On Thu, Apr 11, 2013 at 12:13 AM, Gregory Sloop <gregs at sloop.net> wrote:
> I'll top post since you have...
>
> Hef:
> I don't think there is any way to change the ports - and you'd have to
> change them on each client, as well as the server. [Is there even a
> way to do that on a Windows client!? Some reg-hack somewhere?]
>
I was misled by \\live.sysinternals.com; it turns out that service uses
WebDAV, not SMB/CIFS. The interface in Windows for the two protocols is
nearly identical.
>
> I'm far from the expert here - as I can't imagine trying to move the
> CIFS ports windows uses.
>
I don't know about CIFS, but I have seen a lot of services have their ports
and servers moved around using DNS SRV records, including in Windows
software. The LDAP and Kerberos services in a PDC are good examples of
this.
>
> And IMO, trying to do this, while streaming the CIFS data and login
> via the unprotected and vast-vagaries of the open internet - well that
> just seems pretty crazy to me.
>
Is CIFS data unencrypted or unprotected, or does it have some other
vulnerability I should be aware of?
I'm setting up a central auth system for a hackerspace. A lot of the vagaries
of the internet come inside the private LAN anyway. Non-secured networks
are just something I am going to have to handle.
>
> You'll have no idea what might be happening to the traffic, not to
> mention the security and integrity of the connections.
>
I was assuming, perhaps incorrectly, that the data could be encrypted
without the need of a tunnel. I still assume that the LDAP and Kerberos
data is safe. If not, I need to abandon this approach altogether.
> As was mentioned before...
> Is there some reason you're not running this over a tunnel of some
> sort? Even if you completely strip the encryption away [which seems
> like a nearly equally terrible idea] you'll at least know, that if the
> tunnel works at all, someone isn't messing with something inside the
> tunnel -
> it [the tunnel] is either up or down. And then you don't have to worry
> about Comcast filtering CIFS ports, or messing with the traffic with
> sandvine etc.
>
I am avoiding running a tunnel, but not refusing to. I felt the SRV
record approach was worth investigating.
The reason for avoiding a tunnel is to reduce the overhead of adding
machines to the domain. Also, I haven't set up a VPN for this site yet.
>
> So, really - building a tunnel - even a simple one would be cheap and
> easy. Why make this so hard on yourself and burden everyone else with
> troubleshooting a problem that might have a million different issues
> that would be completely out of your control and would require hours
> and hours of troubleshooting to find, much less resolve.
>
I was trying to save the time of first establishing a VPN connection and
then using services; I was trying to go straight to the using-services
part.
Reducing troubleshooting is the goal I had with adjusting SRV records. I
have also heard of L2TP getting wonky if 2 users use it from behind the
same NAT. I am still concerned that adding a VPN increases complexity
instead of reducing it. You are probably right that I have no better
alternative at this point.
>
> [A couple of Routerboards would do the trick, and if you don't need
> huge levels of VPN throughput, a pair of RB750s are probably < $150 -
> just one example...]
> A VPN or other tunnel is really the only answer.
>
Agreed, I'm thinking of giving
https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network a
shot before falling back to OpenVPN.
>
> I'm sure that's not the answer you want - but IMO, it's the only
> reasonable answer.
>
Don't get me wrong, I really do appreciate your help.
>
> -Greg
>
> H> Looking at the DNS SRV records samba4 creates, I don't see any that cover
> H> what smbd is using.
>
> H> Does anyone have a reference for what SRV records affect what ports
> H> Windows looks for when registering with a domain?
>
> H> How do I change the ports smbd is using?
>
> H> I know there is a way, because \\live.sysinternals.com\Tools works
> H> through the Comcast-filtered ports.
>
> H> --hef
>
>
> H> On Wed, Apr 10, 2013 at 9:07 AM, Chris Weiss <cweiss at gmail.com> wrote:
>
> >> On Wed, Apr 10, 2013 at 8:52 AM, Hef <hef+samba at pbrfrat.com> wrote:
> >>
> >>> After doing an nmap scan and some googling, I discovered Comcast, one of
> >>> my ISPs, blocks outgoing ports 135, 139, and 445.
> >>>
> >>> Does anyone know a good way around those ports being blocked?
> >>> Can I reassign them in samba, and then update SRV records to match?
> >>>
> >>>
> >> Yes, use a VPN. SMB over the wide internet is not a great idea. It's a
> >> good thing that your ISP blocks those ports; it prevents viruses from
> >> spreading over their networks, as well as reducing traffic from infected
> >> machines trying to hack into machines that are not properly firewalled.
> >>
>
> --
> Gregory Sloop, Principal: Sloop Network & Computer Consulting
> Voice: 503.251.0452 x82
> EMail: gregs at sloop.net
> http://www.sloop.net
> ---
>
>
Intentionally bottom posting now; I didn't realize it was an issue, I
normally just use the reply button in Gmail.
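As an added illustration of the SRV-record point discussed in this thread (not code from the thread or from Samba), here is a small Python model of what a DC-locator client does with SRV records per RFC 2782: each record carries its own port, so LDAP and Kerberos can be pointed at a DC on nonstandard ports purely through DNS, while a lookup for SMB finds no record at all, which is why editing SRV records cannot move port 445. The zone contents and host names are constructed.

```python
import random
from collections import namedtuple

# One DNS SRV record (RFC 2782). The port is part of the record, which is
# why LDAP and Kerberos can be relocated just by editing DNS.
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample zone in the shape Samba AD publishes (names hypothetical).
# dc2 advertises LDAP and Kerberos on nonstandard ports; nothing lists SMB.
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.example.local": [
        SrvRecord(0, 100, 389, "dc1.example.local"),
        SrvRecord(10, 100, 3389, "dc2.example.local"),
    ],
    "_kerberos._tcp.dc._msdcs.example.local": [
        SrvRecord(0, 50, 88, "dc1.example.local"),
        SrvRecord(0, 50, 8888, "dc2.example.local"),
    ],
}

def select_target(records, rng=random):
    """Choose (target, port) the way an RFC 2782 client does: lowest
    priority first, then a weighted random pick among that priority."""
    if not records:
        return None
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        chosen = rng.choice(candidates)
    else:
        pick = rng.randint(0, total - 1)
        running = 0
        for chosen in candidates:
            running += chosen.weight
            if pick < running:
                break
    return chosen.target, chosen.port

def lookup(service, proto, domain, zone=SAMPLE_ZONE, rng=random):
    """Resolve the DC-locator name _service._proto.dc._msdcs.domain against
    the constructed zone. Returns None when no SRV record exists, which is
    the situation for SMB: clients connect to 445/139 without asking DNS."""
    name = f"_{service}._{proto}.dc._msdcs.{domain}"
    return select_target(zone.get(name, []), rng)

if __name__ == "__main__":
    for svc in ("ldap", "kerberos", "smb"):
        print(svc, lookup(svc, "tcp", "example.local"))
```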