Init Scripts and Firewall Rules

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue Mar 31 06:57:18 MDT 2015


Hi Daniel,

> Sent this to contributing@ about three weeks ago but no response, I
> though they might be useful on the wiki:
>
>> Given that so many distros have now switched to systemd, I believe it
>> would be appropriate to add a reference service file for systemd-based
>> systems to the InitScripts page.
>
>> I have a service file I've been using for a few months in production
>> on CentOS 7, as well as firewalld service files that could be added to
>> the Configure_your_firewall page.
>
>> Of the firewalld files, I've only tested the DC one, but - assuming
>> the current wiki page is correct - the others should work.
>
> /etc/firewalld/services/samba-ad-dc.service:
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>      <short>samba-ad-dc</short>
>      <description>Samba Active Directory Domain Controller</description>
>      <port protocol="tcp" port="53"/>
>      <port protocol="udp" port="53"/>
>      <port protocol="tcp" port="88"/>
>      <port protocol="udp" port="88"/>
>      <port protocol="tcp" port="135"/>
>      <port protocol="udp" port="137-138"/>
>      <port protocol="tcp" port="139"/>
>      <port protocol="tcp" port="389"/>
>      <port protocol="udp" port="389"/>
>      <port protocol="tcp" port="445"/>
>      <port protocol="tcp" port="464"/>
>      <port protocol="udp" port="464"/>
>      <port protocol="tcp" port="636"/>
>      <port protocol="tcp" port="1024-5000"/>

I was wondering about the ms-rpc port range. The 1025-5000 range was for 
win2k3 and lower OS. As samba implements win2k8r2 AD, shouldn't it be 
49152-65535 as per kb929851 [1]?

Thanks,

Denis

[1] http://support.microsoft.com/en-us/kb/929851

>      <port protocol="tcp" port="3268-3269"/>
>      <port protocol="tcp" port="5353"/>
>      <port protocol="udp" port="5353"/>
> </service>
>
>
> /etc/firewalld/services/samba-member.service:
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>      <short>samba-member</short>
>      <description>Samba Domain Member Server</description>
>      <port protocol="tcp" port="135"/>
>      <port protocol="udp" port="137-138"/>
>      <port protocol="tcp" port="139"/>
>      <port protocol="tcp" port="445"/
> </service>
>
> This one's a bit redundant - /etc/firewalld/services/samba-nt4-pdc.service:
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>      <short>samba-nt4-pdc</short>
>      <description>Samba NT4 Primary Domain Controller</description>
>      <port protocol="tcp" port="135"/>
>      <port protocol="udp" port="137-138"/>
>      <port protocol="tcp" port="139"/>
>      <port protocol="tcp" port="445"/
> </service>
>
>
> /etc/systemd/system/samba-ad-dc.service:
> [Unit]
> Description=Samba AD Daemon
> After=syslog.target network.target
>
> [Service]
> Type=forking
> PIDFile=/usr/local/samba/var/run/samba.pid
> LimitNOFILE=16384
> EnvironmentFile=-/etc/sysconfig/samba
> ExecStart=/usr/local/samba/sbin/samba $SAMBAOPTIONS
> ExecReload=/usr/bin/kill -HUP $MAINPID
>
> [Install]
> WantedBy=multi-user.target
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
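The following is an added example, not part of the mail above and not code from the Samba or firewalld projects. It lints firewalld service definitions of the kind quoted in the thread: it parses the XML, lists the opened ports, reports a file that does not parse at all (a dropped `>` makes firewalld reject the whole service, so a member server ends up with no rule rather than a partial one), and flags the Windows 2003-era dynamic RPC range that the reply questions, suggesting the 49152-65535 range from KB 929851 instead. The two sample documents are constructed for the demonstration; the function and constant names are my own.

```python
"""Lint firewalld service XML files (added example, constructed samples)."""
import xml.etree.ElementTree as ET

# Dynamic RPC ranges discussed in the thread: the old 1024/1025-5000 range
# versus the 49152-65535 range used by Windows 2008 and later (KB 929851).
LEGACY_RPC_RANGES = ((1024, 5000), (1025, 5000))
MODERN_RPC_RANGE = (49152, 65535)


def parse_port(spec):
    """Return (low, high) for a firewalld port attribute such as '445' or '137-138'."""
    low_text, _, high_text = spec.partition("-")
    low = int(low_text)
    high = int(high_text) if high_text else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range: {spec}")
    return low, high


def lint_service(xml_text):
    """Parse one firewalld service document.

    Returns a dict with the service's <short> name, a list of
    (protocol, low, high) tuples and a list of human-readable findings.
    """
    result = {"name": None, "ports": [], "findings": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # firewalld would refuse the whole file, so nothing would be opened.
        result["findings"].append(f"malformed XML: {exc}")
        return result
    if root.tag != "service":
        result["findings"].append(f"unexpected root element <{root.tag}>")
        return result
    short = root.find("short")
    result["name"] = short.text if short is not None else None
    for port in root.findall("port"):
        proto = port.get("protocol")
        spec = port.get("port")
        if proto not in ("tcp", "udp") or spec is None:
            result["findings"].append(f"bad <port> element with attributes {port.attrib}")
            continue
        try:
            low, high = parse_port(spec)
        except ValueError as exc:
            result["findings"].append(str(exc))
            continue
        result["ports"].append((proto, low, high))
        if (low, high) in LEGACY_RPC_RANGES:
            result["findings"].append(
                f"{proto}/{spec}: legacy dynamic RPC range; Windows 2008+ uses "
                f"{MODERN_RPC_RANGE[0]}-{MODERN_RPC_RANGE[1]} (KB 929851)")
    return result


# Constructed sample: a trimmed DC service that still carries the old RPC range.
DC_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>samba-ad-dc</short>
  <description>Samba Active Directory Domain Controller</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
  <port protocol="tcp" port="88"/>
  <port protocol="tcp" port="445"/>
  <port protocol="tcp" port="1024-5000"/>
  <port protocol="tcp" port="3268-3269"/>
</service>
"""

# Constructed sample: the closing '>' of the last <port> element is missing.
BROKEN_MEMBER_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>samba-member</short>
  <description>Samba Domain Member Server</description>
  <port protocol="tcp" port="445"/
</service>
"""

if __name__ == "__main__":
    for doc in (DC_SAMPLE, BROKEN_MEMBER_SAMPLE):
        report = lint_service(doc)
        print(report["name"], report["ports"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against `/etc/firewalld/services/*.xml` by reading each file into `lint_service`; a non-empty `findings` list is the signal to inspect the file before `firewall-cmd --reload`.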


