Hello,

I'm having a problem here with my setup which I could use some hints in the right direction with.
I want to do the following:
- Windows boxes (Instrumentation, not my choice ...) are supposed to samba into a linux fileserver (131.215.52.67)
- they don't see the net directly, but are walled up behind a linux firewall (172.16.0.1/131.215.35.26)
- both linux machines are running shorewall

windozes          Firewall          Fileserver
        \________^        \_______^

I'm in way over my head and am not looking for a solution of a particular problem with shorewall but for a sanity check on my general approach to this - so one might call this off-topic?
Does anybody have any hints for me?

Thanks for your time,

Joh

The firewall was set up with help from samples-2.2.0/two-interfaces.tgz and runs 2.2.1 (Debian Testing).

The policy file looks as follows:

fw    net   ACCEPT
net   all   DROP    info
fw    loc   ACCEPT
loc   fw    ACCEPT
all   all   REJECT  info

The rules file:

ACCEPT  fw   net                tcp   53
ACCEPT  fw   net                udp   53
ACCEPT  loc  fw                 tcp   22
ACCEPT  loc  fw                 icmp  8
ACCEPT  net  fw                 icmp  8
ACCEPT  fw   loc                icmp
ACCEPT  fw   net                icmp
ACCEPT  net  fw                 tcp   22
DNAT    loc  net:131.215.52.67  udp   137:139
DNAT    loc  net:131.215.52.67  tcp   137,139,445
DNAT    loc  net:131.215.52.67  udp   1024:        137

masq contains:

eth1  eth0

(eth1 is the firewall's outside interface 131.215.35.26, while eth0 is 172.16.0.1 and on the inside)

The fileserver runs shorewall 1.2.12 (debian stable).

Policy looks as follows:

fw    net   ACCEPT
net   all   DROP    info
loc   fw    ACCEPT
fw    loc   ACCEPT
all   all   REJECT  info

Rules says:

REJECT  net                  fw    tcp   113
ACCEPT  fw                   net   tcp   53
ACCEPT  fw                   net   udp   53
ACCEPT  loc                  fw    tcp   22
ACCEPT  net                  fw    tcp   22
ACCEPT  fw                   loc   icmp  8
ACCEPT  loc                  fw    icmp  8
ACCEPT  fw                   net   icmp  8
#Accept HTTPS
ACCEPT  net:131.215.35.0/24  fw    tcp   443
ACCEPT  net:131.215.3.0/24   fw    tcp   443
#Accept samba access from morannon
ACCEPT  net:131.215.35.26    loc   udp   137:139
ACCEPT  net:131.215.35.26    loc   tcp   137,139,445
ACCEPT  net:131.215.35.26    loc   udp   1024:
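Added example, not code from the thread or from the shorewall project: a small Python model of the column format used in the policy and rules files above, fed with the firewall's own entries as constructed sample input. It applies shorewall's evaluation order (first matching rule wins, otherwise the first matching policy), so you can ask "does this packet get through?" for a given zone pair, protocol and port, and it lists the TCP/UDP rules whose destination-port range is open-ended, such as the `udp 1024:` lines. The parser is a deliberate simplification: it understands `zone:address` qualifiers (single addresses or CIDR), port lists and ranges, and treats the DEST column of a DNAT rule as the forwarding target rather than a match; the interface, ORIGINAL DEST and later columns are ignored.

```python
"""Simplified shorewall policy/rules evaluator (illustrative, not shorewall itself).

Column order modelled here:
  policy: SOURCE DEST POLICY [LOG_LEVEL]
  rules:  ACTION SOURCE DEST PROTO [DEST_PORT(S)] [SOURCE_PORT(S)]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = [(0, 65535)]

# Constructed sample input: the firewall's policy and rules as posted above.
POLICY = """\
fw   net  ACCEPT
net  all  DROP   info
fw   loc  ACCEPT
loc  fw   ACCEPT
all  all  REJECT info
"""

RULES = """\
ACCEPT fw  net tcp 53
ACCEPT fw  net udp 53
ACCEPT loc fw  tcp 22
ACCEPT loc fw  icmp 8
ACCEPT net fw  icmp 8
ACCEPT fw  loc icmp
ACCEPT fw  net icmp
ACCEPT net fw  tcp 22
DNAT   loc net:131.215.52.67 udp 137:139
DNAT   loc net:131.215.52.67 tcp 137,139,445
DNAT   loc net:131.215.52.67 udp 1024: 137
"""

# Constructed sample input: the HTTPS and samba lines from the fileserver's rules.
SERVER_RULES = """\
ACCEPT net:131.215.35.0/24 fw  tcp 443
ACCEPT net:131.215.3.0/24  fw  tcp 443
ACCEPT net:131.215.35.26   loc udp 137:139
ACCEPT net:131.215.35.26   loc tcp 137,139,445
ACCEPT net:131.215.35.26   loc udp 1024:
"""


@dataclass
class Rule:
    action: str
    src_zone: str
    src_addr: Optional[str]
    dst_zone: str
    dst_addr: Optional[str]
    proto: str
    dports: List[Tuple[int, int]]
    sports: List[Tuple[int, int]]


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'53' -> [(53,53)]; '137:139' -> [(137,139)]; '1024:' -> [(1024,65535)]; '' -> any."""
    if not spec:
        return list(ANY_PORT)
    ranges = []
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ranges.append((int(lo or 0), int(hi or 65535)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def split_zone(field: str) -> Tuple[str, Optional[str]]:
    zone, _, addr = field.partition(":")
    return zone, (addr or None)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments / blank lines
        if not line:
            continue
        cols = line.split() + [""] * 6       # pad optional columns
        action, src, dst, proto, dport, sport = cols[:6]
        sz, sa = split_zone(src)
        dz, da = split_zone(dst)
        rules.append(Rule(action, sz, sa, dz, da, proto.lower(),
                          parse_ports(dport), parse_ports(sport)))
    return rules


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    return [tuple(l.split()[:3]) for l in text.splitlines() if len(l.split()) >= 3]


def addr_match(spec: Optional[str], addr: Optional[str]) -> bool:
    """An unqualified zone matches any address; a qualified one needs a concrete address."""
    if spec is None:
        return True
    if addr is None:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def in_ranges(port: int, ranges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def decide(rules, policy, src_zone, dst_zone, proto, dport,
           sport=None, src_addr=None, dst_addr=None):
    """Return (action, dnat_target). Rules are tried in order, then the policy."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) != (src_zone, dst_zone, proto):
            continue
        if not addr_match(r.src_addr, src_addr):
            continue
        # For DNAT the DEST address is where traffic is sent, not what is matched.
        if r.action != "DNAT" and not addr_match(r.dst_addr, dst_addr):
            continue
        if not in_ranges(dport, r.dports):
            continue
        if r.sports != ANY_PORT and (sport is None or not in_ranges(sport, r.sports)):
            continue
        return r.action, (r.dst_addr if r.action == "DNAT" else None)
    for s, d, p in policy:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return p, None
    return "REJECT", None


def wide_port_rules(rules, threshold=1000):
    """TCP/UDP rules whose destination-port set spans more than `threshold` ports."""
    return [r for r in rules
            if r.proto in ("tcp", "udp")
            and sum(hi - lo + 1 for lo, hi in r.dports) > threshold]


if __name__ == "__main__":
    fw_rules, pol = parse_rules(RULES), parse_policy(POLICY)
    print(decide(fw_rules, pol, "loc", "net", "tcp", 445))
    for r in wide_port_rules(fw_rules + parse_rules(SERVER_RULES)):
        print("open-ended:", r.action, r.src_zone, r.dst_zone, r.proto, r.dports)
```

Running it shows that SMB from the instrument subnet is rewritten to the fileserver, that the `udp 1024:` DNAT only fires for replies with source port 137, and that two rules in the posted configuration admit the whole 1024-65535 port range.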
On Thursday 31 March 2005 19:33, Johannes Graumann wrote:

> Hello,
>
> I'm having a problem here with my setup which I could use some hints in
> the right direction with.
> I want to do the following:
> - Windows boxes (Instrumentation, not my choice ...) are supposed to
> samba into a linux fileserver (131.215.52.67)
> - they don't see the net directly, but are walled up behind a linux
> firewall (172.16.0.1/131.215.35.26)
> - both linux machines are running shorewall
>
> windozes          Firewall          Fileserver
>         \________^        \_______^
>
> I'm in way over my head and am not looking for a solution of a particular
> problem with shorewall but for a sanity check on my general approach to
> this - so one might call this off-topic?
> Does anybody have any hints for me?

Yes -- use a VPN solution. I don't believe that you'll ever get that mess to work.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Thursday 31 March 2005 19:33, Johannes Graumann wrote:

> Hello,
>
> I'm having a problem here with my setup which I could use some hints in
> the right direction with.
> I want to do the following:
> - Windows boxes (Instrumentation, not my choice ...) are supposed to
> samba into a linux fileserver (131.215.52.67)
> - they don't see the net directly, but are walled up behind a linux
> firewall (172.16.0.1/131.215.35.26)
> - both linux machines are running shorewall
>
> windozes          Firewall          Fileserver
>         \________^        \_______^
>
> I'm in way over my head and am not looking for a solution of a particular
> problem with shorewall but for a sanity check on my general approach to
> this - so one might call this off-topic?
> Does anybody have any hints for me?

Yes -- use a VPN solution rather than trying to mount the shares directly. I think you'll have much better success.

If you create a VPN between the Firewall and the Server and run a WINS server (Samba can do this) you should be able to get this to work fairly easily.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Hi again,

After some trouble I got this working without a VPN. Seems fine to me.
Tom, do you not trust the Samba password encryption, or why would you prefer a VPN solution? The files being transferred through these connections are raw experimental data of no interest to anyone who doesn't know the exact experimental background ... so I'm not concerned about them traveling in the open ...

Joh

On Fri, 1 Apr 2005 06:38:34 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> On Thursday 31 March 2005 19:33, Johannes Graumann wrote:
> > Hello,
> >
> > I'm having a problem here with my setup which I could use some hints in
> > the right direction with.
> > I want to do the following:
> > - Windows boxes (Instrumentation, not my choice ...) are supposed to
> > samba into a linux fileserver (131.215.52.67)
> > - they don't see the net directly, but are walled up behind a linux
> > firewall (172.16.0.1/131.215.35.26)
> > - both linux machines are running shorewall
> >
> > windozes          Firewall          Fileserver
> >         \________^        \_______^
> >
> > I'm in way over my head and am not looking for a solution of a particular
> > problem with shorewall but for a sanity check on my general approach to
> > this - so one might call this off-topic?
> > Does anybody have any hints for me?
> >
>
> Yes -- use a VPN solution rather than trying to mount the shares directly. I
> think you'll have much better success.
>
> If you create a VPN between the Firewall and the Server and run a WINS server
> (Samba can do this) you should be able to get this to work fairly easily.
>
> -Tom
> --
> Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
> PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Johannes Graumann wrote:

> After some trouble I got this working without a VPN. Seems fine to me.
> Tom, do you not trust the Samba password encryption, or why would you
> prefer a VPN solution? The files being transferred through these
> connections are raw experimental data of no interest to anyone who
> doesn't know the exact experimental background ... so I'm not concerned
> about them traveling in the open ...
>

There are parts of M$ networking that work poorly through NAT (Domain logon for example). Plus of course there is the issue of sending unencrypted data outside of the firewall which you've already alluded to.

If you got it to work, are happy with it, and accept the security risk then that's what counts.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key