Sorry if this newbie question just steals your time, but I could not find anything working on the internet...

I tried to set up a firewall to masquerade the internal net to the internet and protect the computer (version 1.2, Debian woody).
I need to have Samba (local/domain master, WINS support) on this computer. This, as far as I know, worked without the firewall.
Now with the firewall enabled, Windows PCs don't know the hostname anymore and are not able to see the computer or mount any shares.
If I try this on my own Linux box using

    smbmount //gateway/SHARE /mnt

it works, but with "linneighborhood" I also don't see the computer.
I know I could upgrade to 1.4, but if there is a setting for the old version I'd prefer keeping this one.

This is what nmblookup gives me (gateway is the hostname of the computer):

    querying gateway on 192.168.0.255
    Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
    name_query failed to find name gateway

In policy, I tried to accept all packets from local to the machine and back:

    $FW net ACCEPT
    loc $FW ACCEPT

--
OpenPGP public key available: http://home.arcor.de/jan.kohnert/gnupg_publickey.asc
Key-Fingerprint: BA8E 11D1 FE7C 9353 7276 5375 486E 9BED 2B03 DF29
Jan Kohnert wrote:
> Sorry if this newbie question just steals your time, but I could not find
> anything working on the internet...
>
> I tried to set up a firewall to masquerade the internal net to the internet and
> protect the computer (version 1.2, Debian woody).
> I need to have Samba (local/domain master, WINS support) on this computer.
> This, as far as I know, worked without the firewall.
> Now with the firewall enabled, Windows PCs don't know the hostname anymore
> and are not able to see the computer or mount any shares.
> If I try this on my own Linux box using
> smbmount //gateway/SHARE /mnt
> it works, but with "linneighborhood" I also don't see the computer.
> I know I could upgrade to 1.4, but if there is a setting for the old version
> I'd prefer keeping this one.

Yes, I can recommend upgrading to a newer version! There is one in testing...

Are you sure the clients are actually using the WINS server? In Samba it's the 'wins server' option. On Windows, you can put it in manually, or distribute it along with DHCP.

> This is what nmblookup gives me (gateway is the hostname of the computer):
> querying gateway on 192.168.0.255
> Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
> name_query failed to find name gateway

I'm asking because this still looks like a broadcast...

HTH,
--
- Pieter
On Tue, 11 Nov 2003, Jan Kohnert wrote:
> Sorry if this newbie question just steals your time, but I could not find
> anything working on the internet...
>
> I tried to set up a firewall to masquerade the internal net to the internet and
> protect the computer (version 1.2, Debian woody).
> I need to have Samba (local/domain master, WINS support) on this computer.
> This, as far as I know, worked without the firewall.
> Now with the firewall enabled, Windows PCs don't know the hostname anymore
> and are not able to see the computer or mount any shares.
> If I try this on my own Linux box using
> smbmount //gateway/SHARE /mnt
> it works, but with "linneighborhood" I also don't see the computer.
> I know I could upgrade to 1.4, but if there is a setting for the old version
> I'd prefer keeping this one.
>
> This is what nmblookup gives me (gateway is the hostname of the computer):
> querying gateway on 192.168.0.255
> Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
> name_query failed to find name gateway
>
> In policy, I tried to accept all packets from local to the machine and back:
> $FW net ACCEPT
> loc $FW ACCEPT
>

There must be a typo since those don't make any sense.

Have you looked at all at http://shorewall.net/samba.htm?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Wednesday, 12 November 2003 14:11, Tom Eastep wrote:
> On Tue, 11 Nov 2003, Jan Kohnert wrote:
> > Sorry if this newbie question just steals your time, but I could not find
> > anything working on the internet...
> >
> > In policy, I tried to accept all packets from local to the machine and
> > back:
> > $FW net ACCEPT
> > loc $FW ACCEPT
>
> There must be a typo since those don't make any sense.
>
> Have you looked at all at http://shorewall.net/samba.htm?
>
> -Tom

Thanks a lot for the advice; I followed it, but somehow it still does not work. I'm sending you the output of the shorewall restart and of nmblookup; maybe there is still some misconfiguration in it...

    gateway:~# shorewall restart
    Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Restarting Shorewall...
    Loading Modules...
    Initializing...
    Determining Zones...
       Zones: net loc dmz
    Validating interfaces file...
    Validating hosts file...
    Determining Hosts in Zones...
       Net Zone: ppp0:0.0.0.0/0
       Local Zone: eth1:0.0.0.0/0
       Warning: Zone dmz is empty
    Deleting user chains...
    Configuring Proxy ARP and NAT
    Adding Common Rules
    IP Forwarding Enabled
    Processing /etc/shorewall/tunnels...
    Processing /etc/shorewall/rules...
       Rule "ACCEPT loc fw tcp ssh" added.
       Rule "ACCEPT fw loc tcp ssh" added.
       Rule "ACCEPT net fw tcp 4662" added.
       Rule "ACCEPT net fw udp 12112" added.
       Rule "ACCEPT fw loc udp 137:139" added.
       Rule "ACCEPT fw loc tcp 137,139,445" added.
       Rule "ACCEPT fw loc udp 1024: 137" added.
       Rule "ACCEPT loc fw udp 137:139" added.
       Rule "ACCEPT loc fw tcp 137,139,445" added.
       Rule "ACCEPT loc fw udp 1024: 137" added.
    Adding rules for DHCP
    Setting up ICMP Echo handling...
    Processing /etc/shorewall/policy...
       Policy ACCEPT for fw to net.
       Policy REJECT for fw to loc.
       Policy DROP for net to fw.
       Policy REJECT for loc to fw.
       Policy ACCEPT for loc to net.
    Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from eth1 through ppp0
    Processing /etc/shorewall/tos...
       Rule "all all tcp - ssh 16" added.
       Rule "all all tcp ssh - 16" added.
       Rule "all all tcp - ftp 16" added.
       Rule "all all tcp ftp - 16" added.
       Rule "all all tcp ftp-data - 8" added.
       Rule "all all tcp - ftp-data 8" added.
    Activating Rules...
    Shorewall Restarted

    gateway:~# nmblookup gateway
    querying gateway on 192.168.0.255
    Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
    name_query failed to find name gateway
    gateway:~#

Best regards
Jan Kohnert
> gateway:~# nmblookup gateway
> querying gateway on 192.168.0.255
> Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
> name_query failed to find name gateway
> gateway:~#

Is 192.168.0.255 the broadcast address for eth1?

-Tom
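Tom's question above is worth checking mechanically: nmblookup sends the name query to the directed broadcast of the subnet it believes it is on, and if that address does not match eth1's real subnet the packet is routed elsewhere and hits different Shorewall zones and policies. The following is an added example, not from the thread or from Shorewall; it computes the broadcast address from an interface address and a dotted netmask (the form woody's ifconfig prints) in POSIX sh and compares it with the address nmblookup reported. The 192.168.0.1 / 255.255.255.0 values in the usage comment are assumptions for illustration; take the real ones from 'ifconfig eth1' on the gateway.

```shell
#!/bin/sh
# Added example: check whether the address nmblookup queried is really the
# directed broadcast of eth1's subnet. Pure POSIX sh, no external tools.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Convert a 32-bit integer back to a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_of ADDR NETMASK -> directed broadcast of that subnet.
# NETMASK is dotted (e.g. 255.255.255.0), as 'ifconfig eth1' prints it.
broadcast_of() {
    addr=$(ip2int "$1")
    mask=$(ip2int "$2")
    # network part from the address, host part all ones; mask ~ to 32 bits
    # because sh arithmetic may be 64-bit.
    int2ip $(( (addr & mask) | (~mask & 4294967295) ))
}

# check_broadcast ADDR NETMASK QUERIED
# Returns 0 if QUERIED (the address in nmblookup's "querying ... on" line)
# is the broadcast of ADDR/NETMASK, 1 otherwise.
check_broadcast() {
    bcast=$(broadcast_of "$1" "$2")
    if [ "$bcast" = "$3" ]; then
        echo "ok: $3 is the broadcast address of $1 netmask $2"
        return 0
    else
        echo "mismatch: interface broadcast is $bcast, nmblookup queried $3"
        echo "the query is leaving via a route that is not eth1's subnet"
        return 1
    fi
}

# Usage on the gateway (values are assumptions; substitute those of eth1):
#   check_broadcast 192.168.0.1 255.255.255.0 192.168.0.255
```

If the check reports a mismatch, the fix is on the Samba/interface side (the 'interfaces' setting in smb.conf, or eth1's address and netmask), not in the Shorewall rules. If it matches, the rules and the fw-to-loc policy are the next thing to look at, since with Shorewall's REJECT policy a locally generated packet that is rejected in the OUTPUT chain is what surfaces to nmblookup as "Operation not permitted".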
> On Wednesday, 12 November 2003 14:11, Tom Eastep wrote:
>
> gateway:~# shorewall restart
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Restarting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
>    Zones: net loc dmz
> Validating interfaces file...
> Validating hosts file...
> Determining Hosts in Zones...
>    Net Zone: ppp0:0.0.0.0/0
>    Local Zone: eth1:0.0.0.0/0
>    Warning: Zone dmz is empty
>

It also looks like you didn't install Shorewall using the appropriate QuickStart Guide (http://www.shorewall.net/shorewall_quickstart_guide.htm).

-Tom