Hi,

If you use that for the AD, then it's incomplete, imo.
You're missing the LDAPS (636) and GC (SSL) (3268/3269) ports and maybe NTP (123/tcp) if installed.
Maybe you don't need them, just an observation.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Jeff Sadowski via samba
> Sent: Tuesday, 13 February 2018 16:05
> To: Marc Muehlfeld
> CC: Ing. Luis Felipe Domíngu.
> Subject: Re: [Samba] firewalld services to open for an ADDC
>
> On Mon, Feb 12, 2018 at 11:50 PM, Marc Muehlfeld <mmuehlfeld@samba.org> wrote:
> > Hi Jeff,
> >
> > On 13.02.2018 at 05:16, Jeff Sadowski via samba wrote:
> >> So my question is what services or ports am I missing to open?
> >
> > AD DCs:
> > https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>
> Perfect, exactly what I was looking for.
> I found some docs about firewalld saying that the service files are kept in
> /usr/lib/firewalld/services, so I did:
>
> [root@dc1 ~]# grep -e 139 -e 88 -e 445 /usr/lib/firewalld/services/*.xml
> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port protocol="tcp" port="88"/>
> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port protocol="udp" port="88"/>
> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port protocol="tcp" port="88"/>
> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port protocol="udp" port="88"/>
> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="138-139"/>
> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="138-139"/>
> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="445"/>
> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="445"/>
> /usr/lib/firewalld/services/kerberos.xml:  <port protocol="tcp" port="88"/>
> /usr/lib/firewalld/services/kerberos.xml:  <port protocol="udp" port="88"/>
> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="139"/>
> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="445"/>
>
> so by adding
>
> firewall-cmd --add-service=dns --permanent
> firewall-cmd --add-service=samba --permanent
> firewall-cmd --add-service=kerberos --permanent
> firewall-cmd --reload
>
> I should have all the ports I need.
> Thank you.
>
> > Domain members:
> > https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
> >
> > Regards,
> > Marc
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Tue, Feb 13, 2018 at 8:30 AM, L.P.H. van Belle via samba <samba@lists.samba.org> wrote:
> Hi,
>
> If you use that for the AD, then it's incomplete, imo.
> You're missing the LDAPS (636) and GC (SSL) (3268/3269) ports and maybe NTP (123/tcp) if installed.
> Maybe you don't need them, just an observation.
>

Oh, I see, I need to look at the ports in the chart, not just the ones listed in the example.

I'll add to my list.

> Greetz,
>
> Louis
Hi,

Not complete yet, but functional, tested on Debian Stretch.

This is roughly what I use to set up every server.

https://raw.githubusercontent.com/thctlo/debian-scripts/master/setup-ufw.sh

Sets up ufw in restrictive mode.
Autodetects the AD DCs.
Autodetects your mail server if an MX is in the DNS.
Enables/disables IPv6.
Enables outgoing ping.
Restricts logging to ufw.

More to come, but it's a work in progress; it depends on which server I'm working on. ;-)

I'll have a look at the systemd firewall as well, looks interesting.

Greetz,

Louis

> -----Original message-----
> From: Jeff Sadowski [mailto:jeff.sadowski@gmail.com]
> Sent: Tuesday, 13 February 2018 16:46
> To: L.P.H. van Belle
> CC: samba@lists.samba.org
> Subject: Re: [Samba] firewalld services to open for an ADDC
>
> On Tue, Feb 13, 2018 at 8:30 AM, L.P.H. van Belle via samba <samba@lists.samba.org> wrote:
> > Hi,
> >
> > If you use that for the AD, then it's incomplete, imo.
> > You're missing the LDAPS (636) and GC (SSL) (3268/3269) ports and maybe NTP (123/tcp) if installed.
> > Maybe you don't need them, just an observation.
> >
>
> Oh, I see, I need to look at the ports in the chart, not just the ones listed in the example.
>
> I'll add to my list.
On Tue, Feb 13, 2018 at 8:46 AM, Jeff Sadowski <jeff.sadowski@gmail.com> wrote:
> On Tue, Feb 13, 2018 at 8:30 AM, L.P.H. van Belle via samba <samba@lists.samba.org> wrote:
>> Hi,
>>
>> If you use that for the AD, then it's incomplete, imo.
>> You're missing the LDAPS (636) and GC (SSL) (3268/3269) ports and maybe NTP (123/tcp) if installed.
>> Maybe you don't need them, just an observation.
>>
>
> Oh, I see, I need to look at the ports in the chart, not just the ones listed in the example.
>
> I'll add to my list.
>

So I went back and found:

[root@dc1 ~]# grep -e 53 -e 88 -e 135 -e 137 -e 138 -e 139 -e 389 -e 445 -e 464 -e 636 -e 49152 -e 65535 -e 3268 -e 3269 /usr/lib/firewalld/services/*.xml | sed "s/.*services\///"
cfengine.xml:  <port protocol="tcp" port="5308"/>
dns.xml:  <port protocol="tcp" port="53"/>
dns.xml:  <port protocol="udp" port="53"/>
freeipa-ldaps.xml:  <port protocol="tcp" port="88"/>
freeipa-ldaps.xml:  <port protocol="udp" port="88"/>
freeipa-ldaps.xml:  <port protocol="tcp" port="464"/>
freeipa-ldaps.xml:  <port protocol="udp" port="464"/>
freeipa-ldaps.xml:  <port protocol="tcp" port="636"/>
freeipa-ldap.xml:  <port protocol="tcp" port="88"/>
freeipa-ldap.xml:  <port protocol="udp" port="88"/>
freeipa-ldap.xml:  <port protocol="tcp" port="464"/>
freeipa-ldap.xml:  <port protocol="udp" port="464"/>
freeipa-ldap.xml:  <port protocol="tcp" port="389"/>
freeipa-replication.xml:  <port protocol="tcp" port="7389"/>
freeipa-trust.xml:  <port protocol="tcp" port="135"/>
freeipa-trust.xml:  <port protocol="tcp" port="138-139"/>
freeipa-trust.xml:  <port protocol="udp" port="138-139"/>
freeipa-trust.xml:  <port protocol="tcp" port="389"/>
freeipa-trust.xml:  <port protocol="udp" port="389"/>
freeipa-trust.xml:  <port protocol="tcp" port="445"/>
freeipa-trust.xml:  <port protocol="udp" port="445"/>
freeipa-trust.xml:  <port protocol="tcp" port="3268"/>
kerberos.xml:  <port protocol="tcp" port="88"/>
kerberos.xml:  <port protocol="udp" port="88"/>
kpasswd.xml:  <port protocol="tcp" port="464"/>
kpasswd.xml:  <port protocol="udp" port="464"/>
ldaps.xml:  <port protocol="tcp" port="636"/>
ldap.xml:  <port protocol="tcp" port="389"/>
mdns.xml:  <port protocol="udp" port="5353"/>
ms-wbt.xml:  <port protocol="tcp" port="3389"/>
samba-client.xml:  <port protocol="udp" port="137"/>
samba-client.xml:  <port protocol="udp" port="138"/>
samba.xml:  <port protocol="udp" port="137"/>
samba.xml:  <port protocol="udp" port="138"/>
samba.xml:  <port protocol="tcp" port="139"/>
samba.xml:  <port protocol="tcp" port="445"/>
vdsm.xml:  <port protocol="tcp" port="49152-49216"/> <!-- migration -->

which gives me a few more. I now have:

firewall-cmd --add-service=dns --permanent
firewall-cmd --add-service=samba --permanent
firewall-cmd --add-service=kerberos --permanent
firewall-cmd --add-service=ldap --permanent
firewall-cmd --add-service=ldaps --permanent
firewall-cmd --add-service=kpasswd --permanent
firewall-cmd --add-service=ms-wbt --permanent
firewall-cmd --add-service=freeipa-trust --permanent
firewall-cmd --reload

Do I need "Dynamic RPC Ports" and "Global Catalog SSL"?
It's odd that vdsm covers some of the Dynamic RPC Ports.

>> Greetz,
>>
>> Louis
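The substring grep above is what drags in cfengine (5308 contains 53), freeipa-replication (7389 contains 389), ms-wbt (3389 contains 389) and mdns (5353 contains 53), and it cannot tell which required ports a chosen set of services still leaves closed or what else those services open. The following is an added example, not code from the thread, from Samba or from firewalld: it parses firewalld service XML, compares whole port numbers and ranges against the AD DC port table Jeff grepped for, reports the gaps and the surplus, and writes a custom service for the gaps. The entries in SAMPLE_SERVICES are constructed, trimmed copies of the files visible in the grep output (the real files carry more); load_service_dir() reads the real directory on a DC. The service name samba-ad-dc-extra is an assumption.

```python
"""Added example (not from the thread): match firewalld service XML against the Samba AD DC port table by whole ports, not substrings."""
import pathlib
import xml.etree.ElementTree as ET

AD_DC_PORTS = [  # (protocol, low, high) entries from the Samba AD DC port table the thread grepped for
    ("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88), ("udp", 88, 88),          # DNS, Kerberos
    ("tcp", 135, 135), ("udp", 137, 137), ("udp", 138, 138), ("tcp", 139, 139),  # EPM, NetBIOS
    ("tcp", 389, 389), ("udp", 389, 389), ("tcp", 445, 445),                     # LDAP/CLDAP, SMB
    ("tcp", 464, 464), ("udp", 464, 464), ("tcp", 636, 636),                     # kpasswd, LDAPS
    ("tcp", 3268, 3268), ("tcp", 3269, 3269), ("tcp", 49152, 65535),             # GC, GC SSL, RPC
]

def _svc(*ports):
    """Minimal service XML from (protocol, "port" or "lo-hi") pairs; used for the sample only."""
    return "<service>" + "".join(f'<port protocol="{p}" port="{n}"/>' for p, n in ports) + "</service>"

# Constructed sample: trimmed copies of the service files seen in the thread's grep output.
SAMPLE_SERVICES = {
    "dns": _svc(("tcp", "53"), ("udp", "53")),
    "kerberos": _svc(("tcp", "88"), ("udp", "88")),
    "kpasswd": _svc(("tcp", "464"), ("udp", "464")),
    "ldap": _svc(("tcp", "389")),
    "ldaps": _svc(("tcp", "636")),
    "samba": _svc(("udp", "137"), ("udp", "138"), ("tcp", "139"), ("tcp", "445")),
    "ms-wbt": _svc(("tcp", "3389")),          # RDP; a substring hit for "389" in the grep
    "freeipa-trust": _svc(("tcp", "135"), ("tcp", "138-139"), ("udp", "138-139"), ("tcp", "389"),
                          ("udp", "389"), ("tcp", "445"), ("udp", "445"), ("tcp", "3268")),
    "vdsm": _svc(("tcp", "49152-49216")),     # only a slice of the dynamic RPC range
    "mdns": _svc(("udp", "5353")),            # a substring hit for "53"
}

def parse_service(xml_text):
    """Return the (protocol, low, high) ranges a firewalld service XML opens."""
    ranges = []
    for port in ET.fromstring(xml_text).iter("port"):
        lo, _, hi = port.get("port").partition("-")
        ranges.append((port.get("protocol"), int(lo), int(hi or lo)))
    return ranges

def load_service_dir(path="/usr/lib/firewalld/services"):
    """Read the real service files on a host; same shape as SAMPLE_SERVICES."""
    return {p.stem: p.read_text() for p in pathlib.Path(path).glob("*.xml")}

def _merge(ranges):
    """Sort inclusive ranges and join overlapping or adjacent ones."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    return merged

def _subtract(ranges, cutters):
    """Parts of `ranges` not covered by any cutter, merged and sorted."""
    pieces = list(ranges)
    for clo, chi in cutters:
        nxt = []
        for lo, hi in pieces:
            if chi < lo or clo > hi:       # no overlap: keep the piece whole
                nxt.append((lo, hi))
            else:                          # keep whatever sticks out on either side
                nxt += [(a, b) for a, b in ((lo, clo - 1), (chi + 1, hi)) if a <= b]
        pieces = nxt
    return _merge(pieces)

def audit(services, chosen, required=AD_DC_PORTS):
    """Per protocol: required ranges the chosen services leave closed, and opened ranges not required."""
    opened = [r for name in chosen for r in parse_service(services[name])]
    report = {}
    for proto in ("tcp", "udp"):
        req = [(lo, hi) for p, lo, hi in required if p == proto]
        opn = [(lo, hi) for p, lo, hi in opened if p == proto]
        report[proto] = {"missing": _subtract(req, opn), "extra": _subtract(opn, req)}
    return report

def custom_service_xml(short, report):
    """firewalld service definition opening exactly the ranges `audit` reported missing."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>', "<service>", f"  <short>{short}</short>"]
    for proto in ("tcp", "udp"):
        for lo, hi in report[proto]["missing"]:
            port = str(lo) if lo == hi else f"{lo}-{hi}"
            lines.append(f'  <port protocol="{proto}" port="{port}"/>')
    lines.append("</service>")
    return "\n".join(lines)

def firewall_cmds(chosen, custom=None):
    """firewall-cmd lines for the chosen services, plus loading an optional custom service file."""
    cmds = []
    if custom:
        cmds.append(f"firewall-cmd --permanent --new-service-from-file={custom}.xml --name={custom}")
        chosen = list(chosen) + [custom]
    cmds += [f"firewall-cmd --permanent --add-service={name}" for name in chosen]
    return cmds + ["firewall-cmd --reload"]

if __name__ == "__main__":
    clean = ["dns", "samba", "kerberos", "ldap", "ldaps", "kpasswd"]   # standard services only
    print(custom_service_xml("samba-ad-dc-extra", audit(SAMPLE_SERVICES, clean)))
    print("\n".join(firewall_cmds(clean, "samba-ad-dc-extra")))
```

Run against the eight services in the list above, audit() reports 3269/tcp and 49152-65535/tcp as the only table entries still closed, which are exactly the two items asked about, and reports 138/tcp, 3389/tcp, 139/udp and 445/udp as opened without being in the table; 3389 is RDP and is there only because ms-wbt matched the string 389. The six standard services plus the generated samba-ad-dc-extra service (135/tcp, 389/udp, 3268-3269/tcp, 49152-65535/tcp) open the table and nothing else. If the DC's dynamic RPC range has been narrowed with the smb.conf option rpc server dynamic port range, change the 49152-65535 entry to match so the firewall opens no more than Samba listens on.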
You have some doubles.

> freeipa-ldaps.xml:  <port protocol="tcp" port="464"/>
> freeipa-ldaps.xml:  <port protocol="udp" port="464"/>

> freeipa-ldap.xml:  <port protocol="tcp" port="464"/>
> freeipa-ldap.xml:  <port protocol="udp" port="464"/>

The correct one:

> kpasswd.xml:  <port protocol="tcp" port="464"/>
> kpasswd.xml:  <port protocol="udp" port="464"/>
There ought to be a better way to do it than that.

On Tue, Feb 13, 2018 at 9:07 AM, L.P.H. van Belle via samba <samba@lists.samba.org> wrote:
> Hi,
>
> Not complete yet, but functional, tested on Debian Stretch.
>
> This is roughly what I use to set up every server.
>
> https://raw.githubusercontent.com/thctlo/debian-scripts/master/setup-ufw.sh
>
> Sets up ufw in restrictive mode.
> Autodetects the AD DCs.
> Autodetects your mail server if an MX is in the DNS.
> Enables/disables IPv6.
> Enables outgoing ping.
> Restricts logging to ufw.
>
> More to come, but it's a work in progress; it depends on which server I'm working on. ;-)
>
> I'll have a look at the systemd firewall as well, looks interesting.
>
> Greetz,
>
> Louis