Oh, this really helps. See below, though.

On 08/27/2015 09:33 AM, Rowland Penny wrote:
> On 27/08/15 14:25, Robert Moskowitz wrote:
>> Progress...
>>
>> On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
>>> After reading this thread.. and ..seeing the comments..
>>>
>>> I googled a bit around. and yes.. more than 5 sec.. ;-)
>>>
>>> I wonder why almost every "centos/redhat/rpm based" howto removes
>>> firewalld with the base iptables service
>>> now, I'm not "pro" systemd or con systemd, I use it but I set my
>>> firewall with ufw,
>>> which is much more flexible in my opinion.
>>> I just don't care about how it starts.. as long as it works..
>>>
>>> so I found this one..
>>> http://www.certdepot.net/rhel7-get-started-firewalld/
>>> looks very nice, it explains all.
>>> based on that, howto create a "samba4-ad" service with multiple ports
>>> in it.
>>> or better, split it up into..
>>> samba4-kerberos
>>> samba4-smbd
>>> samba4-nmbd
>>> etc..
>>
>> I have looked at the actual /usr/lib/firewalld/services xml files and
>> find that I should use:
>>
>> samba kerberos kpasswd dns ldap ldaps
>>
>> And need to create services for tcp ports 135 (rpc) and 3268 (MS
>> Global Catalog), or just do those as ports.
>>
>> Still to be worked out are:
>>
>> what about ldap and ldaps over udp? And do I need a rule for port 1024?
>>
>> thanks
>>
>>> The only thing I can't see there in the "HAProxy example" is you can
>>> add multiple "port / protocols" in there.
>>> that's up to you.
>>>
>>> but I think you will manage that.
>>>
>>> .. side note..
>>> Firewalling is not really a samba topic.. but we are all (yes
>>> Rowland too) happy to help you..
>>> ;-) Rowland is just not a "fan" of systemd.. ROFL...
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Bair
>>>> Sent: Thursday, 27 August 2015 14:01
>>>> To: Robert Moskowitz
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba AD firewalld services
>>>>
>>>> The services and their port numbers and protocols are defined in
>>>> /etc/services. You should be able to use that file to map from
>>>> port numbers to services if you want to use the service names instead.
>>>> This is not something new with firewalld, iptables has had this option
>>>> forever as well.
>>>>
>>>> On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz
>>>> <rgm at htt-consult.com> wrote:
>>>>
>>>>> Now with firewalld, opening up ports is now 'better' done by opening
>>>>> services. So what do I need, for starters it seems:
>>>>>
>>>>> dns, dhcp, dhcpv6, samba, kerberos
>>>>>
>>>>> Here is the list of services:
>>>>>
>>>>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6
>>>>> dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client
>>>>> ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt
>>>>> mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql
>>>>> proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp
>>>>> tftp-client transmission-client vnc-server wbem-https
>>>>>
>>>>> I will only be running one AD, but a number of file servers (which in
>>>>> Samba4 are really DCs without some services?).
>>>>>
>>>>> thanks
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>
> Ah, this might help:
> https://wiki.samba.org/index.php/Samba_AD_DC_port_usage

There it is! Shows my weak search foo. Answers the udp ldap/s question. A couple of new questions though.

mDNS? Even if you are running DHCP which provides the Nameserver address? And again, the firewalld mdns service only specifies udp; no tcp.

And what to do for ports 1024-5000? Open one? Open a few?

> Didn't know it was there (probably because it wasn't, three days ago
> :-D )

I suspect it was there, only edited 3 days ago.
On 27/08/15 14:49, Robert Moskowitz wrote:
> Oh, this really helps. See below, though.
>
> On 08/27/2015 09:33 AM, Rowland Penny wrote:
>> On 27/08/15 14:25, Robert Moskowitz wrote:
>>> I have looked at the actual /usr/lib/firewalld/services xml files
>>> and find that I should use:
>>>
>>> samba kerberos kpasswd dns ldap ldaps
>>>
>>> And need to create services for tcp ports 135 (rpc) and 3268 (MS
>>> Global Catalog), or just do those as ports.
>>>
>>> Still to be worked out are:
>>>
>>> what about ldap and ldaps over udp? And do I need a rule for port
>>> 1024?
>>>
>>> thanks
>>
>> Ah, this might help:
>> https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
>
> There it is! Shows my weak search foo. Answers the udp ldap/s
> question. A couple of new questions though.
>
> mDNS? Even if you are running DHCP which provides the Nameserver
> address? And again, the firewalld mdns service only specifies udp; no
> tcp.

mDNS is also known as Avahi; it is really an Apple thing ported to Linux. Amongst other things, it is the reason not to use the .local TLD.

> And what to do for ports 1024-5000? Open one? Open a few?

Nope, you need them all open.

>> Didn't know it was there (probably because it wasn't, three days ago
>> :-D )
>
> I suspect it was there, only edited 3 days ago.

Nope, it was written on the 25th Aug 2015 by Marc Muehlfeld.

There is also another new page: https://wiki.samba.org/index.php/Samba_Member_Server_port_usage

Rowland
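Louis's idea of one combined "samba4-ad" firewalld service, Robert's list of services and extra ports, and Rowland's answer that the whole 1024-5000 range has to be open, put together as an added example that is not code from the thread or from the Samba project. The service name "samba-ad-dc", the install helper and the port-to-service mapping (taken from the standard port numbers of those services) are assumptions made here.

```shell
#!/bin/sh
# Added example, not the Samba project's own: one firewalld service for a Samba
# AD DC built from the services named in this thread (dns, kerberos, kpasswd,
# ldap, ldaps, samba) plus TCP 135, TCP 3268 and the 1024-5000 dynamic RPC
# range. The service name "samba-ad-dc" is a hypothetical choice.
SERVICE_NAME="samba-ad-dc"
SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"
# Print the service definition in firewalld's service XML format.
samba_ad_service_xml() {
cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba AD DC</short>
  <description>Ports a Samba Active Directory domain controller listens on</description>
  <port protocol="tcp" port="53"/>         <!-- dns -->
  <port protocol="udp" port="53"/>
  <port protocol="tcp" port="88"/>         <!-- kerberos -->
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="135"/>        <!-- RPC end point mapper -->
  <port protocol="udp" port="137"/>        <!-- samba: NetBIOS name service -->
  <port protocol="udp" port="138"/>        <!-- samba: NetBIOS datagram -->
  <port protocol="tcp" port="139"/>        <!-- samba: NetBIOS session -->
  <port protocol="tcp" port="389"/>        <!-- ldap -->
  <port protocol="udp" port="389"/>        <!-- ldap over UDP (CLDAP); ldaps is TCP only -->
  <port protocol="tcp" port="445"/>        <!-- samba: SMB -->
  <port protocol="tcp" port="464"/>        <!-- kpasswd -->
  <port protocol="udp" port="464"/>
  <port protocol="tcp" port="636"/>        <!-- ldaps -->
  <port protocol="tcp" port="3268"/>       <!-- MS Global Catalog -->
  <port protocol="tcp" port="1024-5000"/>  <!-- dynamic RPC: the whole range -->
</service>
EOF
}

# Write the definition into a firewalld services directory; /etc/firewalld/services
# takes precedence over the packaged files in /usr/lib/firewalld/services.
install_samba_ad_service() {
  dir="${1:-$SERVICE_DIR}"
  mkdir -p "$dir"
  samba_ad_service_xml > "$dir/$SERVICE_NAME.xml"
  printf '%s\n' "$dir/$SERVICE_NAME.xml"
}

# Load the new service and add it to the default zone permanently (run as root).
activate_samba_ad_service() {
  firewall-cmd --reload
  firewall-cmd --permanent --add-service="$SERVICE_NAME"
  firewall-cmd --reload
}
```

Run install_samba_ad_service and then activate_samba_ad_service as root; the firewalld mdns service (UDP 5353 only) is deliberately left out and is only needed if Bonjour/Avahi discovery is wanted.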
On 27.08.2015 at 15:49, Robert Moskowitz wrote:
> mDNS? Even if you are running DHCP which provides the Nameserver
> address?

Different worlds: a DNS needs to be asked; mDNS "Bonjour provides a general method to discover services on a local area network", meaning your fileserver automatically appears in the Apple Finder to click and connect.

https://en.wikipedia.org/wiki/Bonjour_%28software%29
On 08/27/2015 09:55 AM, Reindl Harald wrote:
> On 27.08.2015 at 15:49, Robert Moskowitz wrote:
>> mDNS? Even if you are running DHCP which provides the Nameserver
>> address?
>
> Different worlds: a DNS needs to be asked; mDNS "Bonjour provides a
> general method to discover services on a local area network", meaning
> your fileserver automatically appears in the Apple Finder to click and
> connect.
>
> https://en.wikipedia.org/wiki/Bonjour_%28software%29

All too familiar with Bonjour. Know the gang that invented it. Sigh. So as long as there are no Apple computers on my network, I SHOULD be ok without it :) Maybe it is a GOOD thing to block! (I have been anti-Apple since the Lisa marketing campaign!)

Though my question was more tcp also? Than mDNS yes/no.

take care and thanks