Hi list,

I have a delicate problem with my groupserver running Solaris 8 and Samba 2.2.7a.

On the same net where the server resides, let's call it 192.168.0.X, there is no problem with SMB access from any client, Unix or WinXP. But from another net, divided from the internal one by an ip-filter based FW, let's call that other net 192.168.1.X, the packets seem to pass our server completely.

When I sniff on my internal net as well as the external one I can see packets pass through the FW. The rules in this FW are set to (quote):

# allow samba from dmz to smb-server
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 135 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 137 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 138 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 139 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 445 keep state

pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 135 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 137 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 138 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 139 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 445 keep state

Unquote

To make the problem a little bit more delicate, the clients on the DMZ are passing through another FW from Check Point using their VPN client software SecuRemote. The clients show up with the IP address supplied by their respective ISP. They have no problem accessing the POP3/IMAP server on the same host as the smb-server. They can access the Web server as well.

In my smb.conf I have set the following:

Workgroup = MYOFFICE
Netbios name = GROUPSERVER
security = user
encrypt passwords = Yes
domain master = yes
socket address = 192.168.0.123
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Göran

Hey you,

on the FW you pass to 192.168.1.123 but your Samba is 192.168.0.123. Set it correctly!

Bye.

----- Original Message -----
From: "Göran Höglund" <goran.hoglund@telemar.se>
To: <samba@lists.samba.org>
Sent: Wednesday, May 07, 2003 10:44 AM
Subject: [Samba] Problems with firewalls and samba.

Hi,

It seems I explained my situation a little bit badly... I do a NAT from 192.168.1.123 to 192.168.0.123 in my FW (sorry, I missed that information). I can see some of the packets on both sides of the FW but not those that I expect.

And as I mentioned, the SMTP server as well as the Web and POP3 server are reached without any problem.

I somehow guess this is a routing problem, but I cannot see where.

Göran

-----Original Message-----
From: samba-bounces+jkajau=ziscosteel.co.zw@lists.samba.org [mailto:samba-bounces+jkajau=ziscosteel.co.zw@lists.samba.org] On behalf of Marian Mlcoch, Ing
Sent: 7 May 2003 15:02
To: Göran Höglund; samba@lists.samba.org
Subject: Re: [Samba] Problems with firewalls and samba.

Try to connect to Samba by IP address, not NetBIOS name, from a PC behind the FW:

net use x: \\192.168.0.123
or
net view \\192.168.0.123
or
cd \\192.168.0.123 (in Windows Commander)

When that works and you need to connect with the NetBIOS name, you must set up a WINS server and use it on all PCs, or try using an lmhosts file on the remote PCs.

Bye.

PS> When you connect to SMTP, what IP do you use? Try this IP in the commands above. Why use NAT?

----- Original Message -----
From: "Göran Höglund" <goran.hoglund@telemar.se>
To: <samba@lists.samba.org>
Sent: Wednesday, May 07, 2003 3:07 PM
Subject: RE: [Samba] Problems with firewalls and samba.
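
Added example, not part of any message in this thread: a small audit of the posted ipf rules that separates the protocol/port pairs an SMB server listens on from the surplus ones, and flags rules whose destination is not the address in `socket address`. It assumes the NAT is done on the same IPFilter host and that the listener set is the usual NetBIOS/SMB one; `audit`, `SMB_SERVICES` and `RULE_RE` are names made up for the example.

```python
import re

# The ten rules posted in the thread, regenerated instead of retyped.
# ipf expects a comparison operator after "port"; the parser tolerates its absence.
RULES = "\n".join(
    f"pass in log quick on le0 proto {proto} from any "
    f"to 192.168.1.123/32 port = {port} keep state"
    for proto in ("tcp", "udp") for port in (135, 137, 138, 139, 445))

# Assumed listener set: NetBIOS name service and datagrams (nmbd),
# NetBIOS session service (smbd), and direct-hosted SMB on 445/tcp.
SMB_SERVICES = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

RULE_RE = re.compile(
    r"pass in .*?proto (?P<proto>tcp|udp) from (?P<src>\S+) "
    r"to (?P<dst>[\d.]+)(?:/\d+)? port =? ?(?P<port>\d+)")


def audit(rules, listen_addr):
    """Return (needed, surplus, wrong_dst, open_src) lists of (proto, port)."""
    needed, surplus, wrong_dst, open_src = [], [], [], []
    for line in rules.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # comments, blank lines, non-pass rules
        key = (m["proto"], int(m["port"]))
        (needed if key in SMB_SERVICES else surplus).append(key)
        # Assumption: the NAT is an ipnat rdr on this IPFilter host.
        # IPFilter translates inbound packets before it filters them,
        # so the rule then has to name the translated address.
        if m["dst"] != listen_addr:
            wrong_dst.append(key)
        if m["src"] == "any":
            open_src.append(key)  # no source restriction at all
    return needed, surplus, wrong_dst, open_src


if __name__ == "__main__":
    needed, surplus, wrong_dst, open_src = audit(RULES, "192.168.0.123")
    print("needed for SMB:     ", sorted(needed))
    print("surplus, can close: ", sorted(surplus))
    print("dst != socket addr: ", len(wrong_dst), "rules")
    print("source is 'any':    ", len(open_src), "rules")
```
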