Having no success getting Samba to talk through Shorewall 1.3.4 on Red Hat Linux 7.3 (2.4.18-5). I've included relevant info below. I'm able to get my VPN/IPsec tunnel established, and I'm able to ping other machines on my local (192.168.123.*) network, but I get the following errors in syslog when trying to 'smbmount' a Windows machine:

Jul 19 13:49:26 localhost kernel: Shorewall:all2all:DROP:IN=eth0 OUT= MAC=<my mac here> SRC=192.168.123.101 DST=192.168.123.120 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27393 PROTO=UDP SPT=137 DPT=33205 LEN=70
Jul 19 13:49:26 localhost kernel: Shorewall:all2all:DROP:IN=eth0 OUT= MAC=<my mac here> SRC=192.168.123.101 DST=192.168.123.120 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27649 PROTO=UDP SPT=137 DPT=33205 LEN=70
Jul 19 13:49:26 localhost kernel: Shorewall:all2all:DROP:IN=eth0 OUT= MAC=<my mac here> SRC=192.168.123.101 DST=192.168.123.120 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27905 PROTO=UDP SPT=137 DPT=33205 LEN=70

So looks like a rule is screwy somewhere, any ideas? Here's my config:

interfaces:

#ZONE    INTERFACE    BROADCAST    OPTIONS
-        eth0         detect       dhcp
-        tr0          detect       norfc1918,dhcp
-        ipsec0       -
-        ppp0         -            norfc1918

zones:

#ZONE    DISPLAY    COMMENTS
work     Work       Work Intranet: directly or via IPsec
net      Net        Internet
loc      Local      Local networks

hosts:

#ZONE    HOST(S)                  OPTIONS
work     eth0:y.y.y.y
work     eth0:x.x.x.x
work     tr0:0.0.0.0/0
work     ipsec0:0.0.0.0/0
# Internet if connected at home via cable modem/DSL/...
net      eth0:0.0.0.0/0
loc      eth0:192.168.123.0/24

policy:

#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
fw         net     ACCEPT
fw         work    ACCEPT
fw         loc     ACCEPT
all        all     DROP      info

rules:

ACCEPT    work    fw     254
# Samba locally
ACCEPT    fw      loc    udp    137:139
ACCEPT    fw      loc    tcp    137,139
ACCEPT    fw      loc    udp    1024:      137
ACCEPT    loc     fw     udp    137:139
ACCEPT    loc     fw     tcp    137,139
ACCEPT    loc     fw     udp    1024:      137
On 19 Jul 2002, Bill wrote:

> #ZONE    HOST(S)                  OPTIONS
> work     eth0:y.y.y.y
> work     eth0:x.x.x.x
> work     tr0:0.0.0.0/0
> work     ipsec0:0.0.0.0/0
> # Internet if connected at home via cable modem/DSL/...
> net      eth0:0.0.0.0/0
> loc      eth0:192.168.123.0/24
>

The above is nonsense. If net includes eth0:0.0.0.0/0 then all traffic on eth0 (unless it comes from y.y.y.y or x.x.x.x) is assumed to come from the net zone. The last entry is useless and your traffic from 192.168.123.120 is being sent down the 'net2fw' chain, not the 'loc2fw' chain as your Samba rules seem to expect.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Fri, 19 Jul 2002, Tom Eastep wrote:

> On 19 Jul 2002, Bill wrote:
>
> > #ZONE    HOST(S)                  OPTIONS
> > work     eth0:y.y.y.y
> > work     eth0:x.x.x.x
> > work     tr0:0.0.0.0/0
> > work     ipsec0:0.0.0.0/0
> > # Internet if connected at home via cable modem/DSL/...
> > net      eth0:0.0.0.0/0
> > loc      eth0:192.168.123.0/24
> >
>
> The above is nonsense. If net includes eth0:0.0.0.0/0 then all traffic on
> eth0 (unless it comes from y.y.y.y or x.x.x.x) is assumed to come from the
> net zone. The last entry is useless and your traffic from 192.168.123.120
> is being sent down the 'net2fw' chain, not the 'loc2fw' chain as your
> Samba rules seem to expect.
>

Remember - when you have nested or overlapping zones, the order in which the zones appear in /etc/shorewall/zones is significant. The sub-zone must appear before the super-zone.

See http://www.shorewall.net/Documentation.htm#Nested

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Fri, 2002-07-19 at 15:50, Tom Eastep wrote:

> Remember - when you have nested or overlapping zones, the order in which
> the zones appear in /etc/shorewall/zones is significant. The sub-zone must
> appear before the super-zone.
>
> See http://www.shorewall.net/Documentation.htm#Nested

The ordering in zones and hosts solved the problem.

Thanks
-Bill
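The zone-ordering point Tom makes is easy to check before a firewall restart. The following is an added example, not code from the thread and not part of Shorewall: it parses the kernel log lines Bill quoted, then applies a simplified model of Shorewall's zone assignment (first zone in /etc/shorewall/zones order whose /etc/shorewall/hosts entry matches the inbound interface and source address wins) to show that Bill's original zone order sends 192.168.123.x traffic down 'net2fw', while the sub-zone-first order sends it down 'loc2fw'. It also lists hosts entries that are shadowed by an earlier, wider zone on the same interface, which is the misconfiguration in Bill's post. The x.x.x.x / y.y.y.y work hosts are replaced by RFC 5737 placeholder addresses; the log line is constructed in the same shape as the originals.

```python
"""Added example (not from the thread or from Shorewall): a simplified model of
Shorewall zone assignment from ordered zones/hosts entries, plus a parser for
the 'Shorewall:<chain>:<disposition>:' kernel log lines.  Real Shorewall emits
iptables chains; 'first matching zone in zones-file order' stands in for that
here, which is exactly the behaviour the sub-zone-before-super-zone rule needs."""

import ipaddress
import re

# Constructed log line in the same layout as the ones quoted in the thread
# (MAC value is a placeholder, as in the original post).
LOG_LINE = (
    "Jul 19 13:49:26 localhost kernel: Shorewall:all2all:DROP:IN=eth0 OUT= "
    "MAC=<my mac here> SRC=192.168.123.101 DST=192.168.123.120 LEN=90 "
    "TOS=0x00 PREC=0x00 TTL=128 ID=27393 PROTO=UDP SPT=137 DPT=33205 LEN=70"
)

# /etc/shorewall/hosts entries as (zone, interface, network), in file order.
# 203.0.113.x are RFC 5737 placeholders for the post's y.y.y.y / x.x.x.x.
HOSTS = [
    ("work", "eth0", "203.0.113.5/32"),   # placeholder for y.y.y.y
    ("work", "eth0", "203.0.113.6/32"),   # placeholder for x.x.x.x
    ("work", "tr0", "0.0.0.0/0"),
    ("work", "ipsec0", "0.0.0.0/0"),
    ("net", "eth0", "0.0.0.0/0"),
    ("loc", "eth0", "192.168.123.0/24"),
]

ZONES_ORIGINAL = ["work", "net", "loc"]   # super-zone 'net' ahead of sub-zone 'loc'
ZONES_FIXED = ["work", "loc", "net"]      # sub-zone first, as Tom's reply requires


def parse_shorewall_log(line):
    """Return chain, disposition and the key=value fields of a Shorewall log line."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    # Empty values such as 'OUT=' are kept; a repeated key (LEN) keeps its last value.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    fields["chain"] = m.group("chain")
    fields["disposition"] = m.group("disposition")
    return fields


def zone_for(zones, hosts, iface, ip):
    """First zone, in zones-file order, with a hosts entry matching iface and ip."""
    addr = ipaddress.ip_address(ip)
    for zone in zones:
        for z, i, net in hosts:
            if z == zone and i == iface and addr in ipaddress.ip_network(net, strict=False):
                return zone
    return None


def chain_for_inbound(zones, hosts, iface, src_ip):
    """Chain a packet addressed to the firewall itself is sent down: '<zone>2fw'."""
    zone = zone_for(zones, hosts, iface, src_ip)
    return f"{zone}2fw" if zone else None


def shadowed_entries(zones, hosts):
    """Hosts entries that can never match because an earlier zone (in zones-file
    order) already claims a superset of their network on the same interface.
    Returns (zone, interface, network, shadowing_zone) tuples."""
    rank = {z: n for n, z in enumerate(zones)}
    found = []
    for z, iface, net in hosts:
        n = ipaddress.ip_network(net, strict=False)
        for z2, iface2, net2 in hosts:
            if z2 == z or iface2 != iface:
                continue
            if rank.get(z2, len(zones)) >= rank.get(z, len(zones)):
                continue  # z2 is not listed earlier, so it cannot shadow z
            if n.subnet_of(ipaddress.ip_network(net2, strict=False)):
                found.append((z, iface, net, z2))
    return found


if __name__ == "__main__":
    f = parse_shorewall_log(LOG_LINE)
    print(f"dropped in chain {f['chain']}: {f['SRC']} -> {f['DST']} via {f['IN']}")
    for label, zones in (("original", ZONES_ORIGINAL), ("fixed", ZONES_FIXED)):
        print(label, "->", chain_for_inbound(zones, HOSTS, f["IN"], f["SRC"]),
              "shadowed:", shadowed_entries(zones, HOSTS))
```

Running it prints 'net2fw' with one shadowed entry (loc on eth0, hidden by net) for the original order and 'loc2fw' with nothing shadowed for the fixed order. The shadowing check is the useful part to keep: a hosts entry whose network is a subnet of an earlier zone's network on the same interface is dead configuration, and the Samba rules written against it will never be reached.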