Is shorewall configured by default to drop/reject udp broadcasts?

I'm trying to set up samba and my windows machines can't see the samba server (which is also the firewall). I see the following errors in log.nmbd:

[2002/04/14 20:55:32, 0] libsmb/nmblib.c:send_udp(777)
  Packet send failed to 192.168.2.255(137) ERRNO=Operation not permitted
[2002/04/14 20:55:32, 0] nmbd/nmbd_packets.c:send_netbios_packet(174)
  send_netbios_packet: send_packet() to IP 192.168.2.255 port 137 failed
[2002/04/14 20:55:32, 0] nmbd/nmbd_namequery.c:query_name(257)
  query_name: Failed to send packet trying to query name OCTO<1d>

My policies are set up as:

#SOURCE   DESTINATION   POLICY   LOG LEVEL
loc       fw            DROP     info
loc       net           ACCEPT
fw        net           ACCEPT
net       all           DROP     info
all       all           REJECT   info

Any help debugging would be appreciated. I'm pretty much out of ideas on how to take this further. I've scoured usenet and google and haven't found anything helpful.

Thanks,
brian
Maybe add a line

fw        loc           ACCEPT   info

In terms of diagnosis I find the 'info' very helpful to log packets to /var/log/messages.

I hope this helps,
John Leach

On Mon, 15 Apr 2002 11:57, Brian Fallik wrote:
> Is shorewall configured by default to drop/reject udp broadcasts?
>
> I'm trying to set up samba and my windows machines can't see the samba
> server (which is also the firewall). I see the following errors in
> log.nmbd:
>
> [2002/04/14 20:55:32, 0] libsmb/nmblib.c:send_udp(777)
>   Packet send failed to 192.168.2.255(137) ERRNO=Operation not permitted
> [2002/04/14 20:55:32, 0] nmbd/nmbd_packets.c:send_netbios_packet(174)
>   send_netbios_packet: send_packet() to IP 192.168.2.255 port 137 failed
> [2002/04/14 20:55:32, 0] nmbd/nmbd_namequery.c:query_name(257)
>   query_name: Failed to send packet trying to query name OCTO<1d>
>
> My policies are set up as:
> #SOURCE   DESTINATION   POLICY   LOG LEVEL
> loc       fw            DROP     info
> loc       net           ACCEPT
> fw        net           ACCEPT
> net       all           DROP     info
> all       all           REJECT   info
>
> Any help debugging would be appreciated. I'm pretty much out of ideas on
> how to take this further. I've scoured usenet and google and haven't found
> anything helpful.
>
> Thanks,
> brian
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

--
http://osware.net
Scanned for viruses at osware.net
Brian Fallik wrote:
> Is shorewall configured by default to drop/reject udp broadcasts?

Yes - see /etc/shorewall/common.def. SMB is one of the services suppressed there.

> I'm trying to set up samba and my windows machines can't see the samba server
> (which is also the firewall).

In case anyone hasn't told you yet, that's a bad idea. :-) If it can be avoided, you really don't want to do it.

> I see the following errors in log.nmbd:
>
> [2002/04/14 20:55:32, 0] libsmb/nmblib.c:send_udp(777)
>   Packet send failed to 192.168.2.255(137) ERRNO=Operation not permitted
> [2002/04/14 20:55:32, 0] nmbd/nmbd_packets.c:send_netbios_packet(174)
>   send_netbios_packet: send_packet() to IP 192.168.2.255 port 137 failed
> [2002/04/14 20:55:32, 0] nmbd/nmbd_namequery.c:query_name(257)
>   query_name: Failed to send packet trying to query name OCTO<1d>
>
> My policies are set up as:
> #SOURCE   DESTINATION   POLICY   LOG LEVEL
> loc       fw            DROP     info
> loc       net           ACCEPT
> fw        net           ACCEPT
> net       all           DROP     info
> all       all           REJECT   info

Your inbound traffic is likely being denied by the loc -> fw policy, and outbound by all -> all.

> Any help debugging would be appreciated.

John's tip on using a logging accept policy is a good one.

> I'm pretty much out of ideas on
> how to take this further.

As a general rule, turning on logging on everything is a good approach. You need it to trace what is happening to each packet.

In this particular problem, what you're going to need to do is specifically allow SMB traffic with a rule. I use one like this:

ACCEPT <server's zone>:$SMB <client's zone> udp 137:139

Where the items in <> are the zones you want to talk between and $SMB is the IP address of the server, defined in your params file. (If your zone is just one host, you don't need the $SMB part.)

--
Paul
http://paulgear.webhop.net
On Mon, 15 Apr 2002, Paul Gear wrote:
> Brian Fallik wrote:
>
> > Is shorewall configured by default to drop/reject udp broadcasts?
>
> Yes - see /etc/shorewall/common.def. SMB is one of the services suppressed
> there.

Yes, but that's only so that we don't get flooded on this list with reports of people being "attacked" by their neighbor's windows systems. The common chain gets applied AFTER rules from /etc/shorewall/rules and BEFORE policies from /etc/shorewall/policy.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
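John's and Paul's advice is to turn on 'info' logging and read /var/log/messages to see which policy chain is dropping or rejecting each packet; Paul then gives the shape of the rule that allows the SMB traffic between the right zones, and Tom points out that rules are evaluated before the common chain and the policies. The script below, an added example that is not from anyone in this thread, ties those together: it parses netfilter LOG lines carrying a Shorewall-style "Shorewall:<chain>:<disposition>:" prefix, counts the NetBIOS packets (udp 137-139 and tcp 139) per chain, and prints a candidate rules-file line in Paul's format for each loc/fw direction that was denied. The log lines are constructed to look like the poster's setup (firewall at 192.168.2.1, LAN 192.168.2.0/24); the exact prefix layout and the "<src>2<dst>" chain naming (loc2fw, all2all, net2all) are assumptions about the Shorewall version in use. NetBIOS from the net zone is deliberately left out of the suggestions, since that is exactly the neighbour-Windows noise Tom says common.def exists to suppress.

```python
"""Triage Shorewall 'info'-level log lines for dropped/rejected NetBIOS traffic.

Added example, not from the thread.  Assumes netfilter LOG output with a
'Shorewall:<chain>:<disposition>:' prefix and zone-to-zone chains named
'<src>2<dst>' (both assumptions about the Shorewall version at hand).
"""
import re
from collections import Counter

# Constructed sample of /var/log/messages; addresses and MACs are made up.
SAMPLE_LOG = """\
Apr 15 11:57:32 octo kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.1 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 15 11:57:33 octo kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 15 11:57:34 octo kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4712 DF PROTO=TCP SPT=1034 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 11:57:35 octo kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=51 ID=999 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 15 11:57:36 octo sshd[123]: Accepted password for brian from 192.168.2.10 port 1035 ssh2
"""

# NetBIOS name/datagram/session services (udp 137/138/139, tcp 139).
NETBIOS_PORTS = {137, 138, 139}

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # LOG output is 'KEY=value' tokens; bare flags such as DF and SYN are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "in": fields.get("IN", ""),      # empty when the firewall itself sent it
        "out": fields.get("OUT", ""),    # empty when the firewall itself is the target
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def is_netbios(entry):
    return entry["proto"] in ("UDP", "TCP") and entry["dport"] in NETBIOS_PORTS


def suggest_rule(entry):
    """Candidate /etc/shorewall/rules line in the form Paul uses in the thread:
    ACCEPT <source zone> <dest zone> <proto> 137:139.

    Zones come from the '<src>2<dst>' chain name (assumption).  An 'all' side is
    resolved from the interface fields: no IN interface means the firewall sent
    the packet, no OUT interface means the firewall is the destination.
    Returns None for anything touching the net zone: that NetBIOS traffic is the
    Internet background noise common.def is there to silence, so no rule."""
    chain = entry["chain"]
    src_zone, dst_zone = chain.split("2", 1) if "2" in chain else ("?", "?")
    if src_zone == "all":
        src_zone = "fw" if not entry["in"] else "loc"   # assumes LAN-side traffic
    if dst_zone == "all":
        dst_zone = "fw" if not entry["out"] else "loc"  # assumes LAN-side traffic
    if "net" in (src_zone, dst_zone):
        return None
    return f"ACCEPT {src_zone} {dst_zone} {entry['proto'].lower()} 137:139"


def triage(text):
    """Count NetBIOS packets per (chain, disposition) and gather rule hints."""
    counts = Counter()
    hints = set()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_netbios(entry):
            continue
        counts[(entry["chain"], entry["disposition"])] += 1
        hint = suggest_rule(entry)
        if hint:
            hints.add(hint)
    return counts, sorted(hints)


if __name__ == "__main__":
    counts, hints = triage(SAMPLE_LOG)
    for (chain, disp), n in counts.most_common():
        print(f"{n:4d}  {chain:10s} {disp}")
    print("candidate rules (put these in /etc/shorewall/rules, ahead of the policies):")
    for hint in hints:
        print("  " + hint)
```

Run it against a real file with `triage(open("/var/log/messages").read())`. On the constructed sample it reports two loc2fw DROPs (the client's udp 137 broadcast and its tcp 139 connect), one all2all REJECT (nmbd on the firewall trying to send to 192.168.2.255, which is the "Operation not permitted" in log.nmbd), and one net2all DROP that gets no rule. Because of the evaluation order Tom describes, the suggested ACCEPT lines take effect before common.def and the DROP/REJECT policies are consulted.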