Hello,

samba v3.0.7 on suse linux v9.1
os/2 v4.x

I have started the process of replacing our os/2 hosts with linux, starting with the server(s). Most of the problems have been firewall related, a topic only briefly discussed in the docs (nudge).

Some of the hosts can now interact with the linux samba shares; not all though. I have run ip traces and have gotten to a point that is a bit mysterious.

When the firewall is stopped, all of the os/2 hosts can use the linux server. When the firewall is up, ARP information for some hosts is blocked.

I obviously suspect a firewall problem: firewall down, it works; firewall up, no work. Does a firewall normally mess with arp?

Any ideas about what may be actually happening here?

====[ working exchange (firewall down) ]===
23:08:16.031596 IP 192.168.69.201.netbios-ns > 192.168.69.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:08:16.031870 IP sma-server2.sma.com.netbios-ns > 192.168.69.201.netbios-ns: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
23:08:16.032579 IP sma-server2.sma.com.dab-sti-c > sma-server1.sma.com.domain: 39939+ PTR? 255.69.168.192.in-addr.arpa. (45)
23:08:16.032812 IP sma-server1.sma.com.domain > sma-server2.sma.com.dab-sti-c: 39939 NXDomain* 0/1/0 (125)
23:08:16.032963 IP sma-server2.sma.com.dab-sti-c > sma-server1.sma.com.domain: 39940+ PTR? 201.69.168.192.in-addr.arpa. (45)
23:08:16.033129 IP sma-server1.sma.com.domain > sma-server2.sma.com.dab-sti-c: 39940 NXDomain* 0/1/0 (125)
23:08:16.033318 IP sma-server2.sma.com.dab-sti-c > sma-server1.sma.com.domain: 39941+ PTR? 249.69.168.192.in-addr.arpa. (45)
23:08:16.033518 IP sma-server1.sma.com.domain > sma-server2.sma.com.dab-sti-c: 39941* 1/1/1 (131)
23:08:16.037441 arp who-has sma-server2.sma.com tell 192.168.69.201
23:08:16.037459 arp reply sma-server2.sma.com is-at 00:e0:81:2a:fb:20

====[ non-working exchange (firewall up) ]===
23:07:32.804324 IP 192.168.69.201.netbios-ns > 192.168.69.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:07:32.805138 IP sma-server2.sma.com.dab-sti-c > sma-server1.sma.com.domain: 43537+ PTR? 255.69.168.192.in-addr.arpa. (45)
23:07:32.805378 IP sma-server1.sma.com.domain > sma-server2.sma.com.dab-sti-c: 43537 NXDomain* 0/1/0 (125)
23:07:32.805559 IP sma-server2.sma.com.dab-sti-c > sma-server1.sma.com.domain: 43538+ PTR? 201.69.168.192.in-addr.arpa. (45)
23:07:32.805726 IP sma-server1.sma.com.domain > sma-server2.sma.com.dab-sti-c: 43538 NXDomain* 0/1/0 (125)
23:07:32.805874 IP sma-server2.sma.com.dab-sti-c > sma-server1.sma.com.domain: 43539+ PTR? 249.69.168.192.in-addr.arpa. (45)
23:07:32.806075 IP sma-server1.sma.com.domain > sma-server2.sma.com.dab-sti-c: 43539* 1/1/1 (131)
23:07:33.351994 IP 192.168.69.201.netbios-ns > 192.168.69.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:07:33.901577 IP 192.168.69.201.netbios-ns > 192.168.69.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

--
jimoe at sohnen-moe dot com
> Does a firewall normally mess with arp?

In a typical setup, yes. Layer 3 devices usually will not forward arps (or any broadcast traffic for that matter) received on an interface out the others. You would have to use proxy arping on the firewall or similar if you required this to happen. The better way to go about it I suspect is to use a WINS service.

take care,
greg
greg wrote:

> > Does a firewall normally mess with arp?
>
> In a typical setup, yes. Layer 3 devices usually will not forward arps (or any broadcast traffic for that matter) received on an interface out the others. You would have to use proxy arping on the firewall or similar if you required this to happen. The better way to go about it I suspect is to use a WINS service.
>

Maybe. What is proxy arp'ing?

But that does not really answer my question which, upon reflection, may not have been clear. What port is the firewall blocking? In the Suse firewall config file there is:

FW_SERVICES_EXT_TCP="139 445 760 http https imap imaps nfs smtp ssh"
FW_SERVICES_EXT_UDP="137 138 760 788:799 nfs 111"

Yet when I attempt to access the linux server, I find this in the messages log:

Oct 31 16:52:34 sma-server2 kernel: SFW2-DROP-BCASTe IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:ff:29:24:34:08:00 SRC=192.168.69.201 DST=192.168.69.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=140 PROTO=UDP SPT=137 DPT=137 LEN=58

00:03:ff:29:24:34/192.168.69.201 is the MAC/IP of the host requesting info. The firewall dropped the broadcast packet even though the firewall is configured to allow it.

Am I reading the logs correctly?

--
jimoe at sohnen-moe dot com
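A small checker, added here as an example and not part of the thread, that parses the SFW2 kernel log line and the FW_SERVICES_EXT_UDP value quoted above and answers the closing question: the destination port 137 is in the allowed UDP list, but the frame is a link-layer broadcast and the rule prefix names the broadcast-drop chain, so the per-service allow rule never applied to it. The nfs-to-2049 service mapping is an assumption; the config and log strings are copies of the ones in the message.

```python
import re

# Constructed copies of the config value and kernel log line quoted in the thread.
FW_SERVICES_EXT_UDP = "137 138 760 788:799 nfs 111"
LOG_LINE = ("Oct 31 16:52:34 sma-server2 kernel: SFW2-DROP-BCASTe IN=eth1 OUT= "
            "MAC=ff:ff:ff:ff:ff:ff:00:03:ff:29:24:34:08:00 SRC=192.168.69.201 "
            "DST=192.168.69.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=140 "
            "PROTO=UDP SPT=137 DPT=137 LEN=58")

# Assumed mapping for the one service name in the UDP list (the usual /etc/services port).
SERVICE_PORTS = {"nfs": 2049}

def parse_port_list(spec):
    """Expand a FW_SERVICES_* value such as "137 788:799 nfs" into a set of port numbers."""
    ports = set()
    for tok in spec.split():
        if ":" in tok:                        # lo:hi range, inclusive on both ends
            lo, hi = (int(x) for x in tok.split(":", 1))
            ports.update(range(lo, hi + 1))
        elif tok.isdigit():
            ports.add(int(tok))
        else:                                 # service name
            ports.add(SERVICE_PORTS[tok])
    return ports

def parse_netfilter_log(line):
    """Return the LOG rule prefix and the KEY=VALUE fields of a kernel log entry."""
    prefix, rest = re.search(r"kernel: (\S+) (.*)$", line).groups()
    # LEN appears twice (IP total length, then UDP length); dict() keeps the second.
    return prefix, dict(re.findall(r"(\w+)=(\S*)", rest))

def explain_drop(line, udp_spec):
    """Correlate one SFW2 drop with the allowed-UDP list and the frame's broadcast bits."""
    prefix, f = parse_netfilter_log(line)
    octets = f["MAC"].split(":")              # dst MAC (6), src MAC (6), ethertype (2)
    dst_mac, src_mac = ":".join(octets[:6]), ":".join(octets[6:12])
    dport = int(f["DPT"])
    return {
        "prefix": prefix,
        "src": f"{src_mac}/{f['SRC']}",
        "dport": dport,
        # The port is in FW_SERVICES_EXT_UDP, so a per-service rule would have accepted it...
        "service_allowed": f["PROTO"] == "UDP" and dport in parse_port_list(udp_spec),
        # ...but the frame is a link-layer broadcast and the prefix names the broadcast
        # chain, so the drop came from broadcast handling, not from the service rules.
        "broadcast": dst_mac == "ff:ff:ff:ff:ff:ff",
        "dropped_by_broadcast_chain": prefix.startswith("SFW2-DROP-BCAST"),
    }

if __name__ == "__main__":
    for key, value in explain_drop(LOG_LINE, FW_SERVICES_EXT_UDP).items():
        print(f"{key:27} {value}")
```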