Rowland,

OK. Should I delete these lines?

diff yours mine
63d62
yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
85,87d83
yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
92c88
----------------------------------------------------------------------------
----------------------------------------------------------------------------
-------------------------------------------

Edit these lines to be the same as yours

yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
108,109c106,107
yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
mine# -A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT

You have a few lines I don't have, I have a line that you do not have, but it is very similar to one of yours and I am allowing access to Samba from anywhere, but you are limiting it to '192.168.x.x'

Are the numbers between the lines part of the line above? How do I make the changes?

Thanks for your patience. We will resolve this issue yet.

Regards,
Marty

-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: Thursday, February 7, 2019 3:38 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba and ufw

On Wed, 6 Feb 2019 16:05:40 -0500
Martin McGlensey via samba <samba at lists.samba.org> wrote:

> Rowland,
>
> Did some editing in smb.conf that I had to reverse. Now I'm back to
> being able to connect with the firewall disabled. When I enable the
> firewall I get as far as windows network -> workgroup but no
> connection. I have only the rules you recommended in your last email.
>

Running 'diff' against your rules and mine produces this:

diff yours mine
63d62
yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
85,87d83
yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
92c88
yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
---
mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
108,109c106,107
yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
---
mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
mine# -A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT

You have a few lines I don't have, I have a line that you do not have, but it is very similar to one of yours and I am allowing access to Samba from anywhere, but you are limiting it to '192.168.x.x'

Rowland
On Thu, 7 Feb 2019 09:31:41 -0500
<mmcg29440 at frontier.com> wrote:

> Rowland,
>
> OK. Should I delete these lines?
>
> diff yours mine
> 63d62
> yours# -A ufw-after-logging-output -m limit --limit 3/min
> --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
> 85,87d83
> yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m
> limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT]
> " yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m
> limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT]
> " yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m
> limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT]
> " 92c88
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
> -------------------------------------------
>
> Edit these lines to be the same as yours
>
> yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit
> --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT
> INVALID] " mine# -A ufw-logging-deny -m conntrack --ctstate INVALID
> -m limit --limit 3/min --limit-burst 10 -j RETURN
> 108,109c106,107
> yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport
> --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport
> --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m
> comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input
> -p tcp -m multiport --dports 139,445 -m comment --comment
> "\'dapp_Samba\'" -j ACCEPT
>
>
> You have a few lines I don't have, I have a line that you do not
> have, but it is very similar to one of yours and I am allowing access to
> Samba from anywhere, but you are limiting it to '192.168.x.x'
>
> Are the numbers between the lines part of the line above? How do I
> make the changes?

You have '-s 192.168.0.0/16', I don't; it means you are only allowing
connections from 192.168.0.0 to 192.168.255.255, I am allowing them from
anywhere.

I am by no means a firewall expert, I just know what works for me. This
isn't really a Samba problem, it works without the firewall, you really
need to find a firewall expert, perhaps trying on the Ubuntu mailing
list might be an idea.

> Thanks for your patience. We will resolve this issue yet.
>

I do hope you fix this, but I don't think I can help further with this,
perhaps Louis has some further thoughts.

Rowland
Yes,

Try this (copy-pasteable):

ufw disable
ufw reset
ufw limit 22/tcp
ufw allow in proto tcp from any port 389,1024:65535 to any port 1024:65535
ufw allow 139,445/tcp
ufw allow 137,138/udp
ufw --force enable

Sorry for the late reply, but I'm a bit busy with some servers here.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday, 7 February 2019 15:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and ufw
>
> On Thu, 7 Feb 2019 09:31:41 -0500
> <mmcg29440 at frontier.com> wrote:
>
> > Rowland,
> >
> > OK. Should I delete these lines?
> >
> > diff yours mine
> > 63d62
> > yours# -A ufw-after-logging-output -m limit --limit 3/min
> > --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
> > 85,87d83
> > yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m
> > limit --limit 3/min --limit-burst 10 -j LOG --log-prefix
> "[UFW AUDIT]
> > " yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m
> > limit --limit 3/min --limit-burst 10 -j LOG --log-prefix
> "[UFW AUDIT]
> > " yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m
> > limit --limit 3/min --limit-burst 10 -j LOG --log-prefix
> "[UFW AUDIT]
> > " 92c88
> >
> --------------------------------------------------------------
> --------------
> >
> --------------------------------------------------------------
> --------------
> > -------------------------------------------
> >
> > Edit these lines to be the same as yours
> >
> > yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit
> > --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT
> > INVALID] " mine# -A ufw-logging-deny -m conntrack --ctstate INVALID
> > -m limit --limit 3/min --limit-burst 10 -j RETURN
> > 108,109c106,107
> > yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport
> > --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> > yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport
> > --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> > mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m
> > comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input
> > -p tcp -m multiport --dports 139,445 -m comment --comment
> > "\'dapp_Samba\'" -j ACCEPT
> >
> >
> > You have a few lines I don't have, I have a line that you do not
> > have, but it is very similar to one of yours and I am allowing
> access to
> > Samba from anywhere, but you are limiting it to '192.168.x.x'
> >
> > Are the numbers between the lines part of the line above? How do I
> > make the changes?
>
> You have '-s 192.168.0.0/16', I don't; it means you are only allowing
> connections from 192.168.0.0 to 192.168.255.255, I am
> allowing them from
> anywhere.
>
> I am by no means a firewall expert, I just know what works
> for me. This
> isn't really a Samba problem, it works without the firewall,
> you really
> need to find a firewall expert, perhaps trying on the Ubuntu mailing
> list might be an idea.
>
> > Thanks for your patience. We will resolve this issue yet.
> >
>
> I do hope you fix this, but I don't think I can help further
> with this,
> perhaps Louis has some further thoughts.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Hi,

A more complete mail, but Marty, please run the commands first (see: ** below).
Then we can determine what exactly is going on. This must be done first to make sure no old rules are causing the problem; that's why the reset.

I removed the IP ranges in that mail because we don't know your LAN range, so change the IP numbers to your LAN range if needed/where needed.
When these below work, then we can restrict it more.

** Test with these.
ufw disable
ufw reset
ufw limit 22/tcp
ufw allow in proto tcp from any port 389,1024:1300,49152:65535 to any port 1024:1300,49152:65535
ufw allow 139,445/tcp
ufw allow 137,138/udp
ufw --force enable
**

For example:
# allow a DC connection
# ufw allow in proto tcp from IP_DC port 389,1024:1300,49152:65535 to IP_MEMBER port 1024:1300,49152:65535
# in on interface from ...
ufw allow in on eno1 proto tcp from any port 389,1024:1300,49152:65535 to any port 1024:1300,49152:65535

I deny all in/out/routed traffic; if you allow outgoing (type: ufw allow outgoing, that's the default), then only the IN lines are sufficient of course.

Setting: ufw logging high or medium shows a lot more in the logs, syslog and/or /var/log/ufw.log if enabled in /etc/rsyslog.d/20-ufw.conf
I've enabled: & stop
because I prefer my firewall logs in only /var/log/ufw.log
If you are testing, Marty, set ufw logging medium

## These are my latest tested and working/production rules.
## Setup is: define the AD-DC servers' IPs and allow all IPs on the member servers.
I've done that so the IP numbers of the members running this are changeable, without the need of changing the firewall.
Something for you to play with. ;-) and the order here DOES matter a lot.
IPs: 192.168.0.1 and 192.168.0.2 are my example IP numbers of the DCs.

Example.
ufw allow 137,138
ufw allow 137,138/udp
ufw allow in on INTERFACE proto PROTOCOL from (any = 0.0.0.0/0) to (any 0.0.0.0/0) port PORTNR

If you trust your LAN, fine; it's just that I don't trust anything, and best is to ignore that I'm doing that for now. ;-)

# Allow everything from your LAN to your server.
ufw allow in from LAN_RANGE/24

Or with multiple interfaces
# Allow on INTERFACE everything from your LAN to your server
ufw allow in on INTERFACE from LAN_RANGE/24

# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
# IN From Samba AD-DC (2 DCs setup) to member (allows samba before 4.7)
ufw allow in proto tcp from 192.168.0.1 port 389,1024:1300 to any port 1024:1300
ufw allow in proto tcp from 192.168.0.2 port 389,1024:1300 to any port 1024:1300

# IN From Samba AD-DC (2 DCs) to member (allows samba 4.7+)
ufw allow in proto tcp from 192.168.0.1 port 389,49152:65535 to any port 49152:65535
ufw allow in proto tcp from 192.168.0.2 port 389,49152:65535 to any port 49152:65535

# OUT From member1 to DC1
ufw allow out proto udp from any port 1024:65535 to 192.168.0.1 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.0.1 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:1300,49152:65535 to 192.168.0.1 port 53,88,123,389,464,1024:1300,49152:65535
ufw allow out proto tcp from any port 53,1024:1300,49152:65535 to 192.168.0.1 port 53,88,123,389,464,1024:1300,49152:65535

# OUT From member1 to DC2
ufw allow out proto udp from any port 1024:1300,49152:65535 to 192.168.0.2 port 137,138
ufw allow out proto tcp from any port 1024:1300,49152:65535 to 192.168.0.2 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:1300,49152:65535 to 192.168.0.2 port 53,88,123,389,464,1024:1300,49152:65535
ufw allow out proto tcp from any port 53,1024:1300,49152:65535 to 192.168.0.2 port 53,88,123,389,464,1024:1300,49152:65535

# https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
# IN on INTERFACE (eno1) From LAN TO this domain member/file server
ufw allow in on eno1 proto tcp from 192.168.0.0/24 to any port 139,445 comment 'Allow in on eno1 port 139,445 (CIFS)'
ufw allow in on eno1 proto udp from 192.168.0.0/24 to any port 137,138 comment 'Allow in on eno1 port 137,138 (BROWSER)'

Back to my horrible OpenOffice online ... Crappy documentation. Need to integrate it in my mail env and it's a hard one. Preparing to drop MS Office completely. Woohoo..

Good luck, I'll have a look in the mailbox tomorrow again.

Greetz.

Louis

Ps. There might be some typos above this line, so test carefully.
And after a reset, your first line to enter is ALWAYS .. Allow ssh access...
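The thread ends with hand-typed rule lists, a warning about typos, and a reminder that `ufw reset` also throws away the SSH rule. As an added example (not code from the thread, from Samba, or from ufw itself), the script below generates the member-server rule set from three inputs (interface, LAN range, DC addresses) so the lines can be reviewed, diffed against `ufw show added`, and only then piped into a root shell. The interface `eno1`, the LAN `192.168.0.0/24` and the DC addresses are assumptions taken over from Louis' mail; the port lists follow his rules and the Samba wiki pages he cites. Passing `any` as the LAN range reproduces Marty's "allow from anywhere" rules, passing a prefix reproduces Rowland's `-s 192.168.0.0/16` restriction.

```shell
#!/bin/sh
# Added example, not part of the Samba list thread above.
# Prints (does not apply) the ufw rules for a Samba domain member / file server.
# Usage: samba_member_rules IFACE LAN_RANGE DC_IP [DC_IP ...]
#   IFACE     interface the LAN hangs off (assumption: eno1)
#   LAN_RANGE CIDR of hosts allowed to talk SMB, or "any" for no restriction
#   DC_IP     one or more AD DC addresses (assumptions: 192.168.0.1, 192.168.0.2)
# Ports: https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
#        https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
# Note: ufw refuses a multi-port rule without a protocol ("ufw allow 137,138"
# fails, "ufw allow 137,138/udp" works), so every rule below names proto.
samba_member_rules() {
    iface="$1"
    lan="$2"
    shift 2

    # Rule 1, always: after "ufw reset" nothing lets SSH in until this runs.
    echo "ufw limit 22/tcp"

    # SMB/CIFS and NetBIOS from the LAN (or from anywhere when lan=any).
    echo "ufw allow in on $iface proto tcp from $lan to any port 139,445 comment 'CIFS'"
    echo "ufw allow in on $iface proto udp from $lan to any port 137,138 comment 'NetBIOS'"

    # Per DC: LDAP and RPC replies, covering both the pre-4.7 (1024:1300)
    # and the 4.7+ (49152:65535) dynamic port ranges of the DC.
    for dc in "$@"; do
        echo "ufw allow in proto tcp from $dc port 389,1024:1300,49152:65535 to any port 1024:1300,49152:65535 comment 'from DC $dc'"
    done
}

# Number of "ufw" lines the generator produced; handy as a sanity check
# before applying (1 ssh + 2 smb + 1 per DC).
samba_member_rule_count() {
    samba_member_rules "$@" | grep -c '^ufw '
}

# Dry run with the assumed values. To apply, review the output and then:
#   samba_member_rules eno1 192.168.0.0/24 192.168.0.1 192.168.0.2 | sudo sh
samba_member_rules eno1 192.168.0.0/24 192.168.0.1 192.168.0.2
```

The generator deliberately emits `ufw limit 22/tcp` first, because ufw applies user rules in the order they are added and a reset wipes the previous SSH rule; the count helper makes it easy to spot a truncated paste before running anything as root.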