I'm running a Fedora Core 1 Samba server and Shorewall 2.0.1.

Connections to Samba shares from both loc hosts and the fw host are usually impossible, unless I boot the Server and connect a loc machine to a Samba share before starting Shorewall. This requires manually toggling the startup_disabled filename and starting Shorewall manually after each boot.

I used the two-interface guide (http://www.shorewall.net/two-interface.htm): eth0 is my local network and eth1 connects to a router/DHCP server >> cable modem and internet.

Next, I fixed the iptables messages problem with the firewall errata (http://shorewall.net/pub/shorewall/errata/2.0.1/firewall).

Finally, I added the additional "Samba Rules" (http://www.shorewall.net/samba.htm), which at least made Samba connections possible, but subject to the startup limitation above.

I found another Samba ruleset on the web and tried these rules (old rules from the Shorewall site example are commented out):

# Allow Samba between fw and loc
#
#ACCEPT fw loc udp 137:139
ACCEPT fw loc udp 137,138,139
#ACCEPT fw loc tcp 137,139,445
ACCEPT fw loc tcp 137,138,139,445
ACCEPT fw loc udp 1024: 137
#ACCEPT loc fw udp 137:139
ACCEPT loc fw udp 53,137,138,139
#ACCEPT loc fw tcp 137,139,445
ACCEPT loc fw tcp 80,443,22,20,21,53,137,138,139,445
#ACCEPT loc fw udp 1024: 137
ACCEPT loc fw udp 1024: 137

I'm a complete noob and I don't understand how Samba uses all these ports, so I'd appreciate any feedback on whether I've actually solved the problem or simply incurred new liabilities that are, as yet, hidden, when I added these additional ports.

Thanks much!

Cal

(suggested sysinfo follows)

vmlinux-2.4.22-1.2188 w/ full install (all packages) and all updates.
[root@Fez /]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:09:5b:8e:6f:1a brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0d:87:63:9e:7a brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1

[root@Fez etc]# ip route show
10.0.0.0/24 dev eth0 scope link
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.5
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth1
calinb@comcast.net wrote:

> I'm running a Fedora Core 1 Samba server and Shorewall 2.0.1
>
> Connections to Samba shares from both loc hosts and the fw host are
> usually impossible, unless I boot the Server and connect a loc machine
> to a Samba share before starting Shorewall.

a) Does "Server" = "System where Shorewall is running"?
b) If so, does that mean that the firewall system can't connect to itself? or does it mean that it can't mount shares in the 'loc' zone? or ???
c) What does 'usually' mean? Does it work sometimes?
d) Are you running Samba 2 or Samba 3?
e) After you have gone through this ridiculous thing with the startup disabled file (you really need to learn how to enable/disable services at startup using "chkconfig" and how to use the "shorewall clear" command), can you then connect to shares in both directions (or whatever b) above means)?
f) Does browsing work within the network?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
calinb@comcast.net
2004-May-14 22:23 UTC
Re: YASP (Yet another Samba Problem) and Shorewall
Wow! Thanks for your prompt help Tom! Given that I'm committed to using and benefitting from your work, and the fact that you don't personally accept donations, I've donated as you suggested on your website. I'd like you and others to know that your efforts are spawning more goodwill. Thanks!

> a) Does "Server" = "System where Shorewall is running"?

yes

> b) If so, does that mean that the firewall system can't connect to
> itself? or does it mean that it can't mount shares in the 'loc' zone? or ???

Correct on both counts. When I try to browse smb:// with gnome on the Shorewall/Samba host, I get a "master browser error." This also means I can't see or access the shares on my loc XP machine from the firewall system either. Sorry I don't have the exact error with me ATM. I'll learn how to connect from the Linux terminal window next, but browsing with gnome doesn't work.

After my Shorewall workaround, I can browse with the firewall system and access the firewall Samba shares and the shares on my XP machine.

Also, I can't reliably (see answer to (c) below) mount firewall system shares from machines on the loc network (connected to eth0 on the firewall system) without the "workarounds." I've attempted to map firewall system shares to both XP and WinME systems on the network. Again, works okay with the "workarounds."

> c) What does 'usually' mean? Does it work sometimes?

To quantify this, I need to run more trials. Yes, occasionally things work as expected without the "workarounds." It's really flakey though--sometimes I can browse from the firewall system to the local Samba shares, but not see the XP machine/shares at all. Occasionally I can connect to the Shorewall/Samba shares from another machine on the loc network. This is very rare though. Lately, nothing works without the workarounds that I've described (addition of ports in the Samba rule or the manual startup order.)

The increase in problems may have something to do with my recent installation of the latest Fedora package updates, including Samba. I didn't have much time on the system before I updated it so I'm not certain there's a correlation. I'll attempt more trial runs and improve this report to you, if possible :)

> d) Are you running Samba 2 or Samba 3?

According to the Fedora distro pkg list, it's 3.0.0. I still have to learn how to ask Samba to print the version to the console :\

> e) After you have gone through this ridiculous thing with the startup
> disabled file (you really need to learn how to enable/disable services
> at startup using "chkconfig" and how to use the "shorewall clear"
> command), can you then connect to shares in both directions (or whatever
> b) above means)?

I've used "clear" but didn't think of using it for this purpose. I'll try it. I've tried stop and that's not enough. chkconfig?--hmmm, I was looking for the command line version of the Red Hat "Services Config Tool" GUI. Thanks. Yes, b) means both directions.

> f) Does browsing work within the network?

Not sure what you're asking here. Yes, it works between other machines on the network, just not to and from the Samba/Shorewall machine. BTW, internet web browsing works from loc machines on the network just fine (using masquerading).

Sorry that I'm a difficult and clueless Linux/Shorewall noob. Unfortunately, bringing up a firewall is one of the first things a noob must accomplish because internet connectivity is essential for continuing system and educational development. Now I'm wondering if I should upgrade to Fedora Core 2 Final when it's released on Monday or continue to work on this problem.

Does it make any sense to you that adding additional ports to the Samba section of the rules file makes everything work? Should I study Samba and attempt to learn when and why it uses all those ports?

Thanks again,

Cal

> calinb@comcast.net wrote:
> > I'm running a Fedora Core 1 Samba server and Shorewall 2.0.1
> >
> > Connections to Samba shares from both loc hosts and the fw host are
> > usually impossible, unless I boot the Server and connect a loc machine
> > to a Samba share before starting Shorewall.
>
> a) Does "Server" = "System where Shorewall is running"?
> b) If so, does that mean that the firewall system can't connect to
> itself? or does it mean that it can't mount shares in the 'loc' zone? or ???
> c) What does 'usually' mean? Does it work sometimes?
> d) Are you running Samba 2 or Samba 3?
> e) After you have gone through this ridiculous thing with the startup
> disabled file (you really need to learn how to enable/disable services
> at startup using "chkconfig" and how to use the "shorewall clear"
> command), can you then connect to shares in both directions (or whatever
> b) above means)?
> f) Does browsing work within the network?
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Fri, 14 May 2004 calinb@comcast.net wrote:

> Wow! Thanks for your prompt help Tom! Given that I'm committed to
> using and benefitting from your work, and the fact that you don't
> personally accept donations, I've donated as you suggested on your
> website. I'd like you and others to know that your efforts are spawning
> more goodwill. Thanks!
>

Thank you!

> > a) Does "Server" = "System where Shorewall is running"?
>
> yes
>
> > b) If so, does that mean that the firewall system can't connect to
> > itself? or does it mean that it can't mount shares in the 'loc' zone? or ???
>
> Correct on both counts. When I try to browse smb:// with gnome on the
> Shorewall/Samba host, I get a "master browser error." This also means I
> can't see or access the shares on my loc XP machine from the firewall
> system either. Sorry I don't have the exact error with me ATM. I'll
> learn how to connect from the Linux terminal window next, but browsing
> with gnome doesn't work.
>
> After my Shorewall workaround, I can browse with the firewall system and
> access the firewall Samba shares and the shares on my XP machine.
>
> Also, I can't reliably (see answer to (c) below) mount firewall system
> shares from machines on the loc network (connected to eth0 on the
> firewall system) without the "workarounds." I've attempted to map
> firewall system shares to both XP and WinME systems on the network.
> Again, works okay with the "workarounds."
>
> > c) What does 'usually' mean? Does it work sometimes?
>
> To quantify this, I need to run more trials. Yes, occasionally things
> work as expected without the "workarounds." It's really flakey
> though--sometimes I can browse from the firewall system to the local
> Samba shares, but not see the XP machine/shares at all. Occasionally I
> can connect to the Shorewall/Samba shares from another machine on the
> loc network. This is very rare though. Lately, nothing works without
> the workarounds that I've described (addition of ports in the Samba
> rule or the manual startup order.) The increase in problems may have
> something to do with my recent installation of the latest Fedora package
> updates, including Samba. I didn't have much time on the system before
> I updated it so I'm not certain there's a correlation. I'll attempt
> more trial runs and improve this report to you, if possible :)
>

Shorewall-generated rules are very definite -- they do the same thing every time unless you use rate-limiting.

> > d) Are you running Samba 2 or Samba 3?
>
> According to the Fedora distro pkg list, it's 3.0.0. I still have to
> learn how to ask Samba to print the version to the console :\

I have yet to get Samba 3 to work reliably.

>
> Not sure what you're asking here. Yes, it works between other machines
> on the network, just not to and from the Samba/Shorewall machine. BTW,
> internet web browsing works from loc machines on the network just fine
> (using masquerading).
>

That's the part that I can't get working with Samba 3.

>
> Does it make any sense to you that adding additional ports to the Samba
> section of the rules file makes everything work? Should I study Samba
> and attempt to learn when and why it uses all those ports?
>

No. The ports published on my web site seem to work for the rest of the world and the differences between what you have and what I publish are:

a) You are allowing DNS from loc->fw (should be irrelevant).
b) You are allowing TCP port 138 (which isn't used).
c) You are allowing a bunch of ports related to other apps from loc->fw.

And it doesn't sound like changing the config really changed anything anyway if you must clear the firewall before you can connect (once you are connected, Shorewall rules are not a factor since they only control new connections).

What I suggest you do is remove Shorewall totally from your fw<->loc interface (you seem to be treating the Shorewall box as an extension of your local network anyway).

a) Add these two policies:

fw loc ACCEPT
loc fw ACCEPT

b) Remove all fw<->loc rules.

Now you will know that any remaining problems are not Shorewall-related.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
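Tom's three findings (DNS from loc->fw, TCP 138, and a set of unrelated application ports) are the kind of thing that is easy to check mechanically when a rules file grows by copy-and-paste. The script below is an added illustration for this thread, not code from Shorewall or from any poster. It parses rule lines in the rules-file column layout used above (ACTION SOURCE DEST PROTO DEST_PORT(S) [SOURCE_PORT(S)]), takes as its baseline the commented-out "old rules from the Shorewall site example" in Cal's post (an assumption: that those lines are exactly what samba.htm opens), and lists every destination port the posted ruleset accepts beyond that baseline. The function and variable names (`audit`, `PUBLISHED_SAMBA_RULES`, `POSTED_RULES`) are this example's own.

```python
"""Audit a Shorewall fw<->loc ruleset against the published Samba port set.

Added illustration for this thread, not Shorewall project code.  Rule lines
use the column order seen in the thread:

    ACTION SOURCE DEST PROTO DEST_PORT(S) [SOURCE_PORT(S)]

Port columns may be a single port, a comma list, a range (137:139) or an
open-ended range (1024:).  Lines starting with '#' are ignored.
"""
from dataclasses import dataclass

# Baseline assumed for the audit: the commented-out "old rules from the
# Shorewall site example" in Cal's post (taken here as what samba.htm opens).
PUBLISHED_SAMBA_RULES = """
ACCEPT fw  loc udp 137:139
ACCEPT fw  loc tcp 137,139,445
ACCEPT fw  loc udp 1024: 137
ACCEPT loc fw  udp 137:139
ACCEPT loc fw  tcp 137,139,445
ACCEPT loc fw  udp 1024: 137
"""

# Sample input: the active (uncommented) rules from Cal's post.
POSTED_RULES = """
ACCEPT fw  loc udp 137,138,139
ACCEPT fw  loc tcp 137,138,139,445
ACCEPT fw  loc udp 1024: 137
ACCEPT loc fw  udp 53,137,138,139
ACCEPT loc fw  tcp 80,443,22,20,21,53,137,138,139,445
ACCEPT loc fw  udp 1024: 137
"""


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int

    def covers(self, other: "PortRange") -> bool:
        return self.lo <= other.lo and other.hi <= self.hi

    def __str__(self) -> str:
        return str(self.lo) if self.lo == self.hi else f"{self.lo}:{self.hi}"


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dports: tuple   # PortRange objects from the DEST PORT column
    sports: tuple   # PortRange objects from SOURCE PORT(S); empty if '-' or absent


def parse_ports(spec: str) -> tuple:
    """Expand '137,139,445', '137:139' or '1024:' into PortRange objects."""
    if spec in ("", "-"):
        return ()
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            ranges.append(PortRange(int(lo), int(hi) if hi else 65535))
        else:
            ranges.append(PortRange(int(item), int(item)))
    return tuple(ranges)


def parse_rules(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 5:
            raise ValueError(f"unrecognised rule line: {raw!r}")
        action, source, dest, proto, dports = cols[:5]
        sports = cols[5] if len(cols) > 5 else "-"
        rules.append(Rule(action, source, dest, proto.lower(),
                          parse_ports(dports), parse_ports(sports)))
    return rules


def is_covered(rule: Rule, port: PortRange, baseline: list) -> bool:
    """True if a baseline rule with the same zones, protocol and source-port
    column spans this destination port (so 'udp 1024: 137' only matches
    the matching reply rule, not a general high-port opening)."""
    for b in baseline:
        if (b.source, b.dest, b.proto, b.sports) != (rule.source, rule.dest, rule.proto, rule.sports):
            continue
        if any(r.covers(port) for r in b.dports):
            return True
    return False


def audit(rules_text: str, baseline_text: str = PUBLISHED_SAMBA_RULES) -> list:
    """Return (source, dest, proto, port) for every destination port the
    ruleset opens beyond the baseline; an empty list means nothing extra."""
    baseline = parse_rules(baseline_text)
    findings = []
    for rule in parse_rules(rules_text):
        for port in rule.dports:
            if not is_covered(rule, port, baseline):
                findings.append((rule.source, rule.dest, rule.proto, str(port)))
    return findings


if __name__ == "__main__":
    for source, dest, proto, port in audit(POSTED_RULES):
        print(f"extra: {source}->{dest} {proto}/{port} is not part of the Samba rules")
```

Run against the posted ruleset it reports TCP 138 in both directions, UDP and TCP 53 from loc->fw, and the loc->fw web, SSH and FTP ports, which is Tom's list a) to c) exactly; run against the baseline itself it reports nothing. Note that the source-port column is compared exactly, so the `udp 1024: 137` reply rule is only accepted when it is paired with source port 137 as the published rule is.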
Tom Eastep wrote:
>
>>Does it make any sense to you that adding additional ports to the Samba
>>section of the rules file makes everything work? Should I study Samba
>>and attempt to learn when and why it uses all those ports?
>>
>
> No. The ports published on my web site seem to work for the rest of the
> world and the differences between what you have and what I publish
> are:
>
> a) You are allowing DNS from loc->fw (should be irrelevant).
> b) You are allowing TCP port 138 (which isn't used).
> c) You are allowing a bunch of ports related to other apps from loc->fw.
>
> And it doesn't sound like changing the config really changed anything
> anyway if you must clear the firewall before you can connect (once you are
> connected, Shorewall rules are not a factor since they only control new
> connections).
>
> What I suggest you do is remove Shorewall totally from your fw<->loc
> interface (you seem to be treating the Shorewall box as an extension of
> your local network anyway).
>
> a) Add these two policies:
>
> fw loc ACCEPT
> loc fw ACCEPT
>
> b) Remove all fw<->loc rules.
>
> Now you will know that any remaining problems are not Shorewall-related.
>

One more thing -- what is the startup order of services in your regular run level (I assume your usual run level is 5 -- multi-user Graphical)? You can see that in /etc/rc5.d/S*. I'm wondering what else starts after Shorewall....

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Tom Eastep wrote:
>
>>>d) Are you running Samba 2 or Samba 3?
>>
>>According to the Fedora distro pkg list, it's 3.0.0. I still have to
>>learn how to ask Samba to print the version to the console :\
>
> I have yet to get Samba 3 to work reliably.
>
>>Not sure what you're asking here. Yes, it works between other machines
>>on the network, just not to and from the Samba/Shorewall machine. BTW,
>>internet web browsing works from loc machines on the network just fine
>>(using masquerading).
>>
>
> That's the part that I can't get working with Samba 3.
>

I've done some more testing and I have one Samba 3 system which appears to be working at the moment. I'll keep an eye on it....

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
On Fri, 2004-05-14 at 19:17 +0000, calinb@comcast.net wrote:

> I'm running a Fedora Core 1 Samba server and Shorewall 2.0.1
>
> Connections to Samba shares from both loc hosts and the fw host are
> usually impossible, unless I boot the Server and connect a loc machine
> to a Samba share before starting Shorewall. This requires manually
> toggling the startup_disabled filename and starting Shorewall manually
> after each boot.
>

For me, Samba connections to an FW using Shorewall usually work just fine. I just add a:

AllowSMB loc $FW

and it works fine. If you want the firewall to connect to loc via SMB (ick!), you would need to add the same rule with src/dst reversed.

--
David T Hollis <dhollis@davehollis.com>
David T Hollis wrote:
>
> For me, Samba connections to an FW using Shorewall usually work just
> fine. I just add a:
>
> AllowSMB loc $FW
>
> and it works fine. If you want the firewall to connect to loc via SMB
> (ick!), you would need to add the same rule with src/dst reversed.
>

I've also been unable to reproduce Calin's problem. I have a one-interface Mandrake 9 system running Samba 3 with the following policies and rules:

/etc/shorewall/policy:

net all DROP info
all all REJECT info

/etc/shorewall/rules:

#ACTION   SOURCE  DEST    PROTO  DEST     SOURCE   ORIGINAL
#                                PORT     PORT(S)  DEST
################################################################
#
# ICMP
#
ACCEPT    net     fw      icmp   8
ACCEPT    fw      net     icmp
#
# Allow SMB
#
AllowSMB  net     fw
AllowSMB  fw      net
#
# Allow SSH
#
AllowSSH  fw      net
AllowSSH  net     fw
#
# Allow all non-local outgoing traffic
#
ACCEPT    fw      net:!192.168.1.0/24
#
# Spooler
#
ACCEPT    fw      net     udp    631
ACCEPT    net     fw      udp    631

Immediately after boot, systems in the local network can browse this box and connect to its exported shares.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net