Jim C
2002-Nov-30 06:35 UTC
[Shorewall-users] [Fwd: Re: [expert] Shorewall Follies - It's drivin' me NUTS!!]
Ha! Fooled you! This is an answer rather than a question! :-)

Well I've got the shorewall rules for samba figured out. Please correct my work if I've made any mistakes. Port 445 is the port that XP/2K use for this purpose and the website did not take XP/2K into account. Port 631 is a network printer which may be important when I get around to putting up the print server. For added security (I hope) I've added entries for smbd and nmbd in hosts.deny and hosts.allow. I'm not sure what effect this will have but hey, like I'm tryin, see. ;-)

Here's a question: Do I need to have tcpd running to get wrappers to work? I thought I heard somewhere that wrappers were handled in the kernel these days.

> [root@enigma root]# cat /etc/shorewall/rules.samba.sav
> ACCEPT  fw    masq  tcp  631,137,139,445  -
> ACCEPT  fw    masq  udp  631,137,138,139  -
> ACCEPT  masq  fw    tcp  631,137,139,445  -
> ACCEPT  masq  fw    udp  631,137,138,139  -
> ACCEPT  loc   masq  tcp  631,137,139,445  -
> ACCEPT  loc   masq  udp  631,137,138,139  -
> ACCEPT  masq  loc   tcp  631,137,139,445  -
> ACCEPT  masq  loc   udp  631,137,138,139  -
> REJECT  net   masq  tcp  631,137,139,445  -
> REJECT  net   masq  udp  631,137,138,139  -
> REJECT  net   fw    tcp  137,139,445      -
> REJECT  net   fw    udp  137,138,139      -
> REJECT  net   loc   tcp  631,137,139,445  -
> REJECT  net   loc   udp  631,137,138,139  -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
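A rule set like the one posted above can be checked mechanically. This is an added example, not part of the original message: it parses the posted rules and lists which of the message's ports, coming from the `net` zone, are not stopped by an explicit REJECT or DROP rule and so depend on /etc/shorewall/policy. The function names and the WATCHED list are this example's own, and it handles plain zone names, numeric ports and low:high ranges only.

```python
# Rules as posted in the message above: ACTION SOURCE DEST PROTO DEST-PORTS SOURCE-PORTS
RULES = """\
ACCEPT fw masq tcp 631,137,139,445 -
ACCEPT fw masq udp 631,137,138,139 -
ACCEPT masq fw tcp 631,137,139,445 -
ACCEPT masq fw udp 631,137,138,139 -
ACCEPT loc masq tcp 631,137,139,445 -
ACCEPT loc masq udp 631,137,138,139 -
ACCEPT masq loc tcp 631,137,139,445 -
ACCEPT masq loc udp 631,137,138,139 -
REJECT net masq tcp 631,137,139,445 -
REJECT net masq udp 631,137,138,139 -
REJECT net fw tcp 137,139,445 -
REJECT net fw udp 137,138,139 -
REJECT net loc tcp 631,137,139,445 -
REJECT net loc udp 631,137,138,139 -
"""
# Ports the message lists for Samba and the printer (watch list chosen for this example).
WATCHED = {"tcp": (137, 139, 445, 631), "udp": (137, 138, 139, 631)}

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()       # drop comments, split columns
        if len(f) < 5:
            continue                             # blank line or rule without ports
        ports = set()
        for item in f[4].split(","):
            low, _, high = item.partition(":")   # Shorewall port ranges are low:high
            ports.update(range(int(low), int(high or low) + 1))
        rules.append((f[0], f[1], f[2], f[3], ports))
    return rules

def verdict(rules, src, dst, proto, port):
    """Action of the first matching rule, or None when only the policy file decides."""
    for action, r_src, r_dst, r_proto, ports in rules:
        if r_src in (src, "all") and r_dst in (dst, "all") \
                and r_proto == proto and port in ports:
            return action
    return None

def not_blocked(rules, src):
    """Watched (dest, proto, port) triples from `src` that no REJECT/DROP rule stops."""
    zones = {r[2] for r in rules} - {src, "all"}
    return {(dst, proto, port): v
            for dst in sorted(zones) for proto in WATCHED for port in WATCHED[proto]
            if (v := verdict(rules, src, dst, proto, port)) not in ("REJECT", "DROP")}

if __name__ == "__main__":
    print(not_blocked(parse_rules(RULES), "net"))
```

On the rules as posted it reports port 631 (tcp and udp) from `net` to `fw`, because the two `net fw` rules omit 631; whether that traffic is refused then depends on the net-to-fw entry in the policy file.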
Homer Parker
2002-Nov-30 06:48 UTC
[Shorewall-users] [Fwd: Re: [expert] Shorewall Follies - It's drivin' me NUTS!!]
On Fri, 29 Nov 2002 22:35:30 -0800 Jim C <jcllings@tsunamicomm.net> wrote....

> Ha! Fooled you! This is an answer rather than a question! :-)
>
> Well I've got the shorewall rules for samba figured out. Please correct
> my work if I've made any mistakes. Port 445 is the port that XP/2K use
> for this purpose and the website did not take XP/2K into account. Port
> 631 is a network printer which may be important when I get around to
> putting up the print server. For added security (I hope) I've added
> entries for smbd and nmbd in hosts.deny and hosts.allow. I'm not sure
> what effect this will have but hey, like I'm tryin, see. ;-)

What was the problem you solved by opening port 445? I'm having a mapping problem from XP -> 2K server..

---
Homer Parker

http://www.homershut.net
telnet://bbs.homershut.net

This e-mail message is 100% Microsoft free!

WARNING: THIS ACCOUNT BELONGS TO A RABID ANTI-SPAMMER NET-NAZI DOT-COMMUNIST.

 /"\
 \ /  ASCII Ribbon Campaign
  X   Against HTML Mail
 / \
Jim C
2002-Nov-30 09:01 UTC
[Shorewall-users] [Fwd: Re: [expert] Shorewall Follies - It's drivin' me NUTS!!]
The problem was that I could get the firewall to work and I could get Internet Connection Sharing to work also but I couldn't get them to like Samba at all. According to the docs port 445 is used by XP/2K to access Server Message Block stuff. The results I've gotten would seem to bear this out.

Mapping, huh? Make sure you got smbd configured for the right kind of sharing. SWAT says this is important. Other than that I'm not really up on mapping. ;-)

Homer Parker wrote:

> On Fri, 29 Nov 2002 22:35:30 -0800 Jim C <jcllings@tsunamicomm.net>
>> Ha! Fooled you! This is an answer rather than a question! :-)
...
>> what effect this will have but hey, like I'm tryin, see. ;-)
> What was the problem you solved by opening port 445? I'm having a mapping
> problem from XP -> 2K server..
Homer Parker
2002-Nov-30 17:19 UTC
[Shorewall-users] [Fwd: Re: [expert] Shorewall Follies - It's drivin' me NUTS!!]
On Sat, 30 Nov 2002 01:01:26 -0800 Jim C <jcllings@tsunamicomm.net> wrote....

> The problem was that I could get the firewall to work and I could get
> Internet Connection Sharing to work also but I couldn't get them to
> like Samba at all. According to the docs port 445 is used by XP/2K to
> access Server Message Block stuff. The results I've gotten would seem
> to bear this out.
>
> Mapping, huh? Make sure you got smbd configured for the right kind of
> sharing. SWAT says this is important. Other than that I'm not really
> up on mapping. ;-)

I wish it was Samba on the other end... Client is XP Home, server is 2000... I will open 445 across there, and see if that helps... Can't hurt ;) Thanks for the pointer, will let you know if it helps the problem..

---
Homer Parker

http://www.homershut.net
telnet://bbs.homershut.net

This e-mail message is 100% Microsoft free!

WARNING: THIS ACCOUNT BELONGS TO A RABID ANTI-SPAMMER NET-NAZI DOT-COMMUNIST.

 /"\
 \ /  ASCII Ribbon Campaign
  X   Against HTML Mail
 / \
Homer Parker
2002-Nov-30 17:39 UTC
[Shorewall-users] [Fwd: Re: [expert] Shorewall Follies - It's drivin' me NUTS!!]
On Sat, 30 Nov 2002 11:19:37 -0600 Homer Parker <hparker@homershut.net> wrote....

> On Sat, 30 Nov 2002 01:01:26 -0800 Jim C <jcllings@tsunamicomm.net>
> wrote....
>
> > The problem was that I could get the firewall to work and I could get
> > Internet Connection Sharing to work also but I couldn't get them to
> > like Samba at all. According to the docs port 445 is used by XP/2K to
> > access Server Message Block stuff. The results I've gotten would seem
> > to bear this out.

Ok, typing before coffee is not a good thing... Usually results in hunk-o-sock for breakfast... In policy, I have:

dmz  gw1  ACCEPT
gw1  dmz  ACCEPT
loc  gw0  ACCEPT
gw0  loc  ACCEPT

So, everything is about as wide open as it can get on the link I'm having the problem on... Thanks for listening.. Now, where's that coffee cup! ;)

---
Homer Parker

http://www.homershut.net
telnet://bbs.homershut.net
Ron Heron
2002-Nov-30 18:01 UTC
[Shorewall-users] [Fwd: Re: [expert] Shorewall Follies - It's drivin' me NUTS!!]
I haven't read this full thread, but SMB is on port 139, port 445 is for Microsoft directory service stuff. Of course, if that's what you are trying to do, then cat /dev/nul > this mail.

ron

--- Homer Parker <hparker@homershut.net>

> On Sat, 30 Nov 2002 01:01:26 -0800 Jim C <jcllings@tsunamicomm.net>
> wrote....
>
> > The problem was that I could get the firewall to work and I could get
> > Internet Connection Sharing to work also but I couldn't get them to
> > like Samba at all. According to the docs port 445 is used by XP/2K to
> > access Server Message Block stuff. The results I've gotten would seem
> > to bear this out.
> >
> > Mapping, huh? Make sure you got smbd configured for the right kind of
> > sharing. SWAT says this is important. Other than that I'm not really
> > up on mapping. ;-)
>
> I wish it was Samba on the other end... Client is XP Home, server is
> 2000... I will open 445 across there, and see if that helps... Can't hurt
> ;) Thanks for the pointer, will let you know if it helps the problem..

=====
Ron Heron