Hi all,

I understand that in order to allow samba to work, we need to allow several ports, such as tcp 445, tcp/udp 137,138,139.

But recently a friend of mine said that the only port that needs to be opened is tcp 445? Is this true?

What is the actual purpose of those 137:139 ports? In /etc/services it's said that they are netbios-ssn. But I'm not really sure of the real meaning of it.

Thank you,
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
4:34pm up 8:52, 2.6.16.13-4-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
Hi Fajar,

137/139 are ports for Windows file sharing. But if you want a more precise answer, better ask the Samba mailing-list; this has nothing to do with Shorewall. Google could be useful for this too :-)

plz SEARCH before you ASK!

On Wednesday 29 November 2006 at 16:43 +0700, Fajar Priyanto wrote:
> Hi all,
> I understand that in order to allow samba to work, we need to allow several
> ports, such as tcp 445, tcp/udp 137,138,139.
>
> But recently a friend of mine said that the only port needs to be opened is
> tcp 445? Is this true?
>
> What is the actual purpose of those 137:139 ports? In /etc/services it's said
> that they are netbios-ssn. But I'm not really sure the real meaning of it.
> Thank you,

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Wed, Nov 29, 2006 at 04:43:17PM +0700, Fajar Priyanto wrote:
> I understand that in order to allow samba to work, we need to allow several
> ports, such as tcp 445, tcp/udp 137,138,139.
>
> But recently a friend of mine said that the only port needs to be opened is
> tcp 445? Is this true?
>
> What is the actual purpose of those 137:139 ports? In /etc/services it's said
> that they are netbios-ssn. But I'm not really sure the real meaning of it.

"Samba" (and "Windows File & Print") refers to a group of about six different protocol variations. With each major release of Windows (and OS/2 LanManager), Microsoft has reinvented it, because all their previous attempts sucked. Different variations of these use different combinations of ports. At least one of them is capable of operating over port 445 alone.

A modern WinXP system can talk *all* of these. You have limited control over which it uses, even in a purely WinXP network. The exact details of how it decides which protocol to use are secret (if anybody at Microsoft even knows - this is uncertain, the code is reportedly complicated and undocumented), and the internet is rife with inaccurate speculations on the subject being presented as fact. Do not expect it to behave sanely. In theory, it should attempt to use both port 445 and 139 and take whichever works. In practice, it varies, especially on a desktop that's been in use for a few months and is starting to show signs of bitrot.

Opening all the ports ensures that the firewall won't get in the way of whatever the stupid thing decides to do. Individual sites may find that they can get by with less, depending on configuration and the phases of the moon.
Andrew Suffield wrote:
> "Samba" (and "Windows File & Print") refers to a group of about six
> different protocol variations. With each major release of Windows (and
> OS/2 LanManager), Microsoft has reinvented it, because all their
> previous attempts sucked. Different variations of these use different
> combinations of ports. At least one of them is capable of operating
> over port 445 alone.
>
> A modern WinXP system can talk *all* of these. You have limited
> control over which it uses, even in a purely WinXP network. The exact
> details of how it decides which protocol to use are secret (if anybody
> at Microsoft even knows - this is uncertain, the code is reportedly
> complicated and undocumented), and the internet is rife with
> inaccurate speculations on the subject being presented as fact. Do not
> expect it to behave sanely.

Hopefully this is an area that will be improved by the submission of documentation demanded by the EU to allow competing systems to interoperate on a level playing field - but I suspect it will take some time for various teams (particularly the Samba team) to work their way through it. I believe their first submission was along the lines of "we'll make the source code available under non-disclosure and you can work it out for yourself", which thankfully was rejected by the EU on two grounds: a) it precluded projects like Samba using any of the information obtained, and b) it was about as clear as mud!

The fact that Microsoft claims to have had 300 engineers working on it for months does back up theories that even Microsoft didn't know how it all works - which is kind of worrying when you think how much of the world's business depends on Windows systems! I guess those 300 engineers have spent the last few months reverse engineering the source code.
Andrew Suffield wrote:
> On Wed, Nov 29, 2006 at 04:43:17PM +0700, Fajar Priyanto wrote:
>
>> I understand that in order to allow samba to work, we need to allow several
>> ports, such as tcp 445, tcp/udp 137,138,139.
>>
>> But recently a friend of mine said that the only port needs to be opened is
>> tcp 445? Is this true?
>>
>> What is the actual purpose of those 137:139 ports? In /etc/services it's said
>> that they are netbios-ssn. But I'm not really sure the real meaning of it.
>>
>
> "Samba" (and "Windows File & Print") refers to a group of about six
> different protocol variations. With each major release of Windows (and
> OS/2 LanManager), Microsoft has reinvented it, because all their
> previous attempts sucked. Different variations of these use different
> combinations of ports. At least one of them is capable of operating
> over port 445 alone.
>
> A modern WinXP system can talk *all* of these. You have limited
> control over which it uses, even in a purely WinXP network. The exact
> details of how it decides which protocol to use are secret (if anybody
> at Microsoft even knows - this is uncertain, the code is reportedly
> complicated and undocumented), and the internet is rife with
> inaccurate speculations on the subject being presented as fact. Do not
> expect it to behave sanely. In theory, it should attempt to use both
> port 445 and 139 and take whichever works. In practice, it varies,
> especially on a desktop that's been in use for a few months and is
> starting to show signs of bitrot.
>
> Opening all the ports ensures that the firewall won't get in the way
> of whatever the stupid thing decides to do. Individual sites may find
> that they can get by with less, depending on configuration and the
> phases of the moon.

Andrew, this story is not completely true.
My experience in my customers' networks is this: WinXP clients and W2K SP4 clients *can* use port 445 only, *if* you take care about your network configuration: servers need to be in an ADS in non-compatibility mode (no NT4 anywhere); this is possible with W2K Server SP4 and W2K3 Server R1 and R2. No NetBIOS name resolution, DNS only; this means no WINS server, no workgroup access, use domain access only, no local file or printer sharing, server-side shares only.

Like this, port 445 is "the modern way" to get Windows machines to talk to each other. BTW, this is the safest configuration of all; if you then get Kerberos working in your net, you are on the right track to more security even in Windows networks.

BUT: samba is a different thing and, like you already stated, the underlying (MS-) internals are not documented in public, so it is impossible for samba to be completely like "the original".

Just my 2 cents
Philipp
On Wed, Nov 29, 2006 at 07:20:50PM +0100, Philipp Rusch wrote:
> My experience in my customers networks is such:
> WinXP clients and W2K SP4 Clients *can* use port 445 only, *if* you
> take care about your network configuration: servers need to be in an ADS in
> non-compatibility mode (no NT4 anywhere), this is possible with W2K Server SP4
> and W2K3 Server R1 and R2.
> no NetBIOS name resolution, DNS only, this means no WINS-Server, no
> workgroup-access, use domain-access only, no local file or printer sharing,
> server side shares only.

If you manage to arrange things so that *none* of these things happen, you're much luckier than me. It's infuriatingly hard to run a non-trivial network without any legacy crud floating around. Eliminating all the stuff you list could conceivably be enough to stop it - but I doubt we'll ever really know for sure.