT 4.0)                      -     support.microsoft.com
              139   tcp       Event Viewer (MS Windows NT 4.0)                               -     support.microsoft.com
              139   tcp       File Sharing (MS Windows NT 4.0)                               -     support.microsoft.com
              139   tcp       Logon Sequence (MS Windows NT 4.0)                             -     support.microsoft.com
              139   tcp       Pass Through Validation (MS Windows NT 4.0)                    -     support.microsoft.com
              139   tcp       Performance Monitor (MS Windows NT 4.0)                        -     support.microsoft.com
              139   tcp       Printing (MS Windows NT 4.0)                                   -     support.microsoft.com
              139   tcp       Registry Editor (MS Windows NT 4.0)                            -     support.microsoft.com
              139   tcp       Server Manager (MS Windows NT 4.0)                             -     support.microsoft.com
              139   tcp       Trusts (MS Windows NT 4.0)                                     -     support.microsoft.com
              139   tcp       User Manager (MS Windows NT 4.0)                               -     support.microsoft.com
              139   tcp       WinNT Diagnostics (MS Windows NT 4.0)                          -     support.microsoft.com
              139   tcp       WinNT Secure Channel (MS Windows NT 4.0)                       -     support.microsoft.com
netbios-ssn   139   tcp       NETBIOS Session Service                                        IANA
netbios-ssn   139   udp       NETBIOS Session Service                                        IANA

#9
Moderator
Join Date: Jan 2002
Posts: 10,677
What you see is nothing more than a packet count (amount of packets this rule saw) and a byte count (size of packets this rule saw).
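As an added example (not from the thread, DAVE or Apple), here is a small Python reader for the "sudo ipfw show" listings in #5 and #8: it splits off the rule number, packet count and byte count yellow describes, then checks, for the four NetBIOS/SMB ports, whether tcp or udp is actually shut out (a catch-all deny with no port allow, like 12190 for tcp) and which port rules have counted packets. The sample text is the #8 listing, abridged; the second sample with a "deny udp" line is constructed to show what yellow said a blocked-UDP ruleset would look like.

```python
import re
from collections import namedtuple

# Constructed sample: the 'sudo ipfw show' listing posted in #8 (Win2000 on), abridged.
SAMPLE = """\
02000 272328 14568341 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02050 13575 2557178 allow tcp from any to any out
02060 12977 5011597 allow tcp from any to any established
02090 0 0 allow tcp from any to any 137 in
02100 0 0 allow tcp from any to any 138 in
02110 3 136 allow tcp from any to any 139 in
02120 0 0 allow tcp from any to any 445 in
12190 29 1392 deny tcp from any to any
65535 2666 260114 allow ip from any to any
"""
# Same listing plus the catch-all UDP deny yellow said would be present if UDP were blocked.
SAMPLE_UDP_DENY = SAMPLE.replace("65535", "12191 0 0 deny udp from any to any\n65535")
Rule = namedtuple("Rule", "number packets bytes action proto src dst port options")
# One line = rule number, packet count, byte count (the columns asked about in #9), rule body.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(allow|deny)\s+(\w+)\s+from\s+(\S+)"
                     r"\s+to\s+(\S+)(?:\s+(\d+))?(?:\s+(.*))?$")

def parse_ipfw_show(text):
    """Parse 'ipfw show' output, skipping non-rule lines such as the 'Password:' prompt."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, pk, by, action, proto, src, dst, port, opts = m.groups()
            rules.append(Rule(int(num), int(pk), int(by), action, proto, src, dst,
                              int(port) if port else None, opts or ""))
    return rules

def blanket_denies(rules):
    """Protocols denied from any to any with no port (rule 12190 does this for tcp)."""
    return {r.proto for r in rules
            if r.action == "deny" and r.port is None and r.src == r.dst == "any"}

def blocked_inbound(rules, ports, protos=("tcp", "udp")):
    """Per port: protocols blanket-denied with no explicit allow. Simplified: rule order is
    not simulated; it assumes the GUI layout above (port allows before the catch-all deny)."""
    denied = blanket_denies(rules)
    allowed = {(r.port, r.proto) for r in rules if r.action == "allow" and r.port}
    return {p: {x for x in protos if (x in denied or "ip" in denied)
                and (p, x) not in allowed} for p in ports}

def ports_with_traffic(rules, ports):
    """Ports whose allow rule has counted packets (only 139 in the #8 listing)."""
    return {r.port for r in rules if r.port in ports and r.packets > 0}
```

Run against the real listing, blocked_inbound() returns an empty set for every port, which is yellow's conclusion: TCP is allowed on 137-139 and 445 by explicit rules and UDP is never denied at all.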

#10
Prospect
Join Date: Nov 2003
Posts: 17
Thanks for all of your effort.........
I resorted to DAVE to get eth working since I was getting nowhere with Apple networking in Panther (Have you seen the # of people with the same problems @ Apple Discussions?) I got this close as a result..... Till I can get further, I've learned a LOT talking with you!!!! Thank you so much.... I'll keep trying )

#11
Moderator
Join Date: Jan 2002
Posts: 10,677
Are you just trying to use your Mac to share its ethernet connection for your PC?

#12
Prospect
Join Date: Nov 2003
Posts: 17
Yes, .... Mac G3 Panther w/ dialup modem, printer....
I want to keep the Win2000 machine behind a firewall (Mac G3 Panther) and share files and internet connection (again, G3 Panther).... with the other Macs in my ethernet....

#13
Moderator
Join Date: Jan 2002
Posts: 10,677
I see.. your PC is plugged into your Mac via ethernet cable and your Mac dials out on its modem for internet? And you've turned on "Internet Sharing"?

#14
Prospect
Join Date: Nov 2003
Posts: 17
Exactly..... The Mac provides everything to all others on the eth..... Sharing is on and everything that is normally needed is set up.... only now, since I upgraded from Jag to Panther, like quite a few others, my network which was previously working in Jag no longer would reliably work. So I went to DAVE.
For a look at the problems that I was having before loading DAVE, and am still having a tough time with, check out this link: http://discussions.info.apple.com/We...5U.4@.599ed644 Dave has since helped a lot, but in Jag I didn't need it...... Thanks Yellow

#15
Moderator
Join Date: Jan 2002
Posts: 10,677
Ahhh.. and how did you Upgrade to Panther? By that I mean, did you "Upgrade" to Panther, or did you do an "Archive and Install" of Panther?

#16
Prospect
Join Date: Nov 2003
Posts: 17
yellow....
I'm embarrassed to say that I did an "Upgrade", not an Archive and Install. If it were possible to "Upgrade" back to Jag and then do it over, I would do it differently. Somehow I missed all of the warnings. What hell 20/20 hindsight is!! ahhh hem.

#17
Moderator
Join Date: Jan 2002
Posts: 10,677
I too did an "Upgrade" the day Panther came out, did a little web checking and noticed that indeed, things were missing. 1 day later I did an "Archive and Install".
You can still do an "Archive and Install" preserving your Users and Network settings.. though I think the Network settings might be something you want to nuke. Nothing gets erased in an "Archive and Install"; it all gets moved to a "/Previous System" directory. !!As always, it's a good idea to back up first!!
Last edited by yellow; 01-14-2004 at 12:34 AM.

#18
Prospect
Join Date: Nov 2003
Posts: 17
AHHHHHH!!!!!!! So what about 3rd party apps? Any other considerations? Has anyone documented the best step by step procedure/practice? This sounds like a rare second chance in life!!!
Did you have any other unexpected problems?