My Firewall is also my samba server (I know, I know, not the best idea).
When I code the rules for SAMBA as shown on the web page
I get udp packets from the FW to LOC on port 137 blocked by the 
all2all chain as shown below:
May 28 10:16:44 norcomix kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
SRC=192.168.2.80 DST=192.168.2.143
LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32787 LEN=70
Apparently the rules as shown on the web page are not sufficient to 
allow all SMB packets to be transmitted.  I think that this is because
they filter on destination port (which is 32787 in this example) rather
than source port.
Loss of these seems to cause LinNeighborhood a great deal of
grief as it refuses to browse the network any further.  (Oddly, these
packets are not missed by the Windows stations.)
If I add a line in the POLICY file like this: 
 fw loc accept
These packets are no longer dropped and everything works.
Question:  Is this dangerous?   Is there a better way?
              
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
On Tue, 28 May 2002, John Andersen wrote:

> Question: Is this dangerous? Is there a better way?

John -- Search the email archives; this issue was exhaustively discussed recently.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Tue, 28 May 2002, John Andersen wrote:

> My Firewall is also my samba server (I know, I know, not the best idea).
>
> When I code the rules for SAMBA as shown on the web page
> I get udp packets from the FW to LOC on port 137 blocked by the
> all2all chain as shown below:
>
> May 28 10:16:44 norcomix kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.80 DST=192.168.2.143
> LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32787 LEN=70
>
> Apparently the rules as shown on the web page are not sufficient to
> allow all SMB packets to be transmitted. I think that this is because
> they filter on destination port (which is 32787 in this example) rather
> than source port.
>
> Loss of these seems to cause LinNeighborhood a great deal of
> grief as it refuses to browse the network any further. (Oddly, these
> packets are not missed by the Windows stations.)
>
> If I add a line in the POLICY file like this:
> fw loc accept
>
> These packets are no longer dropped and everything works.
>
> Question: Is this dangerous? Is there a better way?

I've updated http://www.shorewall.net/samba.htm to include additional rules.

The problem is that Netfilter doesn't track broadcasts, so responses to broadcasts do not match ESTABLISHED,RELATED rules designed to handle response packets.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
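The log line quoted in the original post and Tom's explanation above (Netfilter does not track broadcasts, so the SMB/NetBIOS replies never match ESTABLISHED,RELATED and fall through to the all2all policy) suggest a small triage script. The one below is an added example written for this page; it is not code from Shorewall or from either poster. It parses Shorewall's kernel log format, flags locally generated UDP datagrams from a NetBIOS service port to an unprivileged destination port (the class of packet that conntrack cannot relate to its query), and prints a narrow iptables rule covering just that traffic, which is the alternative to the blanket `fw loc ACCEPT` policy John asked about. The chain name `fw2loc` and the `1024:` port range are assumptions for illustration (Shorewall names zone-pair chains this way and Tom confirms below that a trailing colon means all higher ports); the sample log lines other than the first are constructed, not captured.

```python
import re

# Constructed sample log: the first line is the one quoted in the post (joined
# onto one line as syslog writes it); the other two are made up for contrast.
SAMPLE_LOG = """\
May 28 10:16:44 norcomix kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.80 DST=192.168.2.143 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32787 LEN=70
May 28 10:16:45 norcomix kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.80 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=58
May 28 10:17:02 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.1.2.3 DST=192.168.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes the Netfilter log with "Shorewall:<chain>:<disposition>:".
LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
# Netfilter fields are KEY=VALUE tokens; flags such as DF or SYN carry no '='.
KV_RE = re.compile(r"(\w+)=(\S*)")

NETBIOS_PORTS = {137, 138, 139}   # name service, datagram service, session service


def parse_line(line):
    """Return a dict of the fields in one Shorewall/Netfilter log line, or None
    if the line is not a Shorewall log entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    for key, val in KV_RE.findall(m.group("rest")):
        # LEN appears twice (IP header, then UDP header); keep the first.
        rec.setdefault(key, val)
    for key in ("SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def is_untracked_netbios_reply(rec):
    """True for a datagram the firewall itself generated (IN empty, OUT set),
    UDP, from a NetBIOS service port, to an unprivileged destination port.
    That is the reply conntrack cannot match as ESTABLISHED, so only an
    explicit rule (or a permissive policy) will let it out."""
    return (rec.get("PROTO") == "UDP"
            and rec.get("IN", "") == ""
            and rec.get("OUT", "") != ""
            and rec.get("SPT") in NETBIOS_PORTS
            and rec.get("DPT", 0) >= 1024)


def iptables_equivalent(rec):
    """Narrow iptables rule for the flagged datagram. 'fw2loc' is assumed to be
    the fw->loc chain; '1024:' (trailing colon) means all higher ports."""
    return ("iptables -A fw2loc -p udp --sport %d --dport 1024: -j ACCEPT"
            % rec["SPT"])


def triage(log_text):
    """Classify every Shorewall log line in the text.
    Returns a list of (chain, disposition, SPT, DPT, verdict) tuples."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = "netbios-reply" if is_untracked_netbios_reply(rec) else "other"
        results.append((rec["chain"], rec["disp"], rec.get("SPT"), rec.get("DPT"), verdict))
    return results


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec and is_untracked_netbios_reply(rec):
            print("untracked NetBIOS reply rejected in %s:" % rec["chain"], line)
            print("  suggested narrow rule:", iptables_equivalent(rec))
```

Run against a real /var/log/messages by reading the file into `triage`. The second sample line (port 138 to port 138, the broadcast itself) deliberately does not match: the rule this script suggests covers only replies to high ports, so anything else that appears in the log still has to be added on its own merits rather than by opening fw->loc entirely.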
On 29 May 2002 at 9:44, Tom Eastep wrote:

> > Apparently the rules as shown on the web page are not sufficient to
> > allow all SMB packets to be transmitted.
> > Loss of these seems to cause LinNeighborhood a great deal of
> > grief as it refuses to browse the network any further. (Oddly, these
> > packets are not missed by the Windows stations.)
> >
> > If I add a line in the POLICY file like this:
> > fw loc accept
> > Question: Is this dangerous? Is there a better way?
>
> I've updated http://www.shorewall.net/samba.htm to include additional
> rules.
>
> The problem is that Netfilter doesn't track broadcasts, so responses to
> broadcasts do not match ESTABLISHED,RELATED rules designed to handle
> response packets.

Yes, this works and has much less exposure.

Trailing colon I assume means all higher ports?

Thanks.

Note to the documentation group: The speckled background on the web page makes it EASY to miss some punctuation (such as trailing colons). A bolder font or a different BG might help.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
On Wed, 29 May 2002, John Andersen wrote:

> > I've updated http://www.shorewall.net/samba.htm to include additional
> > rules.
> >
> > The problem is that Netfilter doesn't track broadcasts, so responses to
> > broadcasts do not match ESTABLISHED,RELATED rules designed to handle
> > response packets.
>
> Yes, this works and has much less exposure.
> Trailing colon I assume means all higher ports?

Yes.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Wed, 29 May 2002, John Andersen wrote:

> Note to the documentation group: The speckled background
> on the web page makes it EASY to miss some punctuation
> (such as trailing colons). A bolder font or a different BG might
> help.

John -- do you find the new 1.3 BG/font easier to read?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On 30 May 2002 at 12:50, Tom Eastep wrote:

> On Wed, 29 May 2002, John Andersen wrote:
>
> > Note to the documentation group: The speckled background
> > on the web page makes it EASY to miss some punctuation
> > (such as trailing colons). A bolder font or a different BG might
> > help.
>
> John -- do you find the new 1.3 BG/font easier to read?
>
> -Tom

Oh yeah, it's much easier to see the subtle periods etc. Not to mention flashier too. ;-)

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/