Stefan Drees
2003-Jun-07 09:05 UTC
[Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem
Hello,

I'm using shorewall for a long time. It is a great work, simple to use and very flexible. Thanks.

But since I upgraded from version 1.3 to 1.4, my samba connections get lost from time to time. This problem consists also for connection to connections from a workstation over the firewall to a windows server in the DMZ. A downgrade to last 1.3 version solved the problem, but I think there must be another solution.

Hope someone can help me. Thanks in advance.

Here is my system information: I'm using Debian 3.0r1, samba 2.2.3a and iptables 1.2.6a.

1) shorewall version = 1.4.2 (tried also 1.4.4b)

2) uname -a = Linux ics 2.4.20 #1 Tue May 6 16:14:27 CEST 2003 i586 unknown

3) ip addr show

    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
    2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:e0:7d:95:14:ed brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:10:4b:b5:0d:05 brd ff:ff:ff:ff:ff:ff
        inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1
    4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
        link/ppp
        inet 217.225.238.114 peer 217.5.98.68/32 scope global ppp0
    5: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
        link/ppp
        inet 10.64.64.64 peer 10.112.112.112/32 scope global ipsec0
    6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
        link/ipip
    7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
        link/ipip
    8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
        link/ipip
    9: ippp1: <POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 30
        link/ppp
        inet 10.0.0.1 peer 10.0.0.2/32 scope global ippp1
    10: ippp2: <POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 30
        link/ppp
        inet 10.0.0.1 peer 10.0.0.2/32 scope global ippp2

5) ip route show

    10.0.0.2 dev ippp2 scope link
    10.0.0.2 dev ippp1 scope link
    217.5.98.68 dev ppp0 proto kernel scope link src 217.225.238.114
    10.112.112.112 dev ipsec0 proto kernel scope link src 10.64.64.64
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.254
    192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.254
    default via 217.5.98.68 dev ppp0

6) lsmod

    Module            Size    Used by    Tainted: P
    ipt_TOS           1152    12 (autoclean)
    ipt_MASQUERADE    1312    1 (autoclean)
    ipt_ULOG          3552    11 (autoclean)
    ipt_REJECT        2944    2 (autoclean)
    ipt_state         640     86 (autoclean)
    iptable_mangle    2272    1 (autoclean)
    ip_nat_ftp        2944    0 (unused)
    iptable_nat       14388   2 [ipt_MASQUERADE ip_nat_ftp]
    ip_conntrack_ftp  3840    1
    ip_conntrack      16524   3 [ipt_MASQUERADE ipt_state ip_nat_ftp iptable_nat ip_conntrack_ftp]
    iptable_filter    1792    1 (autoclean)
    ip_tables         10560   10 [ipt_TOS ipt_MASQUERADE ipt_ULOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]
    nfsd              66720   8 (autoclean)
    parport_pc        11972   1 (autoclean)
    lp                5920    0 (autoclean)
    parport           13280   1 (autoclean) [parport_pc lp]
    ppp_deflate       2976    0 (autoclean)
    zlib_inflate      18368   0 (autoclean) [ppp_deflate]
    zlib_deflate      17664   0 (autoclean) [ppp_deflate]
    bsd_comp          4096    0 (autoclean)
    ipsec             237248  2
    ppp_async         6432    1 (autoclean)
    ppp_generic       15180   3 (autoclean) [ppp_deflate bsd_comp ppp_async]
    slhc              4544    0 (autoclean) [ppp_generic]
    powerswitch       1020    0 (unused)
    hisax             141792  5
    isdn              88512   6 [hisax]
    isa-pnp           28124   0 [hisax]
    3c59x             24904   1
    8139too           13760   1
    mii               2288    0 [8139too]
    keybdev           1664    0 (unused)
    input             3072    0 [keybdev]
Tom Eastep
2003-Jun-08 17:43 UTC
[Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem
On Sat, 7 Jun 2003 18:02:56 +0200, Stefan Drees <s_drees@t-online.de> wrote:

> But since I upgraded from version 1.3 to 1.4, my samba connections get lost
> from time to time.
> This problem consists also for connection to connections from a workstation
> over the firewall to a windows server in the DMZ.
> A downgrade to last 1.3 version solved the problem, but I think there must
> be another solution.
>
> Hope someone can help me.

Are you saying that these connections work sometimes but other times they don't?

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
Stefan Drees
2003-Jun-09 13:09 UTC
[Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem
Yes, my samba server runs as domain controller. At login the samba shares are connected via netlogon script. After ?? min. the connection gets lost. I noticed this, because my E-Mail PST-File is saved on one of the shares. I try then 4-6 times to reconnect, before it is working again, for a little time.

The problem exists also for connections over the firewall. Workstation connecting to shares on W2K Server in DMZ Zone.

I think the problem is the background reconnect to the shares because of the W2K problem. For example the W2K workstation couldn't connect to the shares via net use at workgroup logon (error message), but access over the windows explorer works. Hope this helps you a little bit.

Thanks for your help.

P.S. I'm sending this mail to shorewall-users list, too.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, 9 June 2003 02:43
To: Stefan Drees; shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem

On Sat, 7 Jun 2003 18:02:56 +0200, Stefan Drees <s_drees@t-online.de> wrote:

> But since I upgraded from version 1.3 to 1.4, my samba connections get lost
> from time to time.
> This problem consists also for connection to connections from a workstation
> over the firewall to a windows server in the DMZ.
> A downgrade to last 1.3 version solved the problem, but I think there must
> be another solution.
>
> Hope someone can help me.

Are you saying that these connections work sometimes but other times they don't?

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
Tom Eastep
2003-Jun-09 14:46 UTC
[Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem
On Mon, 9 Jun 2003 22:07:21 +0200, Stefan Drees <s_drees@t-online.de> wrote:

> Yes, my samba server runs as domain controller. At login the samba shares
> are connected via netlogon script. After ?? min. the connection gets lost.
> I noticed this, because my E-Mail PST-File is saved on one of the shares.
> I try then 4-6 times to reconnect, before it is working again, for a little
> time.
>
> The problem exists also for connections over the firewall.
> Workstation connecting to shares on W2K Server in DMZ Zone.
>
> I think the problem is the background reconnect to the shares because
> of the W2K problem. For example the W2K workstation couldn't connect to
> the shares via net use at workgroup logon (error message), but access over
> the windows explorer works. Hope this helps you a little bit.
>

Not really -- I haven't a clue how a change in Shorewall could produce such symptoms. You might restart Shorewall with an empty /etc/shorewall/common file for a bit. That will produce quite a bit of output but may point out what traffic isn't being enabled.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
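
Added example (not part of the thread and not Shorewall's own code): one way to summarize the extra log output Tom describes, counting logged packets by chain, input interface, protocol and destination port, then keeping the NetBIOS/SMB ports. The "Shorewall:<chain>:<verdict>:" prefix format and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed log prefix format: "Shorewall:<chain>:<verdict>:", followed by the
# KEY=value fields of a netfilter log entry.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[^:]+):")
FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
Jun 17 12:01:10 ics kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= SRC=192.168.10.2 DST=192.168.10.254 LEN=48 TTL=128 PROTO=TCP SPT=1029 DPT=445 SYN
Jun 17 12:01:13 ics kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= SRC=192.168.10.2 DST=192.168.10.254 LEN=48 TTL=128 PROTO=TCP SPT=1029 DPT=445 SYN
Jun 17 12:02:40 ics kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=78 TTL=110 PROTO=UDP SPT=1026 DPT=137
Jun 17 12:02:55 ics kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=40 TTL=110 PROTO=TCP SPT=4021 DPT=80 SYN
Jun 17 12:03:02 ics kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.255 LEN=229 TTL=128 PROTO=UDP SPT=138 DPT=138
Jun 17 12:03:05 ics sshd[411]: unrelated line without firewall fields
"""


def tally(log_text):
    """Count logged packets by (chain, verdict, in_iface, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        prefix = PREFIX.search(line)
        if not prefix:
            continue  # not a firewall log entry
        fields = dict(FIELD.findall(line))
        key = (prefix["chain"], prefix["verdict"], fields.get("IN", ""),
               fields.get("PROTO", ""), fields.get("DPT", ""))
        counts[key] += 1
    return counts


def smb_related(counts, ports=("137", "138", "139", "445")):
    """Keep only entries whose destination port is a NetBIOS/SMB port."""
    return {key: n for key, n in counts.items() if key[4] in ports}


if __name__ == "__main__":
    hits = smb_related(tally(SAMPLE_LOG))
    for key, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(n, *key)
```
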
Tom Eastep
2003-Jun-09 14:51 UTC
[Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem
On Mon, 09 Jun 2003 14:46:34 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> Not really -- I haven't a clue how a change in Shorewall could produce
> such symptoms. You might restart Shorewall with an empty
> /etc/shorewall/common file for a bit. That will produce quite a bit of
> output but may point out what traffic isn't being enabled.
>

Also, if you have NEWNOTSYN=No in /etc/shorewall/shorewall.conf, you might try switching to NEWNOTSYN=Yes to see if that helps.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
Tom Eastep
2003-Jun-17 13:15 UTC
[Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem
On Tue, 2003-06-17 at 12:38, Stefan Drees wrote:

> Hi,
> NEWNOTSYN=Yes doesn't help. I also have commented out all entries in
> common.def.
> I got many messages about blocked packages from port 137-138 and port 445.
> The most on eth0 and ppp0, the only blocked packages are from lan to port
> 445 on the firewall.
> 192.168.10.2 is my workstation, 192.168.10.254 my server. I also changed my
> firewall rules for accessing
> samba to match your recommendations, listed at your website. I tried also to
> allow port 445 tcp, without success.
> ACCEPT ics loc udp 137:139
> ACCEPT ics loc tcp 137:139,445
> ACCEPT ics loc udp 1024:137

I assume that the last part is actually "1024:<white space>137", right?

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
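
Added example (not part of the thread and not Shorewall's own code): a small checker showing why the whitespace Tom asks about matters. Run together, "1024:137" is a single inverted port range; with a space it is destination ports 1024 and up plus source port 137. The column order ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) is an assumption of this sketch, and it handles numeric ports only.

```python
# Added example: check the port columns of Shorewall rules-file entries.
# Assumed column order: ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S)
COLUMNS = ("action", "source", "dest", "proto", "dports", "sports")


def parse_ports(field):
    """'137:139,445' -> [(137, 139), (445, 445)]; '1024:' is open-ended."""
    ranges = []
    for part in field.split(","):
        low, sep, high = part.partition(":")
        lo = int(low) if low else 0
        hi = int(high) if high else (65535 if sep else lo)
        if min(lo, hi) < 0 or max(lo, hi) > 65535:
            raise ValueError(f"port outside 0-65535 in {part!r}")
        if lo > hi:
            raise ValueError(f"inverted range {part!r}: {lo} > {hi}")
        ranges.append((lo, hi))
    return ranges


def check_rule(line):
    """Return (rule, problems) for one rules-file line."""
    fields = line.split("#", 1)[0].split()
    rule = dict(zip(COLUMNS, fields))
    problems = []
    for col in ("dports", "sports"):
        value = rule.get(col, "-")
        rule[col] = None  # None means "any port" or "could not be parsed"
        if value == "-":
            continue
        try:
            rule[col] = parse_ports(value)
        except ValueError as exc:
            problems.append(f"{col}: {exc}")
    return rule, problems


# The three rules quoted in the message, plus the spaced form Tom asks about.
RULES = [
    "ACCEPT ics loc udp 137:139",
    "ACCEPT ics loc tcp 137:139,445",
    "ACCEPT ics loc udp 1024:137",
    "ACCEPT ics loc udp 1024: 137",
]

if __name__ == "__main__":
    for text in RULES:
        rule, problems = check_rule(text)
        print(f"{text!r}: dports={rule['dports']} sports={rule['sports']}",
              problems or "ok")
```
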
Tom Eastep
2003-Jun-17 13:27 UTC
[Shorewall-users] Shorewall 1.3->1.4 Samba Disconnect Problem
On Mon, 2003-06-09 at 13:07, Stefan Drees wrote:

> Yes, my samba server runs as domain controller. At login the samba shares
> are connected via netlogon script. After ?? min. the connection gets lost.
> I noticed this, because my E-Mail PST-File is saved on one of the shares.
> I try then 4-6 times to reconnect, before it is working again, for a little
> time.
>
> The problem exists also for connections over the firewall.
> Workstation connecting to shares on W2K Server in DMZ Zone.
>
> I think the problem is the background reconnect to the shares because
> of the W2K problem. For example the W2K workstation couldn't connect to
> the shares via net use at workgroup logon (error message), but access over
> the windows explorer works. Hope this helps you a little bit.
>

What error message do you get when the workstation fails to connect via 'net use'?

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net