Hello all,

My network is configured like this:
- a local network, with Windows Domain
- a DMZ network for our servers

We communicate between both by proxyarp.

Because we need to share folders with our servers in DMZ, these servers are using samba. We don't have any problems sharing folders with them, i.e. calling them by their IP address, EXCEPT that the netbios names of our servers in DMZ aren't recognized.
Moreover, when I try to make an nmblookup from the DMZ to our local Windows Primary Controller Domain, it fails because:

- the broadcast address X.X.X.255 with port 137 (netbios-ns) is not replied to by our Windows PDC, even if they are in the same broadcast address. It seems that shorewall is blocking broadcast requests from DMZ to local.
- using the unicast address directly from nmblookup will make the Windows PDC receive the netbios-ns udp request, but it fails when responding.

I have correctly set up samba rules in the rules file, but I have read somewhere that I need to set up port forwarding for smb/nmb. What does it mean?

Thanks a lot.
Phong
On Tue, 2004-11-02 at 02:30, Nguyen Phong wrote:
> Hello all,
>
> My network is configured like this:
> - a local network, with Windows Domain
> - a DMZ network for our servers
>
> We communicate between both by proxyarp.
>
> Because we need to share folders with our servers in DMZ, these servers
> are using samba. We don't have any problems sharing folders with them, i.e.
> calling them by their IP address, EXCEPT that the netbios names of our
> servers in DMZ aren't recognized.
> Moreover, when I try to make an nmblookup from the DMZ to our local
> Windows Primary Controller Domain, it fails because:
>
> - the broadcast address X.X.X.255 with port 137 (netbios-ns) is not
> replied to by our Windows PDC, even if they are in the same broadcast
> address. It seems that shorewall is blocking broadcast requests from DMZ
> to local.

*No* router will forward broadcasts -- this problem has nothing to do with Shorewall but rather is a simple consequence of the way that IP works. If you want your DMZ and local network to be in the same broadcast domain, you must bridge them (http://shorewall.net/bridge.html).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Nguyen Phong wrote:
> - the broadcast address X.X.X.255 with port 137 (netbios-ns) is not
> replied to by our Windows PDC, even if they are in the same broadcast
> address. It seems that shorewall is blocking broadcast requests from DMZ
>
> Phong

You have to use WINS, or Active Directory. Which one depends on the vintage of PDC you have. With an NT4 PDC you can only do WINS. With a Win200x PDC you get Active Directory, which is actually the name for a group of name resolution protocols (including WINS) that are supposed to support all the possible Windows OS and their mutually incompatible protocols. NETBIOS name resolution that depends on broadcasts (what you are doing) will not work across networks, as stated in another reply.
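The two replies make the same point from different angles: a broadcast name query on UDP 137 stops at the router, so the DMZ server must send a directed (unicast) query to a WINS server instead. As an added illustration that is not from the thread, Shorewall or Samba, here is a small Python NBNS client that builds the RFC 1002 name query nmblookup sends, with the B flag set for a broadcast query and clear for a WINS query, and parses the reply; the target address passed to resolve() and the 192.0.2.x values in comments are constructed placeholders, not addresses from the thread.

```python
import socket
import struct

def encode_netbios_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: 15-byte padded name + suffix byte, each nibble as a letter A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def build_name_query(name, broadcast, txid=0x1234, suffix=0x20):
    """NetBIOS name query; the B flag (0x0010) marks a broadcast query, a WINS query leaves it clear."""
    flags = 0x0100 | (0x0010 if broadcast else 0)  # RD=1, plus B for broadcast
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, no answers
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack("!HH", 0x0020, 0x0001)  # QTYPE=NB, QCLASS=IN

def _skip_name(pkt, pos):
    # Either a 2-byte compression pointer (0xC0..) or length-prefixed labels ending in a 0 byte.
    if pkt[pos] & 0xC0 == 0xC0:
        return pos + 2
    while pkt[pos]:
        pos += 1 + pkt[pos]
    return pos + 1

def parse_name_response(pkt):
    """IPv4 addresses from a positive name query response (QR set, rcode 0), else []."""
    _, flags, qd, an = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or flags & 0x000F or an == 0:
        return []
    pos = 12
    for _ in range(qd):  # questions are normally absent from responses
        pos = _skip_name(pkt, pos) + 4
    pos = _skip_name(pkt, pos)
    _, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])  # TYPE, CLASS, TTL, RDLENGTH
    rdata, addrs = pkt[pos + 10:pos + 10 + rdlen], []
    for i in range(0, len(rdata) - 5, 6):  # entries of NB_FLAGS(2) + NB_ADDRESS(4)
        addrs.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return addrs

def resolve(name, target, broadcast=False, timeout=2.0):
    """Send one query (unicast to a WINS server, e.g. 192.0.2.1, or to the subnet broadcast) and parse the first reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)  # harmless for unicast
        s.settimeout(timeout)
        s.sendto(build_name_query(name, broadcast), (target, 137))  # netbios-ns
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:  # e.g. a broadcast that never crossed the router
            return []
        return parse_name_response(data)
```

resolve("PDCNAME", "192.0.2.1") is the unicast WINS lookup the replies recommend; resolve("PDCNAME", "192.0.2.255", broadcast=True) behaves like nmblookup's broadcast and simply times out from a different subnet.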