Shorewall users - Nov 2003 - Connection rejected but no message in log?

Hi all!

I have a really weird problem.  My setup is this :
SERVER -> LinkSys Wireless router/hub -> Workstation

The workstation is running Windows and Linux. When running Windows I am 
able to access all the Samba shares on the server, so far so good.

When the workstation is running Linux it''s impossible to do an smbmount
for any of the shares.

My policy loc->fw is REJECT INFO and I specifically allow SMB traffic on 
the correct ports.

The Linux machine will not connect to the server, unless I change the 
policy loc->fw to ACCEPT. When the policy is REJECT and I try to mount a 
share, nothing shows up in the logs about any rejected packets.

I cannot understand why with the REJECT policy and explicitly specified 
SMB allow rules the client running Windows is able to connect, when I 
reboot the same machine with Linux it fails.

It can''t be the Linksys router, otherwise it should''t have
been possible
under Windows either, I suspect a firewall rule.

Unfortunately the LinkSys router does do some masquerading or routing, the 
router only takes 1 ip from my server and gives out ip''s from another 
private range to the clients.

Ideas anyone?

On Mon, 3 Nov 2003, Remco Barendse wrote:
>
> Ideas anyone?
>
Shorewall suppresses logging of all SMB noise through entries in
/etc/shorewall/common.def (otherwise, the log would be useless). You can
try running with an empty /etc/shorewall/common file and see what is
getting blocked in the fw<->loc traffic.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks!!! :)

Now I now what got rejected, but not why.

This is the line from the log:
Nov  4 20:32:45 xxx kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= 
MAC=00:a0:24:a9:30:bb:00:06:25:c1:06:86:08:00 SRC=10.10.0.2 DST=10.10.0.1 
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32614 DF PROTO=TCP SPT=33575 DPT=445 
WINDOW=5840 RES=0x00 SYN URGP=0

I really haven''t got a clue why a Linux client needs to communicate
with
another Linux host on port 445 whereas the Windows client doesnt.

I had these standard rules for SMB:
#-----------------------------------------------------------------------------
### SMB
#-----------------------------------------------------------------------------
ACCEPT  fw              loc                     udp     137:139
ACCEPT  fw              loc                     tcp     137,139
ACCEPT  fw              loc                     udp     1024:   137
ACCEPT  loc             fw                      udp     137:139
ACCEPT  loc             fw                      tcp     137,139
ACCEPT  loc             fw                      udp     1024:   137

And added this line:
ACCEPT  loc             fw                      tcp     445

Maybe it could be added to the website to $ave other people the trouble?

Possibly I need to put a similar line for the reverse fw -> loc if i need 
to mount a share from the workstation but haven''t tried that.

On Mon, 3 Nov 2003, Tom Eastep wrote:
> On Mon, 3 Nov 2003, Remco Barendse wrote:
> 
> >
> > Ideas anyone?
> >
> 
> Shorewall suppresses logging of all SMB noise through entries in
> /etc/shorewall/common.def (otherwise, the log would be useless). You can
> try running with an empty /etc/shorewall/common file and see what is
> getting blocked in the fw<->loc traffic.
> 
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

Oops, I should think before I type, ofcourse I know:

The workstation is running samba 3.00, guess Samba tries some funny Active 
Directory stuff and just burns and dies when that fails :(

In common.def I see that udp 445 is discarded silently as well. Should I 
allow that too??

If it''s caused by Samba 3 this question will probably make it into the
FAQ

On Tue, 4 Nov 2003, Remco Barendse wrote:
> Thanks!!! :)
> 
> Now I now what got rejected, but not why.
> 
> This is the line from the log:
> Nov  4 20:32:45 xxx kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= 
> MAC=00:a0:24:a9:30:bb:00:06:25:c1:06:86:08:00 SRC=10.10.0.2 DST=10.10.0.1 
> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32614 DF PROTO=TCP SPT=33575 DPT=445 
> WINDOW=5840 RES=0x00 SYN URGP=0
> 
> I really haven''t got a clue why a Linux client needs to
communicate with
> another Linux host on port 445 whereas the Windows client doesnt.
> 
> I had these standard rules for SMB:
>
#-----------------------------------------------------------------------------
> ### SMB
>
#-----------------------------------------------------------------------------
> ACCEPT  fw              loc                     udp     137:139
> ACCEPT  fw              loc                     tcp     137,139
> ACCEPT  fw              loc                     udp     1024:   137
> ACCEPT  loc             fw                      udp     137:139
> ACCEPT  loc             fw                      tcp     137,139
> ACCEPT  loc             fw                      udp     1024:   137
> 
> And added this line:
> ACCEPT  loc             fw                      tcp     445
> 
> Maybe it could be added to the website to $ave other people the trouble?
> 
> Possibly I need to put a similar line for the reverse fw -> loc if i
need
> to mount a share from the workstation but haven''t tried that.
> 
> On Mon, 3 Nov 2003, Tom Eastep wrote:
> 
> > On Mon, 3 Nov 2003, Remco Barendse wrote:
> > 
> > >
> > > Ideas anyone?
> > >
> > 
> > Shorewall suppresses logging of all SMB noise through entries in
> > /etc/shorewall/common.def (otherwise, the log would be useless). You
can
> > try running with an empty /etc/shorewall/common file and see what is
> > getting blocked in the fw<->loc traffic.
> > 
> > -Tom
> > --
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep@shorewall.net
> > 
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users@lists.shorewall.net
> > Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
> > 
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

> > Maybe it could be added to the website to $ave other people the
trouble?
It''s already there.

-Tom
-- 
Tom Eastep     \ Nothing is foolproof for a sufficiently talented fool
Shoreline       \ http://www.shorewall.net
Washington, USA  \ teastep@shorewall.net

--- Remco Barendse <shorewall@barendse.to> wrote:
> Oops, I should think before I type, ofcourse I know:
Or read this:

http://www.shorewall.net/samba.htm

JBanks

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

The page below does not contain a rule to open port 445 tcp and udp!

On Tue, 4 Nov 2003, Joshua Banks wrote:
> 
> --- Remco Barendse <shorewall@barendse.to> wrote:
> > Oops, I should think before I type, ofcourse I know:
> 
> Or read this:
> 
> http://www.shorewall.net/samba.htm
> 
> JBanks
> 
> __________________________________
> Do you Yahoo!?
> Protect your identity with Yahoo! Mail AddressGuard
> http://antispam.yahoo.com/whatsnewfree
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

Am not being clear here, it contains a rule for 445 tcp only.

Isn''t udp ever used? 

On Tue, 4 Nov 2003, Remco Barendse wrote:
> The page below does not contain a rule to open port 445 tcp and udp!
> 
> On Tue, 4 Nov 2003, Joshua Banks wrote:
> 
> > 
> > --- Remco Barendse <shorewall@barendse.to> wrote:
> > > Oops, I should think before I type, ofcourse I know:
> > 
> > Or read this:
> > 
> > http://www.shorewall.net/samba.htm
> > 
> > JBanks
> > 
> > __________________________________
> > Do you Yahoo!?
> > Protect your identity with Yahoo! Mail AddressGuard
> > http://antispam.yahoo.com/whatsnewfree
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users@lists.shorewall.net
> > Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
> > 
> 
>

> Am not being clear here, it contains a rule for 445 tcp only.
>
> Isn''t udp ever used?
>
>
AFAIK, only TCP is used.

-Tom
-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline       \ http://www.shorewall.net
Washington, USA  \ teastep@shorewall.net

--- Remco Barendse <shorewall@barendse.to> wrote:
> Am not being clear here, it contains a rule for 445 tcp only.
> 
> Isn''t udp ever used? 
I''m Not a Samba user but I find plenty of stuff on Google that refers
to port 445 tcp/udp with Samba.

This is what IANA.org reports.

microsoft-ds    445/tcp    Microsoft-DS
microsoft-ds    445/udp    Microsoft-DS

HTH''s,
JBanks


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree