Progress...

On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
> After reading this thread.. and ..seeing the comments..
>
> I googled a bit around. and yes.. more than 5 sec.. ;-)
>
> I wonder why almost every "centos/redhat/rpm based" howto removes firewalld with the base iptables service
> now, I'm not "pro" systemd or con systemd, I use it but I set my firewall with ufw,
> which is much more flexible in my opinion.
> I just don't care about how it starts.. as long as it works..
>
> so I found this one..
> http://www.certdepot.net/rhel7-get-started-firewalld/
> looks very nice, it explains all.
> based on that, how to create a "samba4-ad" service with multiple ports in it.
> or better, split it up into..
> samba4-kerberos
> samba4-smbd
> samba4-nmbd
> etc..

I have looked at the actual /usr/lib/firewalld/services xml files and find that I should use:

samba kerberos kpasswd dns ldap ldaps

And need to create services for tcp ports 135 (rpc) and 3268 (MS Global Catalog), or just do those as ports.

Still to be worked out are:

what about ldap and ldaps over udp? And do I need a rule for port 1024?

thanks

> The only thing I can't see there in the "HAProxy example" is you can
> add multiple "port / protocols" in there.
> that's up to you.
>
> but I think you will manage that.
>
> .. side note..
> Firewalling is not really a samba topic.. but we are all (yes Rowland too) happy to help you..
> ;-) Rowland is just not a "fan" of systemd.. ROFL...
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Bair
>> Sent: Thursday 27 August 2015 14:01
>> To: Robert Moskowitz
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Samba AD firewalld services
>>
>> The services and their port numbers and protocols are defined in
>> /etc/services. You should be able to use that file to map from port numbers
>> to services if you want to use the service names instead. This is not
>> something new with firewalld, iptables has had this option forever as well.
>>
>> On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>>> Now with firewalld, opening up ports is now 'better' done by opening
>>> services. So what do I need, for starters it seems:
>>>
>>> dns, dhcp, dhcpv6, samba, kerberos
>>>
>>> Here is the list of services:
>>>
>>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
>>> ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap
>>> ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy
>>> pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client
>>> smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
>>>
>>> I will only be running one AD, but a number of file servers (which in
>>> Samba4 are really DCs without some services?).
>>>
>>> thanks
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
On 27/08/15 14:25, Robert Moskowitz wrote:
> Progress...
>
> On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
>> [...]
>> based on that, how to create a "samba4-ad" service with multiple ports in it.
>> or better, split it up into..
>> samba4-kerberos
>> samba4-smbd
>> samba4-nmbd
>> etc..
>
> I have looked at the actual /usr/lib/firewalld/services xml files and
> find that I should use:
>
> samba kerberos kpasswd dns ldap ldaps
>
> And need to create services for tcp ports 135 (rpc) and 3268 (MS
> Global Catalog), or just do those as ports.
>
> Still to be worked out are:
>
> what about ldap and ldaps over udp? And do I need a rule for port 1024?
>
> thanks
>
>> [...]

Ah, This might help:
https://wiki.samba.org/index.php/Samba_AD_DC_port_usage

Didn't know it was there (probably because it wasn't, three days ago :-D )

Rowland
Oh, this really helps. See below, though.

On 08/27/2015 09:33 AM, Rowland Penny wrote:
> On 27/08/15 14:25, Robert Moskowitz wrote:
>> [...]
>> I have looked at the actual /usr/lib/firewalld/services xml files and
>> find that I should use:
>>
>> samba kerberos kpasswd dns ldap ldaps
>>
>> And need to create services for tcp ports 135 (rpc) and 3268 (MS
>> Global Catalog), or just do those as ports.
>>
>> Still to be worked out are:
>>
>> what about ldap and ldaps over udp? And do I need a rule for port 1024?
>>
>> thanks
>> [...]
>
> Ah, This might help:
> https://wiki.samba.org/index.php/Samba_AD_DC_port_usage

There it is! Shows my weak search foo. Answers the udp ldap/s question. Couple of new questions though.

mDNS? Even if you are running DHCP which provides the Nameserver address? And again, the firewalld mdns service only specifies udp; no tcp.

And what to do for ports 1024-5000? Open one? Open a few?

> Didn't know it was there (probably because it wasn't, three days ago :-D )

I suspect it was there, only edited 3 days ago.
mDNS is not DNS.
mDNS (zeroconf/avahi) (used for .local and .lan reserved tlds) is an apple thingy..
mDNS udp 5353
DNS tcp/udp 53.

Yes, dns tcp + udp. If a dns udp packet is too large it switches to tcp.
Got that from Wietse (the postfix developer), so I must believe him.. Wietse is great.. (and dutch) :-))

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert Moskowitz
> Sent: Thursday 27 August 2015 15:49
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Samba AD firewalld services
>
> Oh, this really helps. See below, though.
>
> On 08/27/2015 09:33 AM, Rowland Penny wrote:
>> On 27/08/15 14:25, Robert Moskowitz wrote:
>>> [...]
>>> Still to be worked out are:
>>>
>>> what about ldap and ldaps over udp? And do I need a rule for port 1024?
>>> [...]
>>
>> Ah, This might help:
>> https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
>
> There it is! Shows my weak search foo. Answers the udp ldap/s
> question. Couple of new questions though.
>
> mDNS? Even if you are running DHCP which provides the Nameserver
> address? And again, the firewalld mdns service only specifies
> udp; no tcp.
>
> And what to do for ports 1024-5000? Open one? Open a few?
>
>> Didn't know it was there (probably because it wasn't, three days ago :-D )
>
> I suspect it was there, only edited 3 days ago.
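As an added example (not code from anyone in this thread), the script below does what Robert did by hand with the /usr/lib/firewalld/services xml files: it parses service definitions, reports which AD DC ports the stock services (samba, kerberos, kpasswd, dns, ldap, ldaps) leave uncovered, including the udp ldap case raised later, and writes a service file for the rest. The XML samples are constructed in the firewalld service format, the port list follows the thread and the linked Samba wiki page, and the service name samba-ad-dc-extra is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the format of /usr/lib/firewalld/services/*.xml
# (hand-written for this example; the real files ship with firewalld).
SERVICE_XML = {
    "dns": '<service><short>DNS</short><port protocol="tcp" port="53"/>'
           '<port protocol="udp" port="53"/></service>',
    "kerberos": '<service><short>Kerberos</short><port protocol="tcp" port="88"/>'
                '<port protocol="udp" port="88"/></service>',
    "kpasswd": '<service><short>kpasswd</short><port protocol="tcp" port="464"/>'
               '<port protocol="udp" port="464"/></service>',
    "ldap": '<service><short>LDAP</short><port protocol="tcp" port="389"/></service>',
    "ldaps": '<service><short>LDAPS</short><port protocol="tcp" port="636"/></service>',
    "samba": '<service><short>Samba</short><port protocol="udp" port="137"/>'
             '<port protocol="udp" port="138"/><port protocol="tcp" port="139"/>'
             '<port protocol="tcp" port="445"/></service>',
}

# Single ports an AD DC listens on, from the thread and the Samba wiki page it
# links (udp 389 is CLDAP, 3268/3269 the Global Catalog). The dynamic RPC
# port range is a range, not a single port, so it is handled separately.
REQUIRED = {
    ("tcp", "53"), ("udp", "53"), ("tcp", "88"), ("udp", "88"), ("tcp", "135"),
    ("udp", "137"), ("udp", "138"), ("tcp", "139"), ("tcp", "389"), ("udp", "389"),
    ("tcp", "445"), ("tcp", "464"), ("udp", "464"), ("tcp", "636"),
    ("tcp", "3268"), ("tcp", "3269"),
}


def parse_service(xml_text):
    """Return the set of (protocol, port) pairs a firewalld service definition opens."""
    root = ET.fromstring(xml_text)
    return {(p.get("protocol"), p.get("port")) for p in root.findall("port")}


def coverage(required, service_names, definitions=SERVICE_XML):
    """Split the required ports into those the named services open and the rest."""
    opened = set()
    for name in service_names:
        opened |= parse_service(definitions[name])
    return required & opened, required - opened


def custom_service_xml(short, ports):
    """Build a firewalld service file for the ports no stock service covers."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    for proto, port in sorted(ports, key=lambda pp: (int(pp[1]), pp[0])):
        ET.SubElement(svc, "port", protocol=proto, port=port)
    return ET.tostring(svc, encoding="unicode")


if __name__ == "__main__":
    _, missing = coverage(REQUIRED, ["samba", "kerberos", "kpasswd", "dns", "ldap", "ldaps"])
    print("not covered by stock services:", sorted(missing))
    print(custom_service_xml("samba-ad-dc-extra", missing))  # hypothetical service name
```

A file produced this way belongs in /etc/firewalld/services/ and is enabled with `firewall-cmd --permanent --add-service=samba-ad-dc-extra` followed by `firewall-cmd --reload`.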