Now with firewalld, opening up ports is 'better' done by opening services. So what do I need? For starters it seems:

dns, dhcp, dhcpv6, samba, kerberos

Here is the list of services:

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap
ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy
pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client
smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

I will only be running one AD, but a number of file servers (which in Samba4 are really DCs without some services?).

thanks
On 27/08/15 05:20, Robert Moskowitz wrote:
> Now with firewalld, opening up ports is now 'better' done by opening
> services. So what do I need, for starters it seems:
>
> dns, dhcp, dhcpv6, samba, kerberos
>
> Here is the list of services:
>
> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
> ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap
> ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy
> pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client
> smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

I would have thought the easiest way to get a list of ports you need is to start everything, and then use netstat to list the listening ones.

> I will only be running one AD, but a number of file servers (which in
> Samba4 are really DCs without some services?) .

Nope, a fileserver is not a DC without some services. A fileserver, print server, member server or a Unix client are all basically the same thing, and you should follow the instructions on the member server wiki page:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland

> thanks
On 08/27/2015 03:29 AM, Rowland Penny wrote:
> On 27/08/15 05:20, Robert Moskowitz wrote:
>> Now with firewalld, opening up ports is now 'better' done by opening
>> services. So what do I need, for starters it seems:
>>
>> dns, dhcp, dhcpv6, samba, kerberos
>>
>> Here is the list of services:
>>
>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
>> ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap
>> ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy
>> pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client
>> smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
>
> I would have thought the easiest way to get a list of ports you need
> is to start everything, and then use netstat to list the listening ones

Firewalld supports port level control, and there was a nice post that I found here with a search that had the iptables for those ports, nicely annotated. But firewalld introduces this 'service' concept, and I would like to use it where possible. I will have to ask this of the firewalld developers, most likely, if no one here has already dealt with this.

>> I will only be running one AD, but a number of file servers (which in
>> Samba4 are really DCs without some services?) .
>
> Nope, a fileserver is not a DC without some services, a fileserver,
> print server, member server or a Unix client are all basically the
> same thing and you should follow the instructions on the member server
> wiki page:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

I had not gotten that far along in my reading. :) Thanks for the information.
The services and their port numbers and protocols are defined in /etc/services. You should be able to use that file to map from port numbers to services if you want to use the service names instead. This is not something new with firewalld; iptables has had this option forever as well.

On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> Now with firewalld, opening up ports is now 'better' done by opening
> services. So what do I need, for starters it seems:
>
> dns, dhcp, dhcpv6, samba, kerberos
>
> Here is the list of services:
>
> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
> ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap
> ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy
> pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client
> smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
>
> I will only be running one AD, but a number of file servers (which in
> Samba4 are really DCs without some services?) .
>
> thanks
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 08/27/2015 08:01 AM, Ryan Bair wrote:
> The services and their port numbers and protocols are defined in
> /etc/services. You should be able to use that file to map from port
> numbers to services if you want to use the service names instead. This
> is not something new with firewalld, iptables has had this option
> forever as well.

If that is all they are doing.... But I don't think so. I mean, what ports do the services 'samba' and 'samba-client' map to? Even 'smb' is not a listed service in /etc/services. Nor is port 135. And what about Kerberos Password (464)?

Since for some of us firewalld is part of the OS landscape, it is worthwhile to work all this out and document it, and hopefully to add it to the wiki, so next year when someone new comes along we can say, "read the wiki on it". In fact, for those running iptables, it would be good to capture the iptables entries instead of having to do a search of this mailing list.

Now on to reading more on firewalld 'services'!
After reading this thread.. and ..seeing the comments..

I googled a bit around. and yes.. more than 5 sec.. ;-)

I wonder why almost every "centos/redhat/rpm based" howto removes firewalld with the base iptables service.
Now, I'm not "pro" systemd or con systemd, I use it, but I set my firewall with ufw, which is much more flexible in my opinion.
I just don't care about how it starts.. as long as it works..

So I found this one..
http://www.certdepot.net/rhel7-get-started-firewalld/
Looks very nice, it explains all.

Based on that, how to create a "samba4-ad" service with multiple ports in it, or better, split it up into..
samba4-kerberos
samba4-smbd
samba4-nmbd
etc..

The only thing I can't see there in the "HAProxy example" is that you can add multiple "port / protocols" in there. That's up to you, but I think you will manage that.

.. side note..
Firewalling is not really a samba topic.. but we are all (yes, Rowland too) happy to help you.. ;-)
Rowland is just not a "fan" of systemd.. ROFL...

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Bair
> Sent: Thursday, 27 August 2015 14:01
> To: Robert Moskowitz
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD firewalld services
>
> The services and their port numbers and protocols are defined in
> /etc/services. You should be able to use that file to map from
> port numbers to services if you want to use the service names instead.
> This is not something new with firewalld, iptables has had this option
> forever as well.
On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
> After reading this thread.. and ..seeing the comments..
>
> I googled a bit around. and yes.. more than 5 sec.. ;-)
>
> I wonder why almost every "centos/redhat/rpm based" howto removes firewalld with the base iptables service
> now, i'm not "pro" systemd or con systemd, i use it but i set my firewall with ufw,
> which is much more flexible in my opinion.
> I just dont care about how it starts.. as long as it works..
>
> so i found this one..
> http://www.certdepot.net/rhel7-get-started-firewalld/
> looks very nice, it explains all.

Your search foo is greater than mine. But I have a long track record of a very low foo rating on my searches.

Yes. All pointed out there. I see what I need in /usr/lib/firewalld/services

> base on that, howto create a "samba4-ad" service with multiple ports in it.
> or better, split it up in to..
> samba4-kerberos
> samba4-smbd
> samba4-nmbd
> etc..
>
> The only thing i cant see there in the "HAProxy example" is you can
> add multiple "port / protocols" in there.
> thats up to you.
>
> but i think you will manage that.
>
> .. side note..
> Firewalling is not really a samba topic.. but we are all (yes Rowland too) happy to help you..
> ;-) Rowland is just not a "fan" of systemd.. ROFL...

Yet it needs to be covered in the Wiki. Just like DNS is.

Once upon a time I did a lot of my own firewalling. Worked a lot with Shorewall on a Centos 3? server. Going to have to dust off some old skills here.

> Greetz,
>
> Louis

thanks
Yes, I have a good google track record.. ;-)

On that site, read carefully..

> With the Firewalld package, the firewall configuration of the main services (ftp, httpd, etc) comes in the /usr/lib/firewalld/services directory.
> But it is still possible to add new ones in the /etc/firewalld/services directory.
> Also, if files exist at both locations for the same service, the file in the
> /etc/firewalld/services directory takes precedence.

So DON'T touch the content of /usr/lib/firewalld/services. Copy it (or some of it) and add it in /etc/firewalld/services, and make your changes there..
If you touch content in /usr/lib/firewalld/services you may lose it with an update.

Greetz,

Louis

> -----Original message-----
> From: Robert Moskowitz [mailto:rgm at htt-consult.com]
> Sent: Thursday, 27 August 2015 15:06
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Samba AD firewalld services
>
> Your search foo is greater than mine. But I have a long track record of
> a very low foo rating on my searches.
>
> Yes. All pointed out there. I see what I need in
> /usr/lib/firewalld/services
Progress...

On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
> After reading this thread.. and ..seeing the comments..
>
> I googled a bit around. and yes.. more than 5 sec.. ;-)
>
> I wonder why almost every "centos/redhat/rpm based" howto removes firewalld with the base iptables service
> now, i'm not "pro" systemd or con systemd, i use it but i set my firewall with ufw,
> which is much more flexible in my opinion.
> I just dont care about how it starts.. as long as it works..
>
> so i found this one..
> http://www.certdepot.net/rhel7-get-started-firewalld/
> looks very nice, it explains all.
> base on that, howto create a "samba4-ad" service with multiple ports in it.
> or better, split it up in to..
> samba4-kerberos
> samba4-smbd
> samba4-nmbd
> etc..

I have looked at the actual /usr/lib/firewalld/services xml files and find that I should use:

samba
kerberos
kpasswd
dns
ldap
ldaps

And I need to create services for tcp ports 135 (rpc) and 3268 (MS Global Catalog), or just do those as ports.

Still to be worked out: what about ldap and ldaps over udp? And do I need a rule for port 1024?

thanks

> The only thing i cant see there in the "HAProxy example" is you can
> add multiple "port / protocols" in there.
> thats up to you.
>
> but i think you will manage that.
>
> .. side note..
> Firewalling is not really a samba topic.. but we are all (yes Rowland too) happy to help you..
> ;-) Rowland is just not a "fan" of systemd.. ROFL...
>
> Greetz,
>
> Louis
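Putting Louis's precedence note and Robert's port list together, here is an added example (not code from the thread, Samba or firewalld): a POSIX shell script that writes a custom service definition for the two AD DC ports that have no stock firewalld service (135/tcp and 3268/tcp) into /etc/firewalld/services, where it overrides any same-named file in /usr/lib/firewalld/services and survives package updates, and that shows which file firewalld would pick. The service name samba-ad-dc and the FIREWALLD_ETC / FIREWALLD_LIB variables are my own assumptions, overridable for testing.

```shell
#!/bin/sh
# Added example (not from the thread): custom firewalld service for the AD DC
# ports without a stock service (135/tcp RPC endpoint mapper, 3268/tcp Global
# Catalog). The /etc copy wins over /usr/lib, so edits there are not lost on
# update. Service name and directory variables are our own choices.

# Which definition wins for a service name: /etc is checked before /usr/lib.
resolve_service_file() {
    for dir in "${FIREWALLD_ETC:-/etc/firewalld/services}" \
               "${FIREWALLD_LIB:-/usr/lib/firewalld/services}"; do
        if [ -f "$dir/$1.xml" ]; then
            printf '%s\n' "$dir/$1.xml"
            return 0
        fi
    done
    return 1
}

# Write <name>.xml in firewalld's service format under the /etc directory.
# $1 = service name, $2 = description, $3 = space-separated "port/proto" list.
write_service_file() {
    dir=${FIREWALLD_ETC:-/etc/firewalld/services}
    mkdir -p "$dir"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$1" "$2"
        for p in $3; do
            # ${p%/*} is the port number, ${p#*/} the protocol
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</service>\n'
    } > "$dir/$1.xml"
}

# Print the port/protocol pairs a service file opens, one per line.
list_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1"
}

# Apply for real (as root): the stock services Robert identified plus ours.
if [ "${1:-}" = "install" ]; then
    write_service_file samba-ad-dc \
        "Samba AD DC extras: RPC endpoint mapper and Global Catalog" \
        "135/tcp 3268/tcp"
    firewall-cmd --reload                  # let firewalld see the new file
    for s in samba kerberos kpasswd dns ldap ldaps samba-ad-dc; do
        firewall-cmd --permanent --add-service="$s"
    done
    firewall-cmd --reload                  # activate the permanent config
fi
```

Run it as `sh samba-ad-firewalld.sh install` on the DC; without the argument it only defines the functions, so the file can be sourced to inspect what a service opens.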
On 27/08/15 13:50, L.P.H. van Belle wrote:
> After reading this thread.. and ..seeing the comments..
>
> I googled a bit around. and yes.. more than 5 sec.. ;-)
>
> I wonder why almost every "centos/redhat/rpm based" howto removes firewalld with the base iptables service

Now here's a funny thing, I was searching the samba wiki for 'firewall' and found there is a page on setting up samba4 on centos 7; about half way down that page is this:

    This post setup will configure the services to startup and disable Selinux and Firewall, during my tests firewalld did not save the allowed ports, even with permanent flag, so I've decided to disable to avoid problems.

So even on the samba wiki, you are advised to turn off firewalld :-D

Rowland

> now, i'm not "pro" systemd or con systemd, i use it but i set my firewall with ufw,
> which is much more flexible in my opinion.
> I just dont care about how it starts.. as long as it works..
>
> so i found this one..
> http://www.certdepot.net/rhel7-get-started-firewalld/
> looks very nice, it explains all.
> base on that, howto create a "samba4-ad" service with multiple ports in it.
> or better, split it up in to..
> samba4-kerberos
> samba4-smbd
> samba4-nmbd
> etc..
>
> The only thing i cant see there in the "HAProxy example" is you can
> add multiple "port / protocols" in there.
> thats up to you.
>
> but i think you will manage that.
>
> .. side note..
> Firewalling is not really a samba topic.. but we are all (yes Rowland too) happy to help you..
> ;-) Rowland is just not a "fan" of systemd.. ROFL...
>
> Greetz,
>
> Louis