Every few minutes I get packets like these, one from every windows workstation on the local net (eth1):

May 9 13:29:03 norcomix kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:a0:c9:cf:73:8c:00:10:4b:6a:ae:e7:08:00 SRC=192.168.2.14 DST=192.168.2.80 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=28063 PROTO=UDP SPT=137 DPT=42200 LEN=70

I have these rules to accommodate samba:

# Samba server internal access only
#
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139

So what are these rejects, and why does the above rule (3rd one) not accept them?

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
On Thu, 9 May 2002, John Andersen wrote:

> Every few minutes I get packets like these, one from every windows workstation on the local net (eth1):
>
> May 9 13:29:03 norcomix kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:a0:c9:cf:73:8c:00:10:4b:6a:ae:e7:08:00 SRC=192.168.2.14 DST=192.168.2.80
> LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=28063 PROTO=UDP SPT=137 DPT=42200 LEN=70
>
> I have these rules to accommodate samba:
>
> # Samba server internal access only
> #
> ACCEPT fw loc udp 137:139
> ACCEPT fw loc tcp 137,139
> ACCEPT loc fw udp 137:139
> ACCEPT loc fw tcp 137,139
>
> So what are these rejects, and why does the above rule (3rd one)
> not accept them?
>

Because in the packet being rejected, the SOURCE port is 137 and rule three passes packets with DESTINATION port 137. The packet should actually be passed as a consequence of the first rule assuming that Samba on your firewall sent a request from port 42200 -> port 137 on 192.168.2.14 recently.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On 9 May 2002 at 15:47, Tom Eastep wrote:

> On Thu, 9 May 2002, John Andersen wrote:
>
> > Every few minutes I get packets like these, one from every windows
> > workstation on the local net (eth1):
> >
> > May 9 13:29:03 norcomix kernel: Shorewall:all2all:REJECT:IN=eth1
> > OUT= MAC=00:a0:c9:cf:73:8c:00:10:4b:6a:ae:e7:08:00 SRC=192.168.2.14
> > DST=192.168.2.80 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=28063 PROTO=UDP
> > SPT=137 DPT=42200 LEN=70
>
> Because in the packet being rejected, the SOURCE port is 137 and rule
> three passes packets with DESTINATION port 137. The packet should
> actually be passed as a consequence of the first rule assuming that
> Samba on your firewall sent a request from port 42200 -> port 137 on
> 192.168.2.14 recently.

Ok, hang with me and sooner or later I will figure out the correct question to ask.... ;-)

Considering that there were no rejects near this time period for anything other than the above (and one from each workstation to the server), I can only assume that if the samba server did send such a packet it was accepted.

But this packet was not, so presumably rule 1 did not permit it as you postulate above and the policy rejected it.

Now I could put in a rule (or policy) to allow all loc to fw but I hesitate to do this. I'd rather find out why all my workstations decided to send a packet to the FW at the same time. Prior instances of this had different destination port numbers but always in the 41k range.

Would a browser election cause this?
Browse list refresh?

Do other folks running samba on the Fw see these? (I cribbed the samba rules in the prior post from the web page).

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
On Thu, 9 May 2002, John Andersen wrote:

>
> But this packet was not, so presumably rule 1 did not permit
> it as you postulate above and the policy rejected it.
>
> Now I could put in a rule (or policy) to allow all loc to fw
> but I hesitate to do this. I'd rather find out why all my
> workstations decided to send a packet to the FW at the same
> time. Prior instances of this had different destination port
> numbers but always in the 41k range.
>
> Would a browser election cause this?
> Browse list refresh?
>
> Do other folks running samba on the Fw see these?
>

There seems to be a problem with iptables and broadcasts although I was under the impression that broadcast/response worked properly -- I think what is happening is that your firewall is broadcasting on port 137 and all of your workstations are responding. Unfortunately, iptables doesn't recognize the responses as being related to the broadcast.

Another user recently had this problem.

Since I have never seen the problem, the solution seems to be to configure one of your Samba systems as a WINS server (which I do here).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
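A small log-triage script, added here as an illustration and not part of the thread or of Shorewall, that applies the two points Tom makes above: it checks each REJECT line against the four Samba rules exactly as posted (Shorewall matches on DEST PORT, so a reply with SPT=137 does not hit rule 3) and flags UDP source-port-137 packets aimed at a high port as NetBIOS name-service replies to a broadcast that conntrack could not relate. The log lines are constructed from the one quoted in the thread; the addresses other than 192.168.2.14 and 192.168.2.80, the second MACs and the TCP line are made up.

```python
import re
from collections import defaultdict
# Constructed sample log, modelled on the REJECT line quoted in the thread (extra hosts are invented).
SAMPLE_LOG = """\
May  9 13:29:03 norcomix kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:a0:c9:cf:73:8c:00:10:4b:6a:ae:e7:08:00 SRC=192.168.2.14 DST=192.168.2.80 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=28063 PROTO=UDP SPT=137 DPT=42200 LEN=70
May  9 13:29:03 norcomix kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:a0:c9:cf:73:8c:00:50:da:01:02:03:08:00 SRC=192.168.2.21 DST=192.168.2.80 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=1104 PROTO=UDP SPT=137 DPT=42200 LEN=70
May  9 13:31:17 norcomix kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:a0:c9:cf:73:8c:00:50:da:04:05:06:08:00 SRC=192.168.2.33 DST=192.168.2.80 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=77 PROTO=TCP SPT=1055 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
"""
# The four Samba rules from the original post: (SOURCE zone, DEST zone, PROTO, DEST PORT(S)).
# Rule numbers reported below are 1-based, as the thread counts them.
SAMBA_RULES = [("fw", "loc", "udp", "137:139"), ("fw", "loc", "tcp", "137,139"),
               ("loc", "fw", "udp", "137:139"), ("loc", "fw", "tcp", "137,139")]
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_reject(line):
    """One Shorewall/iptables log line -> dict of KEY=VALUE fields, plus TIME and the zone pair."""
    pkt = dict(FIELD_RE.findall(line))
    pkt["TIME"] = line.split()[2]
    # IN= set and OUT= empty: the packet was addressed to the firewall itself, i.e. loc -> fw.
    pkt["ZONES"] = ("loc", "fw") if pkt.get("IN") and not pkt.get("OUT") else ("fw", "loc")
    return pkt

def port_in_spec(port, spec):
    """Shorewall port syntax: 'a:b' is a range, 'a,b' a list, 'a' a single port."""
    if ":" in spec:
        lo, hi = map(int, spec.split(":"))
        return lo <= port <= hi
    return port in {int(p) for p in spec.split(",")}

def matching_rules(pkt):
    return [i for i, (src, dst, proto, ports) in enumerate(SAMBA_RULES, 1)
            if (src, dst) == pkt["ZONES"] and proto == pkt["PROTO"].lower()
            and port_in_spec(int(pkt["DPT"]), ports)]

def classify(pkt):
    if matching_rules(pkt):
        return "matches-samba-rule"
    # SPT=137 marks a NetBIOS name-service reply. The rules only look at DPT, and conntrack
    # does not relate a unicast reply to the broadcast query the firewall sent.
    if pkt["PROTO"] == "UDP" and pkt["SPT"] == "137" and int(pkt["DPT"]) > 1023:
        return "netbios-reply-to-broadcast"
    return "other"

def summarize(log):
    groups = defaultdict(set)   # (TIME, DPT) -> hosts; several hosts in one group = one query answered by all
    for line in log.splitlines():
        pkt = parse_reject(line)
        if classify(pkt) == "netbios-reply-to-broadcast":
            groups[(pkt["TIME"], pkt["DPT"])].add(pkt["SRC"])
    return {key: sorted(hosts) for key, hosts in groups.items()}
```

A group with one destination port and many source hosts at the same second is the "one from every workstation" pattern John describes; a reject whose DPT is 137 would instead show up under rule 1 or 3.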
> -----Original Message-----
> From: Tom Eastep
> Sent: Thursday, May 09, 2002 7:06 PM
> To: John Andersen
> Cc: shorewall Users
> Subject: Re: [Shorewall-users] Rejected packets Samba related?
>
>
> On Thu, 9 May 2002, John Andersen wrote:
>
> >
> > But this packet was not, so presumably rule 1 did not permit
> > it as you postulate above and the policy rejected it.
> >
> > Now I could put in a rule (or policy) to allow all loc to fw
> > but I hesitate to do this. I'd rather find out why all my
> > workstations decided to send a packet to the FW at the same
> > time. Prior instances of this had different destination port
> > numbers but always in the 41k range.
> >
> > Would a browser election cause this?
> > Browse list refresh?
> >
> > Do other folks running samba on the Fw see these?
> >
>
> There seems to be a problem with iptables and broadcasts
> although I was under the impression that broadcast/response
> worked properly -- I think what is happening is that your
> firewall is broadcasting on port 137 and all of your
> workstations are responding. Unfortunately, iptables doesn't
> recognize the responses as being related to the broadcast.
>
> Another user recently had this problem.
>
> Since I have never seen the problem, the solution seems to be
> to configure one of your Samba systems as a WINS server
> (which I do here).
>

Also, try running ethereal. It should point out what Samba (nmb/smb) is doing on your network. I think you'll be surprised at just how chatty netbios really is.

Steve Cowles