Before wasting a lot of time going at this in the wrong list, I would like to confirm whether my thinking is on or off base with respect to source and destination ports.

Samba is being blocked by fw2loc even though I have accept rules set up. I believe I can explain why, but I could be wrong. I think that for some reason, samba is sourcing stuff on the commonly used port 137, but trying to send it to a destination port that is not a common port for the protocol. Should samba not be sending to a DPT of 137-139 instead of to 32771 as shown below? Does this look like a samba problem and not a firewall setup problem to anyone else? Have I lost my senses or proven my ignorance?

Maybe this is a reply to an incoming request from 192.168.1.1? If so, I did not think I would need to open ports for responses. The reason I think I am not crazy is because I used the same philosophy for opening ssh ports as I did for setting up samba. Other opened ports work fine, just not the samba ones.

From my log on 192.168.1.3:

...
Apr 8 10:28:14 KRayHome kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=40 DF PROTO=UDP SPT=137 DPT=32824 LEN=70
...
Apr 27 22:12:12 KRayHome kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=180 DF PROTO=UDP SPT=137 DPT=32770 LEN=70
...
Apr 29 23:33:22 KRayHome kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=148 DF PROTO=UDP SPT=137 DPT=32771 LEN=70
...
Apr 30 04:53:29 KRayHome kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=31 DF PROTO=UDP SPT=137 DPT=32800 LEN=70

I have a rule to accept 137, but does this not mean DPT 137?

On another note, I do not understand why I do not see info log messages for drops and rejects when I try to browse the samba network. When something does not work, I usually go to the log to see if the firewall dropped something, but it seems since I went to this version of Mandrake, I do not see all of the drops or rejects in the log.

The above log messages are generated only when nmbd talks on its own. It seems that UDPs dropped are not always logged? Am I nuts? All my drops and rejects in policy are set to do info logging. Is there some setup elsewhere that might be silently dropping things?

# grep netbios rules
ACCEPT $FW loc tcp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds
ACCEPT $FW loc udp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds
ACCEPT loc $FW tcp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds
ACCEPT loc $FW udp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds

# grep netbios /etc/services
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp

# rpm -qa | egrep "(samba)|(shorewall)"
samba-server-3.0.7-2mdk
samba-swat-3.0.7-2mdk
samba-doc-3.0.7-2mdk
shorewall-doc-1.3.14-3mdk
samba-common-3.0.7-2mdk
shorewall-2.0.8-1mdk
samba-client-3.0.7-2mdk

Attached is a status.txt

BTW, 192.168.1.1 has an identical setup.
On Saturday 30 April 2005 05:50 am, Kevin R. Bulgrien wrote:

> Maybe this is a reply to an incoming request from
> 192.168.1.1? If so, I did not think I would need to open ports for
> responses. The reason I think I am not crazy is because I used the
> same philosophy for opening ssh ports as I did for setting up samba.
> Other opened ports work fine, just not the samba ones.

> On another note, I do not understand why I do not see info log
> messages for drops and rejects when I try to browse the samba
> network. When something does not work, I usually go to the log
> to see if the firewall dropped something, but it seems since I went
> to this version of Mandrake, I do not see all of the drops or rejects
> in the log.
>
> The above log messages are generated only when nmbd talks on
> its own. It seems that UDPs dropped are not always logged? Am I
> nuts? All my drops and rejects in policy are set to do info logging.
> Is there some setup elsewhere that might be silently dropping things?

Oops, the browse does result in drop/reject messages on the remote system... It is not the local system that is blocking me. I better look more closely at things.

Apr 30 06:07:11 kraysrvr kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.3 LEN=257 TOS=0x00 PREC=0x00 TTL=64 ID=518 DF PROTO=UDP SPT=137 DPT=32793 LEN=237

Ok, nope, do not see something wrong on the server either.

NEWNOTSYN is yes on both systems.

# rpm -qa | egrep "(samba)|(shorewall)"
samba-swat-3.0.7-2mdk
shorewall-doc-1.4.6c-2mdk
samba-server-3.0.7-2mdk
samba-doc-3.0.7-2mdk
shorewall-2.0.8-1mdk
samba-common-3.0.7-2mdk
samba-client-3.0.7-2mdk

# grep netbios rules /etc/services
rules:ACCEPT fw loc tcp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
rules:ACCEPT fw loc udp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
rules:ACCEPT loc fw tcp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
rules:ACCEPT loc fw udp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
/etc/services:netbios-ns 137/tcp # NETBIOS Name Service
/etc/services:netbios-ns 137/udp
/etc/services:netbios-dgm 138/tcp # NETBIOS Datagram Service
/etc/services:netbios-dgm 138/udp
/etc/services:netbios-ssn 139/tcp # NETBIOS session service
/etc/services:netbios-ssn 139/udp

Attached is server.status.txt
Kevin R. Bulgrien wrote:

> Before wasting a lot of time going at this in the wrong list, I would like
> to confirm whether my thinking is on or off base with respect to source
> and destination ports.
>
> Samba is being blocked by fw2loc even though I have accept rules
> set up. I believe I can explain why, but I could be wrong.

a) Go to http://shorewall.net/samba.htm
b) FOLLOW THE INSTRUCTIONS
c) It will work

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> On Saturday 30 April 2005 05:50 am, Kevin R. Bulgrien wrote:
>
> > Maybe this is a reply to an incoming request from
> > 192.168.1.1? If so, I did not think I would need to open ports for
> > responses. The reason I think I am not crazy is because I used the
> > same philosophy for opening ssh ports as I did for setting up samba.
> > Other opened ports work fine, just not the samba ones.
>
> > On another note, I do not understand why I do not see info log
> > messages for drops and rejects when I try to browse the samba
> > network. When something does not work, I usually go to the log
> > to see if the firewall dropped something, but it seems since I went
> > to this version of Mandrake, I do not see all of the drops or rejects
> > in the log.
> >
> > The above log messages are generated only when nmbd talks on
> > its own. It seems that UDPs dropped are not always logged? Am I
> > nuts? All my drops and rejects in policy are set to do info logging.
> > Is there some setup elsewhere that might be silently dropping things?
>
> Oops, the browse does result in drop/reject messages on the remote
> system... It is not the local system that is blocking me. I better
> look more closely at things.
>
> Apr 30 06:07:11 kraysrvr kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=192.168.1.1 DST=192.168.1.3 LEN=257 TOS=0x00 PREC=0x00 TTL=64 ID=518 DF
> PROTO=UDP SPT=137 DPT=32793 LEN=237
>
> Ok, nope, do not see something wrong on the server either.
>
> NEWNOTSYN is yes on both systems.
>
> # rpm -qa | egrep "(samba)|(shorewall)"
> samba-swat-3.0.7-2mdk
> shorewall-doc-1.4.6c-2mdk
> samba-server-3.0.7-2mdk
> samba-doc-3.0.7-2mdk
> shorewall-2.0.8-1mdk
> samba-common-3.0.7-2mdk
> samba-client-3.0.7-2mdk
>
> # grep netbios rules /etc/services
> rules:ACCEPT fw loc tcp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
> rules:ACCEPT fw loc udp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
> rules:ACCEPT loc fw tcp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
> rules:ACCEPT loc fw udp netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -
> /etc/services:netbios-ns 137/tcp # NETBIOS Name Service
> /etc/services:netbios-ns 137/udp
> /etc/services:netbios-dgm 138/tcp # NETBIOS Datagram Service
> /etc/services:netbios-dgm 138/udp
> /etc/services:netbios-ssn 139/tcp # NETBIOS session service
> /etc/services:netbios-ssn 139/udp

Based on the logging only, I'd say you're missing this rule:

ACCEPT fw loc udp 1024: 137

from: http://www.shorewall.net/samba.htm

but I really can't tell, no rules file with the info you posted.

Jerry
On Saturday 30 April 2005 08:46, Tom Eastep wrote:

> a) Go to http://shorewall.net/samba.htm
> b) FOLLOW THE INSTRUCTIONS
> c) It will work
>
> -Tom

Thank you, sir. Yes, it did, and so I realize I did not search the documentation broadly enough. This must have changed in Samba some time unless I have really gone bonkers. I had working Samba without that rule with SPT 137 for a long time, but possibly not since updating to Mandrake 10.x (maybe Samba 3.*).

This experience has also taught me about how to realize when to use the SPT field as I have never had opportunity to use it before. I am now a hair smarter about reading the logs and knowing how to react to them. :-)

BTW, Shorewall is on several systems I try to take care of. Your efforts with this software are much appreciated.

Kevin R. Bulgrien
On Saturday 30 April 2005 08:49, Jerry Vonau wrote:

> Based on the logging only, I'd say you're missing this rule:
>
> ACCEPT fw loc udp 1024: 137
>
> from: http://www.shorewall.net/samba.htm
>
> but I really can't tell, no rules file with the info you posted.
>
> Jerry

You called it correctly. Thanks. I guess I know now how to react to that kind of log message. I had never had a requirement to use the SPT field before ... even though on some systems I like to start out with a policy of all all DROP info.

Kevin R. Bulgrien
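As an added illustration of Jerry's diagnosis and Kevin's confirmation (example code written for this page, not from the thread or from Shorewall itself): a small Python matcher that parses the REJECT lines quoted above and evaluates them first against the original NetBIOS rules, then with `ACCEPT fw loc udp 1024: 137` added. It assumes the zones already match and models only the PROTO, DEST PORT(S) and SOURCE PORT(S) columns of the rules file; note that the added rule is bound to an unprivileged destination range rather than accepting anything that merely claims source port 137.

```python
import re

# Two REJECT lines quoted in the thread, embedded here as constructed sample input.
LOG_LINES = [
    "Apr 8 10:28:14 KRayHome kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth0 "
    "SRC=192.168.1.3 DST=192.168.1.1 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=40 DF "
    "PROTO=UDP SPT=137 DPT=32824 LEN=70",
    "Apr 30 06:07:11 kraysrvr kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=192.168.1.1 DST=192.168.1.3 LEN=257 TOS=0x00 PREC=0x00 TTL=64 ID=518 DF "
    "PROTO=UDP SPT=137 DPT=32793 LEN=237",
]

# Service names from the rules file, resolved as /etc/services on the thread's hosts does.
SERVICES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445}

FIELD = re.compile(r"\b(PROTO|SPT|DPT)=(\S+)")

def parse_log(line):
    """Extract (proto, source port, dest port) from a netfilter/Shorewall log line."""
    f = dict(FIELD.findall(line))
    return f["PROTO"].lower(), int(f["SPT"]), int(f["DPT"])

def port_matches(spec, port):
    """Shorewall port column: '-' = any, 'a,b' = list, 'lo:hi' = range, 'lo:' = lo..65535."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        lo = SERVICES.get(lo, lo)  # service name -> number; numbers pass through unchanged
        if sep and int(lo) <= port <= (int(hi) if hi else 65535):
            return True
        if not sep and int(lo) == port:
            return True
    return False

# Rules as (PROTO, DEST PORT(S), SOURCE PORT(S)), the column order of the rules file.
# Zones (fw -> loc) are assumed to match already; only the port columns are evaluated.
ORIGINAL_RULES = [
    ("tcp", "netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds", "-"),
    ("udp", "netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds", "-"),
]
# The extra rule from shorewall.net/samba.htm: replies FROM port 137 TO an unprivileged port.
FIXED_RULES = ORIGINAL_RULES + [("udp", "1024:", "137")]

def accepted(rules, line):
    """True if any rule in the list would ACCEPT the packet described by the log line."""
    proto, spt, dpt = parse_log(line)
    return any(p == proto and port_matches(d, dpt) and port_matches(s, spt)
               for p, d, s in rules)
```

Running `accepted(ORIGINAL_RULES, LOG_LINES[0])` returns False because DPT=32824 is not in the NetBIOS list, while `accepted(FIXED_RULES, LOG_LINES[0])` returns True, which is exactly why the log showed SPT=137 with a high DPT.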