JLB
2005-Feb-09 14:49 UTC
[Samba] Firewall piercing - The Specified network name is no longer available.
Hi all.

I'm trying to set up one of my Unix machines at home so I can access my
stuff there via SMB from the Internet at large (read: from Windows-using
clients).

I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
device.

I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
Only port 139 actually responds to TCP connections (well, only port 139
accepts a telnet, even from localhost).

See:

--------------------------------------------------------------------------
-bash-2.05b# telnet localhost 137
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 138
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 139
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> close
Connection closed.
-bash-2.05b# telnet localhost 445
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
--------------------------------------------------------------------------

It should go without saying that this machine's Samba shares work
PERFECTLY WELL within the LAN. ;)

Now, from the outside, I can telnet to port 139 on the machine just fine,
through both NAT devices. However, when I go Start, Run,
\\x.y.z.a\sharename (where "x.y.z.a" is the IP address-- not the FQDN-- of
the machine), Windows vomits up this unhelpful message:

--------------------------------------------------
\\x.y.z.a\sharename
The specified network name is no longer available.
--------------------------------------------------

See:

http://jlb.twu.net/tmp/unhelpful.png

Any ideas? The client machine runs Windows 2000 Pro.

--
J. L. Blank, Systems Administrator, twu.net
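A telnet connect only proves that the TCP handshake completes. When a Windows 2000 client uses port 139 it first sends a NetBIOS session request (RFC 1002) and expects a positive session response before any SMB traffic flows, so the useful next check is whether that session layer answers through both NAT boxes. Two other things the telnet transcript above already tells you: ports 137 and 138 are UDP services (NetBIOS name service and datagram service), so a TCP telnet to them is refused whether or not the firewall holes are right, and a refused connect to 445 on localhost means nothing on that host is listening on 445 at all. The script below is an added example for this thread, not code from the original posts or from Samba. It sends a session request for the generic called name "*SMBSERVER" and classifies the reply; the host 192.0.2.10 and the calling name PROBE are constructed placeholders.

```python
"""Probe a Samba host's NetBIOS session service (TCP/139) with a real
RFC 1002 SESSION REQUEST, rather than a bare telnet connect.

Added example for this thread; not code from the original posts or from
Samba.  The default host and the calling name are constructed placeholders."""
import socket
import struct
from typing import Optional, Tuple

# RFC 1002 session service packet types
SESSION_REQUEST = 0x81
POSITIVE_SESSION_RESPONSE = 0x82
NEGATIVE_SESSION_RESPONSE = 0x83

# RFC 1002 NEGATIVE SESSION RESPONSE error codes
NEGATIVE_REASONS = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "called name present, but insufficient resources",
    0x8F: "unspecified error",
}


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding of a NetBIOS name.

    The name is upper-cased, space-padded to 15 bytes and followed by the
    one-byte suffix (0x20 = server service).  Each of the 16 bytes is split
    into two nibbles, each mapped onto 'A'..'P', giving a 32-byte label that
    is wrapped as a single DNS-style label: length byte 0x20, label, 0x00."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return bytes([0x20]) + bytes(label) + b"\x00"


def build_session_request(called: str, calling: str) -> bytes:
    """SESSION REQUEST: type 0x81, flags 0, 16-bit length, called + calling name."""
    body = encode_netbios_name(called) + encode_netbios_name(calling)
    return struct.pack("!BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_response(data: bytes) -> Tuple[bool, str]:
    """Interpret the server's reply to a SESSION REQUEST."""
    if len(data) < 4:
        return False, "short or empty response (connection closed?)"
    ptype, _flags, length = struct.unpack("!BBH", data[:4])
    if ptype == POSITIVE_SESSION_RESPONSE:
        return True, "positive session response"
    if ptype == NEGATIVE_SESSION_RESPONSE:
        code: Optional[int] = data[4] if length >= 1 and len(data) >= 5 else None
        reason = NEGATIVE_REASONS.get(code, "unknown error code %r" % (code,))
        return False, "negative session response: " + reason
    return False, "unexpected packet type 0x%02x" % ptype


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or whatever arrives before the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def check_netbios_session(host: str, port: int = 139, called: str = "*SMBSERVER",
                          calling: str = "PROBE", timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect, send a SESSION REQUEST for `called`, and classify the reply.

    '*SMBSERVER' is the generic called name that Samba and Windows accept;
    a NEGATIVE response with 'called name not present' usually means the
    server only answers to its configured NetBIOS name."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_session_request(called, calling))
        header = _recv_exact(sock, 4)
        if len(header) == 4 and header[0] == NEGATIVE_SESSION_RESPONSE:
            header += _recv_exact(sock, 1)  # a one-byte error code follows
        return parse_session_response(header)


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a constructed placeholder; pass the real host as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    try:
        ok, detail = check_netbios_session(target)
    except OSError as exc:
        ok, detail = False, "connect failed: %s" % exc
    print("%s:139 -> %s (%s)" % (target, "OK" if ok else "FAIL", detail))
```

Run it from the outside against the public address: a positive session response means both NAT devices pass the NetBIOS session layer and the fault lies later in the SMB negotiation; a negative response or a closed connection narrows the problem to the name the server is willing to answer to, or to something between the client and port 139.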
Paul Gienger
2005-Feb-09 14:55 UTC
[Samba] Firewall piercing - The Specified network name is no longer available.
> I'm trying to set up one of my Unix machines at home so I can access my
> stuff there via SMB from the Internet at large (read: from Windows-using
> clients).
>

Are you saying that you're trying to allow access from 'random internet
user' (which is probably you) directly to your samba machine? You will
have problems with this if it is what you're doing.

1. because you may have a default filter on your firewalls that block it
   from traversing, although I think most sane manufacturers took this
   rule off now
2. because your ISP probably blocks/filters those ports.
3. because it's a Bad Thing (TM)(R)(C)

Spend a little time and set up a vpn endpoint on your box and just
forward the necessary ports over, i think openvpn is 5000. You'll be
much happier, sane, and protected as such.

> I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
> Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
> device.
>
> I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
> Only port 139 actually responds to TCP connections (well, only port 139
> accepts a telnet, even from localhost).
>
> See:
>
> --------------------------------------------------------------------------
> -bash-2.05b# telnet localhost 137
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> -bash-2.05b# telnet localhost 138
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> -bash-2.05b# telnet localhost 139
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> ^]
> telnet> close
> Connection closed.
> -bash-2.05b# telnet localhost 445
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> --------------------------------------------------------------------------
>
> It should go without saying that this machine's Samba shares work
> PERFECTLY WELL within the LAN. ;)
>
> Now, from the outside, I can telnet to port 139 on the machine just fine,
> through both NAT devices. However, when I go Start, Run,
> \\x.y.z.a\sharename (where "x.y.z.a" is the IP address-- not the FQDN-- of
> the machine), Windows vomits up this unhelpful message:
>
> --------------------------------------------------
> \\x.y.z.a\sharename
> The specified network name is no longer available.
> --------------------------------------------------
>
> See:
>
> http://jlb.twu.net/tmp/unhelpful.png
>
> Any ideas? The client machine runs Windows 2000 Pro.
>
> --
> J. L. Blank, Systems Administrator, twu.net
>

--
Paul Gienger                         Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                    Fax:    701-281-1322
URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
JLB
2005-Feb-09 21:40 UTC
[Samba] Firewall piercing - The Specified network name is no longer available.
On Wed, 9 Feb 2005, Jörn Nettingsmeier wrote:

> > The chance of any random joker stumbling upon a dynamically allocated IP
> > and h4x0ring into a password-protected share on a SPARC64 machine running
> > OpenBSD with a recent version of Samba is ....
> >
> > ....slim.
>
> maybe, but this is such an abysmal solution that you should just forget
> about it. how can somebody both geeky and security-conscious enough to
> run openbsd on a 64bit sparc even consider letting smb traffic out on
> the internet ????

Because I don't keep anything private on the share I'd be allowing out?
Because I won't be flinging around private files even if I did have the
private files there (and the filenames themselves contain nothing
incriminating, even among my personal stuff)? Because the chance of
someone sitting there with a packet sniffer between Joe Windows-using
Client and my home box, watching for my personal shite is VERY slim?
Because, as noted earlier, the chance of someone 0wning my SPARC64/OpenBSD
box, with its recent version of Samba, REGARDLESS of how many SMB ports I
open, is quite slim? Because the convenience I would gain (i.e. being able
to access work-related files, MP3s, etc. without circumventing or bending
ANY corporate "thou shalt not install anything" policies) would outweigh
any minuscule risks?

>
> >> Spend a little time and set up a vpn endpoint on your box and just
> >> forward the necessary ports over, i think openvpn is 5000. You'll be
> >> much happier, sane, and protected as such.
> >
> > And I will make use of this on client machines with strict "Thou Shalt Not
> > Install any Unauthorized Software" policies... how?
>
> wait. you have such a restrictive security policy (which you are
> obviously willing to respect), and at the same time you want to bypass
> the most basic security precautions by tunnelling the living shit out of
> the firewall and having unprotected smb over the internet?
> sorry, but this does not make sense at all.

You're confusing the sides of the firewall. The restrictive security
policies are on the side of the clients I work for. THEIR firewalls are
often quite restrictive. The other side of the equation is my box at
home, which has no such policy.

>
> > I've already set up zero-install Web-based telnet, zero-install Web-based
> > MP3 players... I even concocted a zero-install CygWin workalike and
> > keep it on my keychain USB drive...
>
> just keep putty and winscp on your keychain as well.

Why do that, and leave suspicious entries in the run history, when you
can do it right in the browser?

>
> > now I need a zero-install way to
> > access my files via Windows machines. And that means SMB. NOT OpenVPN,
> > OpenSSH, OpenVMS or any other "Open".
>
> talk to the guy who enforces the security policy at your site. this
> should be worked out in a sane fashion, and your network admin will
> benefit as well by not having to cope with rogue tunnels and other weird
> stuff.

I temp. I'm often at a client for one or two days. Not enough time to gain
a rapport with the network person (who is often an idiot MCSE-type), much
less to actually get him/her to work around the policy.

>
> i mean, you are a sysadmin too. if you say "no" to something on your
> networks, you want that to mean "no", don't you?
>

I don't generally say "no", except where it's something possibly
incriminating.

> i have a policy here that people can use tunnels if they must, but i
> require *notification* and want to give the users a quick run-down on
> what not to do (anybody seen those funny ssh tunnels on port 25 with the
> open-to-the-world switch on ? great fun indeed. "oh, i thought it's ok
> since everything is encrypted, right?")
>

--
J. L. Blank, Systems Administrator, twu.net
Ilia Chipitsine
2005-Feb-10 04:59 UTC
[Samba] Firewall piercing - The Specified network name is no longer available.
You can set up a PPTP/VPN server, and this eliminates the need to use NAT.

> Hi all.
>
> I'm trying to set up one of my Unix machines at home so I can access my
> stuff there via SMB from the Internet at large (read: from Windows-using
> clients).
>
> I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
> Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
> device.
>
> I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
> Only port 139 actually responds to TCP connections (well, only port 139
> accepts a telnet, even from localhost).
>
> See:
>
> --------------------------------------------------------------------------
> -bash-2.05b# telnet localhost 137
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> -bash-2.05b# telnet localhost 138
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> -bash-2.05b# telnet localhost 139
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> ^]
> telnet> close
> Connection closed.
> -bash-2.05b# telnet localhost 445
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> --------------------------------------------------------------------------
>
> It should go without saying that this machine's Samba shares work
> PERFECTLY WELL within the LAN. ;)
>
> Now, from the outside, I can telnet to port 139 on the machine just fine,
> through both NAT devices. However, when I go Start, Run,
> \\x.y.z.a\sharename (where "x.y.z.a" is the IP address-- not the FQDN-- of
> the machine), Windows vomits up this unhelpful message:
>
> --------------------------------------------------
> \\x.y.z.a\sharename
> The specified network name is no longer available.
> --------------------------------------------------
>
> See:
>
> http://jlb.twu.net/tmp/unhelpful.png
>
> Any ideas? The client machine runs Windows 2000 Pro.
>
> --
> J. L. Blank, Systems Administrator, twu.net