Rowland, Did some editing in smb.conf that I had to reverse. Now I'm back to being able to connect with the firewall disabled. When I enable the firewall I get as far as windows network -> workgroup but no connection. I have only the rules you recommended in your last email. Louis, The information you requested is below: martin at radio:~$ dpkg -l|egrep "iptables|ufw" ii gufw 18.04.0-0ubuntu1 all graphical user interface for ufw ii iptables 1.6.1-2ubuntu2 amd64 administration tools for packet filtering and NAT ii ufw 0.35-5 all program for managing a Netfilter firewall martin at radio:~$ There are three profiles in my ufw Home, Office and public. THe rules are the same in each profile. martin at radio:~$ sudo iptables --list-rules [sudo] password for martin: Sorry, try again. [sudo] password for martin: -P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT -N ufw-after-forward -N ufw-after-input -N ufw-after-logging-forward -N ufw-after-logging-input -N ufw-after-logging-output -N ufw-after-output -N ufw-before-forward -N ufw-before-input -N ufw-before-logging-forward -N ufw-before-logging-input -N ufw-before-logging-output -N ufw-before-output -N ufw-logging-allow -N ufw-logging-deny -N ufw-not-local -N ufw-reject-forward -N ufw-reject-input -N ufw-reject-output -N ufw-skip-to-policy-forward -N ufw-skip-to-policy-input -N ufw-skip-to-policy-output -N ufw-track-forward -N ufw-track-input -N ufw-track-output -N ufw-user-forward -N ufw-user-input -N ufw-user-limit -N ufw-user-limit-accept -N ufw-user-logging-forward -N ufw-user-logging-input -N ufw-user-logging-output -N ufw-user-output -A INPUT -j ufw-before-logging-input -A INPUT -j ufw-before-input -A INPUT -j ufw-after-input -A INPUT -j ufw-after-logging-input -A INPUT -j ufw-reject-input -A INPUT -j ufw-track-input -A FORWARD -j ufw-before-logging-forward -A FORWARD -j ufw-before-forward -A FORWARD -j ufw-after-forward -A FORWARD -j ufw-after-logging-forward -A FORWARD -j ufw-reject-forward -A FORWARD -j ufw-track-forward -A OUTPUT -j ufw-before-logging-output -A OUTPUT -j ufw-before-output -A OUTPUT -j ufw-after-output -A OUTPUT -j ufw-after-logging-output -A OUTPUT -j ufw-reject-output -A OUTPUT -j ufw-track-output -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT -A ufw-before-forward -j ufw-user-forward -A ufw-before-input -i lo -j ACCEPT -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny -A ufw-before-input -m conntrack --ctstate INVALID -j DROP -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A ufw-before-input -j ufw-not-local -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT -A ufw-before-input -j ufw-user-input -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " -A ufw-before-output -o lo -j ACCEPT -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A ufw-before-output -j ufw-user-output -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] " -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny -A ufw-not-local -j DROP -A ufw-skip-to-policy-forward -j DROP -A ufw-skip-to-policy-input -j DROP -A ufw-skip-to-policy-output -j ACCEPT -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT -A ufw-user-input -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT -A ufw-user-input -s 192.168.0.0/24 -p udp -m udp --dport 138 -j ACCEPT -A ufw-user-input -s 192.168.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT -A ufw-user-input -s 192.168.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] " -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable -A ufw-user-limit-accept -j ACCEPT martin at radio:~$ Marty
On Wed, 6 Feb 2019 16:05:40 -0500 Martin McGlensey via samba <samba at lists.samba.org> wrote:> Rowland, > > Did some editing in smb.conf that I had to reverse. Now I'm back to > being able to connect with the firewall disabled. When I enable the > firewall I get as far as windows network -> workgroup but no > connection. I have only the rules you recommended in your last email. >Running 'diff' against your rules and mine produces this: diff yours mine 63d62 yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " 85,87d83 yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " 92c88 yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] " --- mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN 108,109c106,107 yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT --- mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT You have a few lines I don't have, I have a line that you do not have, but it is very similar to one of yours and I am allow access to Samba from anywhere, but you are limiting it to '192.168.x.x' Rowland
Rowland, OK. Should I delete these lines? diff yours mine 63d62 yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " 85,87d83 yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " 92c88 ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- ------------------------------------------- Edit these lines to be the same as yours yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] " mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN 108,109c106,107 yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT You have a few lines I don't have, I have a line that you do not have, but it is very similar to one of yours and I am allow access to Samba from anywhere, but you are limiting it to '192.168.x.x' Are the numbers between the lines part of the line above? How do I make the changes? Thanks for your patience. We will resolve this issue yet. Regards, Marty -----Original Message----- From: Rowland Penny <rpenny at samba.org> Sent: Thursday, February 7, 2019 3:38 AM To: samba at lists.samba.org Subject: Re: [Samba] Samba and ufw On Wed, 6 Feb 2019 16:05:40 -0500 Martin McGlensey via samba <samba at lists.samba.org> wrote:> Rowland, > > Did some editing in smb.conf that I had to reverse. Now I'm back to > being able to connect with the firewall disabled. When I enable the > firewall I get as far as windows network -> workgroup but no > connection. I have only the rules you recommended in your last email. >Running 'diff' against your rules and mine produces this: diff yours mine 63d62 yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " 85,87d83 yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " 92c88 yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] " --- mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN 108,109c106,107 yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT --- mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT You have a few lines I don't have, I have a line that you do not have, but it is very similar to one of yours and I am allow access to Samba from anywhere, but you are limiting it to '192.168.x.x' Rowland