Good Morning Everyone,
I have a server that runs Shorewall/Samba/PPTP (Poptop). When we try to
connect to the PPTP server from outside of the company, the Windows XP pro
client can establish the connection. We can then ping the server and the
clients behind the server without any problem, but the issue becomes that we
cannot map to any of the shares on the samba server or to any client for
that matter. While the clients are not that important - it is important to
be able to map to the Samba box.
If anyone could offer some advice as to how to solve this dilemma it would
be greatly appreciated.
Sincerely,
Bruce P. Morin
Here are our Shorewall settings:
Tunnels File:
#TYPE ZONE GATEWAY GATEWAY ZONE
pptpserver net
******************************************
Interfaces File:
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect routefilter,norfc1918,tcpflags
loc eth0 detect tcpflags
vpn ppp+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
*****************************************
Zone File:
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
vpn VPN Remote Users
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
******************************************
Policy File:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc fw ACCEPT
vpn fw ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
*****************************************
Rules File:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT net fw tcp 10000
ACCEPT net fw udp 10000
ACCEPT vpn fw tcp 1723
ACCEPT vpn fw 47 -
ACCEPT fw vpn 47 -
# Accept SMB connection from the network to the Firewall
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139,445
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139,445
ACCEPT loc fw udp 1024: 137
ACCEPT fw vpn udp 137:139
ACCEPT fw vpn tcp 137,139,445
ACCEPT fw vpn udp 1024: 137
ACCEPT vpn fw udp 137:139
ACCEPT vpn fw tcp 137,139,445
ACCEPT vpn fw udp 1024: 137
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Accept SSH connections from the Internet
ACCEPT net fw tcp 22
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
ACCEPT vpn loc icmp 8
ACCEPT loc vpn icmp 8
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
*******************************************
Lastly, here are our smb.conf Global and IPC$ settings:
# Global parameters
[global]
workgroup = TRCOFFICE.COM
netbios name = T1200
#interfaces = eth0
#bind interfaces only = Yes
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
pam password change = Yes
passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n *Password*changed*
unix password sync = Yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
domain master = Yes
preferred master = Yes
wins support = Yes
utmp = Yes
winbind use default domain = Yes
map acl inherit = Yes
printing = cups
veto files = /*.eml/*.nws/*.{*}/
password server = None
username map = /etc/samba/smbusers
veto oplock files = /*.doc/*.xls/*.mdb/
[IPC$]
path = /tmp
hosts allow = 192.168.1.0/24, 127.0.0.1
hosts deny = 0.0.0.0/0
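The [IPC$] stanza above admits clients by address, and Windows clients use IPC$ for share enumeration, so it matters for mapping. As an added example (not from the thread), this script mirrors Samba's documented hosts allow / hosts deny precedence so an administrator can check which client addresses the stanza admits; the PPTP client address 10.0.0.20 is a constructed assumption, since the thread does not say which range pppd assigns.

```python
import ipaddress

# [IPC$] restrictions copied from the smb.conf posted above.
IPC_HOSTS_ALLOW = "192.168.1.0/24, 127.0.0.1"
IPC_HOSTS_DENY = "0.0.0.0/0"

def _parse_hosts(value):
    """Turn a Samba hosts allow/deny list into network objects.

    Covers the forms used in the thread: CIDR, a bare address (a /32) and
    comma- or space-separated lists; Samba's other spellings are not handled.
    """
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def ipc_access(client_ip, allow=IPC_HOSTS_ALLOW, deny=IPC_HOSTS_DENY):
    """True if Samba would admit client_ip to the share.

    Samba's documented precedence: a hosts allow match admits the client
    even if hosts deny also matches; otherwise a hosts deny match rejects;
    a client matched by neither list is admitted.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in _parse_hosts(allow)):
        return True
    if any(ip in net for net in _parse_hosts(deny)):
        return False
    return True

def audit(clients):
    """Verdict per candidate client address."""
    return {c: ipc_access(c) for c in clients}

if __name__ == "__main__":
    # Constructed sample clients: a LAN host on eth0, the firewall itself,
    # and a PPTP client whose pppd-assigned address is assumed (the thread
    # does not say which range pppd hands out) to lie outside the LAN.
    for client, ok in audit(["192.168.1.50", "127.0.0.1", "10.0.0.20"]).items():
        print(f"{client:>14}  IPC$ {'allowed' if ok else 'denied'}")
```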
Bruce P. Morin wrote:
> Good Morning Everyone,
>
> I have a server that runs Shorewall/Samba/PPTP (Poptop). When we try to
> connect to the PPTP server from outside of the company, the Windows XP pro
> client can establish the connection. We can then ping the server and the
> clients behind the server without any problem, but the issue becomes that we
> cannot map to any of the shares on the samba server or to any client for
> that matter. While the clients are not that important - it is important to
> be able to map to the Samba box.
>
> If anyone could offer some advice as to how to solve this dilemma it would
> be greatly appreciated.
>

First, put your rules and policies back the way that they should be (I
assume that you have been blindly adding ACCEPT policies trying to make this
work -- otherwise, you have a lot of superfluous rules).

Second, get rid of these rules unless you really want to create tunnels
within tunnels.

> ACCEPT vpn fw tcp 1723
> ACCEPT vpn fw 47 -
> ACCEPT fw vpn 47 -

Third, check your pppd configuration to make sure that you have specified a
local IP address of the firewall in your 'ms-wins' specification -- ipconfig
/all on one of the XP Pro boxes will tell you when you get that right.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
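Tom's point about superfluous rules can be checked mechanically: Shorewall consults the rules file before the policy file, so an ACCEPT rule between two zones that already have an ACCEPT policy changes nothing. This added script (not part of the thread or of Shorewall) parses constructed excerpts of the policy and rules files posted above and lists the rules the policies already cover.

```python
# Constructed excerpts of the policy and rules files posted in the thread.
POLICY = """\
loc net ACCEPT
loc fw ACCEPT
vpn fw ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
"""
RULES = """\
ACCEPT fw net tcp 53
ACCEPT loc fw tcp 53
ACCEPT net fw tcp 10000
ACCEPT vpn fw tcp 1723
ACCEPT vpn fw 47 -
ACCEPT fw vpn 47 -
ACCEPT fw loc udp 137:139
ACCEPT vpn fw tcp 137,139,445
ACCEPT net fw tcp 22
"""

def _fields(line):
    """Whitespace-split a config line after dropping any trailing comment."""
    return line.split("#", 1)[0].split()

def parse_policies(text):
    """(SOURCE, DEST, POLICY) triples in file order; blank/comment lines skipped."""
    return [(f[0], f[1], f[2].upper())
            for f in map(_fields, text.splitlines()) if len(f) >= 3]

def effective_policy(policies, src, dst):
    """First matching policy wins, as in Shorewall; 'all' is a wildcard zone."""
    for psrc, pdst, pol in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return pol
    return None

def superfluous_rules(policy_text, rules_text):
    """ACCEPT rules whose zone pair already falls under an ACCEPT policy.

    Such a rule (one with no log level or rate limit of its own) changes
    nothing; it only hides the firewall's real exposure in a longer file."""
    policies = parse_policies(policy_text)
    return [" ".join(f) for f in map(_fields, rules_text.splitlines())
            if len(f) >= 3 and f[0].upper() == "ACCEPT"
            and effective_policy(policies, f[1], f[2]) == "ACCEPT"]

if __name__ == "__main__":
    for rule in superfluous_rules(POLICY, RULES):
        print("already accepted by policy:", rule)
```

Rules that survive this check (for example net to fw on tcp 22 and 10000) are the ones that actually widen what the policy file allows and deserve the review.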
Oops! Sorry Tom for responding directly, this should have gone to the list!
Brain cramp.

Tom,

Thanks for the response. You are right about the ACCEPT Changes and I have
taken care of that. I have done an ipconfig /all and the DNS and WINS
information is right. The issue still remains. I can still go and map the
share, and I get the user name and dialog box - I enter the appropriate
information and it accepts it and I can see the share in Explorer. But when
I go to click on it to see the contents of the share I get the following
dialog box.

"An Error Occurred while connecting to Z: \\T2000\public" The local device
name is already in use. The connection has not been restored"

It seems that I am very close, but this has stumped me.

Thanks again for your help.

Bruce P. Morin

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, January 07, 2005 10:42 AM
To: bpmorin@safepointetech.com; Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Shorewall, PPTP and Samba

Bruce P. Morin wrote:
> Good Morning Everyone,
>
> I have a server that runs Shorewall/Samba/PPTP (Poptop). When we try to
> connect to the PPTP server from outside of the company, the Windows XP pro
> client can establish the connection. We can then ping the server and the
> clients behind the server without any problem, but the issue becomes that we
> cannot map to any of the shares on the samba server or to any client for
> that matter. While the clients are not that important - it is important to
> be able to map to the Samba box.
>
> If anyone could offer some advice as to how to solve this dilemma it would
> be greatly appreciated.
>

First, put your rules and policies back the way that they should be (I
assume that you have been blindly adding ACCEPT policies trying to make this
work -- otherwise, you have a lot of superfluous rules).

Second, get rid of these rules unless you really want to create tunnels
within tunnels.

> ACCEPT vpn fw tcp 1723
> ACCEPT vpn fw 47 -
> ACCEPT fw vpn 47 -

Third, check your pppd configuration to make sure that you have specified a
local IP address of the firewall in your 'ms-wins' specification -- ipconfig
/all on one of the XP Pro boxes will tell you when you get that right.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Bruce P. Morin wrote:
> Tom,
>
> Thanks for the response. You are right about the ACCEPT Changes and I have
> taken care of that. I have done an ipconfig /all and the DNS and WINS
> information is right. The issue still remains. I can still go and map the
> share, and I get the user name and dialog box - I enter the appropriate
> information and it accepts it and I can see the share in Explorer. But when
> I go to click on it to see the contents of the share I get the following
> dialog box.
>
> "An Error Occurred while connecting to Z: \\T2000\public" The local device
> name is already in use. The connection has not been restored"
>
> It seems that I am very close, but this has stumped me.
>

Doesn't sound like a Shorewall problem -- If you "shorewall clear", can you
access the share?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom,

Nope - a shorewall clear results in the same thing.

Thanks,
Bruce

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, January 07, 2005 11:19 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Shorewall, PPTP and Samba

Bruce P. Morin wrote:
> Tom,
>
> Thanks for the response. You are right about the ACCEPT Changes and I have
> taken care of that. I have done an ipconfig /all and the DNS and WINS
> information is right. The issue still remains. I can still go and map the
> share, and I get the user name and dialog box - I enter the appropriate
> information and it accepts it and I can see the share in Explorer. But when
> I go to click on it to see the contents of the share I get the following
> dialog box.
>
> "An Error Occurred while connecting to Z: \\T2000\public" The local device
> name is already in use. The connection has not been restored"
>
> It seems that I am very close, but this has stumped me.
>

Doesn't sound like a Shorewall problem -- If you "shorewall clear", can you
access the share?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Bruce P. Morin wrote:
> Tom,
>
> Nope - a shorewall clear results in the same thing.
>

Then you will need to look elsewhere for the problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key