[Samba] Samba AD firewalld services

Rowland Penny rowlandpenny241155 at gmail.com
Thu Aug 27 14:05:13 UTC 2015


On 27/08/15 14:58, Robert Moskowitz wrote:
>
>
> On 08/27/2015 09:50 AM, Rowland Penny wrote:
>> On 27/08/15 13:50, L.P.H. van Belle wrote:
>>> After reading this thread.. and ..seeing the comments..
>>>
>>> I googled a bit around. and yes.. more than 5 sec..  ;-)
>>>
>>> I wonder why almost every "centos/redhat/rpm based" howto removes 
>>> firewalld with the base iptables service
>>
>> Now here's a funny thing, I was searching the samba wiki for 
>> 'firewall' and found there is a page on setting up samba4 on centos 
>> 7, about half way down that page is this:
>>
>> This post setup will configure the services to startup and disable 
>> Selinux and Firewall, during my tests firewalld did not save the 
>> allowed ports, even with permanent flag, so I've decided to disable to 
>> avoid problems.
>>
>> So even on the samba wiki, you are advised to turn off firewalld :-D
>
> You have to do a --reload before they show up in the --list-all. I 
> would like to see a list pending option before I reload...
>
> And I really hope I don't have to disable Selinux.  Somewhere here I 
> have a cookbook for creating new policies.  It has worked for a few 
> services I have worked with that instructed me to 'disable Selinux'.
>
> I am a security guy.  I WANT my security services.

I would agree with you, you cannot have too much security, but I tend to 
get things working and then pile the security measures on top, one by 
one. If it works before the security measure, but not after, it narrows 
where to search for the problem.

Rowland
>
>>
>>
>>> now, I'm not "pro" systemd or con systemd, I use it but I set my 
>>> firewall with ufw,
>>> which is much more flexible in my opinion.
>>> I just don't care about how it starts.. as long as it works..
>>>
>>> so I found this one..
>>> http://www.certdepot.net/rhel7-get-started-firewalld/
>>> looks very nice, it explains all.
>>> based on that, how to create a "samba4-ad" service with multiple ports 
>>> in it.
>>> or better, split it up into..
>>> samba4-kerberos
>>> samba4-smbd
>>> samba4-nmbd
>>> etc..
>>>
>>> The only thing I can't see there in the "HAProxy example" is you can
>>> add multiple "port / protocols" in there.
>>> that's up to you.
>>>
>>> but I think you will manage that.
>>>
>>> .. side note..
>>> Firewalling is not really a samba topic.. but we are all (yes 
>>> Rowland too) happy to help you..
>>> ;-)  Rowland is just not a "fan" of systemd..  ROFL...
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Bair
>>>> Sent: Thursday 27 August 2015 14:01
>>>> To: Robert Moskowitz
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba AD firewalld services
>>>>
>>>> The services and their port numbers and protocols are defined in
>>>> /etc/services. You should be able to use that file to map from
>>>> port numbers
>>>> to services if you want to use the service names instead. This is not
>>>> something new with firewalld, iptables has had this option
>>>> forever as well.
>>>>
>>>> On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz
>>>> <rgm at htt-consult.com>
>>>> wrote:
>>>>
>>>>> Now with firewalld, opening up ports is now 'better' done by opening
>>>>> services.  So what do I need, for starters it seems:
>>>>>
>>>>> dns, dhcp, dhcpv6, samba, kerberos
>>>>>
>>>>> Here is the list of services:
>>>>>
>>>>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6
>>>>> dhcpv6-client dns
>>>>> ftp high-availability http https imaps ipp ipp-client ipsec kerberos
>>>>> kpasswd ldap
>>>>> ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp
>>>> openvpn pmcd
>>>>> pmproxy
>>>>> pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba
>>>>> samba-client
>>>>> smtp ssh telnet tftp tftp-client transmission-client
>>>> vnc-server wbem-https
>>>>> I will only be running one AD, but a number of file servers (which in
>>>>> Samba4 are really DCs without some services?) .
>>>>>
>>>>> thanks
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>>
>>>>
>>>
>>
>>
>
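Added example, not part of the thread and not code from Samba, firewalld or the linked tutorial: a shell sketch of the single "samba4-ad" firewalld service with several port/protocol entries that the thread asks about, plus the sequence that shows saved rules before and after `--reload`. The port list is an assumption (the ports commonly documented for a Samba AD DC, not taken from this thread), and the names `gen_service_xml`, `install_service` and `SAMBA_AD_PORTS` are hypothetical.

```shell
#!/bin/sh
# Added example. The port list is an assumption (commonly documented Samba
# AD DC ports); adjust it to your Samba version and smb.conf before use.
SAMBA_AD_PORTS="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137/udp 138/udp 139/tcp
389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268/tcp 3269/tcp
49152-65535/tcp"

# gen_service_xml NAME PORT/PROTO...   (hypothetical helper)
# Prints a firewalld service definition with one <port> element per entry.
# Every entry is validated before anything is printed, so a typo never
# produces a half-written service file. Only tcp and udp are accepted here.
gen_service_xml() {
    name=$1
    shift
    for entry in "$@"; do
        port=${entry%/*}
        proto=${entry#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$entry'" >&2; return 1 ;;
        esac
        case $port in
            ''|-*|*-|*[!0-9-]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$name"
    for entry in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${entry#*/}" "${entry%/*}"
    done
    printf '</service>\n'
}

# install_service (hypothetical): needs root and a running firewalld, so it
# is defined here but never called by this script.
install_service() {
    # shellcheck disable=SC2086  # word splitting of the list is intended
    xml=$(gen_service_xml samba4-ad $SAMBA_AD_PORTS) || return 1
    printf '%s\n' "$xml" > /etc/firewalld/services/samba4-ad.xml
    firewall-cmd --reload                             # load the new service file
    firewall-cmd --permanent --add-service=samba4-ad  # save to the default zone
    firewall-cmd --permanent --list-all               # saved, not yet active
    firewall-cmd --reload                             # activate the saved rules
    firewall-cmd --list-all                           # runtime view
}
```

Comparing `firewall-cmd --permanent --list-all` with plain `firewall-cmd --list-all` before the second reload shows which saved rules are not yet active.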
