FYI
Thanks, Steve!
-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
---------- Forwarded message ----------
Date: Wed, 29 May 2002 16:32:14 -0500
From: "Cowles, Steve" <Steve@SteveCowles.com>
To: 'Tom Eastep' <teastep@shorewall.net>
Subject: RE: [Shorewall-users] Samba
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Wednesday, May 29, 2002 11:45 AM
> To: John Andersen
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Samba
>
> I've updated http://www.shorewall.net/samba.htm to include additional
> rules.
> 
> The problem is that Netfilter doesn't track broadcasts, so
> responses to broadcasts do not match ESTABLISHED,RELATED rules
> designed to handle response packets.
Tom,
feel free to post this to the list, but here's my 2 cents on this topic.
Steve Cowles
I think the key to these new rule additions should be noted as follows:
Option 1) If you plan on browsing "from" the firewall to your LAN (fw->loc),
then these new rules are needed, especially if you're using LinNeighborhood.
Option 2) If you simply want your firewall to be visible (register its
workgroup affiliation) in Network Neighborhood and you plan on only
accessing shares on your firewall from MS clients located on your LAN
(loc->fw), then the original rules are all that's needed.
The latter is how my firewall is configured, i.e. I do not use
LinNeighborhood on my firewall or even see the need to browse from the
firewall. But I do transfer RPM files to my firewall using SMB.
These are the only rules I added to allow my firewall to participate in SMB
transactions. From what I can tell, 445 is needed if you're accessing your
firewall from a W2K system.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  fw      loc     udp     137,138
ACCEPT  fw      loc     tcp     137:139,445
ACCEPT  loc     fw      tcp     139,445
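A constructed toy model of the point Tom makes above (added here; not code from the thread, Shorewall or Netfilter): connection tracking gives the firewall's TCP replies a free pass as ESTABLISHED, but a NetBIOS broadcast sent from the firewall creates no state, so the hosts' answers arrive as fresh loc->fw packets that Steve's three rules do not cover. The zone names, addresses and ports are assumptions for the example.

```python
from collections import namedtuple

# Constructed LAN: the firewall is 192.168.1.1, the subnet broadcast is .255
LAN_BROADCAST = {"192.168.1.255", "255.255.255.255"}

# The three Shorewall ACCEPT rules from the message: (src zone, dst zone, proto, ports)
RULES = [
    ("fw", "loc", "udp", {137, 138}),
    ("fw", "loc", "tcp", set(range(137, 140)) | {445}),
    ("loc", "fw", "tcp", {139, 445}),
]

Packet = namedtuple("Packet", "src_zone dst_zone proto src sport dst dport")

def rule_accepts(pkt):
    """Stateless match of one packet against the ACCEPT rules above."""
    return any(s == pkt.src_zone and d == pkt.dst_zone and p == pkt.proto
               and pkt.dport in ports for s, d, p, ports in RULES)

def netfilter(pkt, conntrack):
    """Toy Netfilter: ESTABLISHED check first, then the rules file.
    conntrack is the set of tracked flows (5-tuples), updated in place."""
    if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in conntrack:
        return "ACCEPT (ESTABLISHED)"  # reply to a flow we hold state for
    if not rule_accepts(pkt):
        return "DROP"
    # Netfilter creates no conntrack entry for a broadcast, so the unicast
    # answers it provokes will never match ESTABLISHED,RELATED.
    if pkt.dst not in LAN_BROADCAST:
        conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return "ACCEPT (rule)"

def samba_scenario():
    """Run the SMB flows from both options through the toy firewall."""
    ct, fw, host = set(), "192.168.1.1", "192.168.1.10"
    return [
        # option 1: fw broadcasts a NetBIOS name query into the LAN
        netfilter(Packet("fw", "loc", "udp", fw, 137, "192.168.1.255", 137), ct),
        # a host answers that broadcast: no state, and no loc->fw udp rule
        netfilter(Packet("loc", "fw", "udp", host, 137, fw, 137), ct),
        # option 2: a LAN client opens an SMB session to a firewall share
        netfilter(Packet("loc", "fw", "tcp", host, 51000, fw, 445), ct),
        # the firewall's reply rides on conntrack; no fw->loc rule needed
        netfilter(Packet("fw", "loc", "tcp", fw, 445, host, 51000), ct),
    ]
```

The second verdict is the one that explains why browsing from the firewall needs rules beyond these three, while the fourth shows why option 2 does not.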