Planning a Firewall -> Samba don't work!

Anthony aslan at ispdr.net.au
Sat Apr 28 15:21:30 GMT 2001


At 06:52 a 28/04/01, Leandro wrote:
>Hi folks...
>
>     I'm configuring a firewall on the server running Conectiva Linux 6.0 (Brazil)
>and I have already configured it to accept connections on the ports:
>
>netbios-ns      137/tcp                         # NETBIOS Name Service
>netbios-ns      137/udp
>netbios-dgm     138/tcp                         # NETBIOS Datagram Service
>netbios-dgm     138/udp
>netbios-ssn     139/tcp                         # NETBIOS session service
>netbios-ssn     139/udp
>
>     I'm using IPCHAINS and I configured it this way:
>
>
>ipchains -A input  -i $EXTERNAL_INTERFACE \
>-s $ANYWHERE $NETBIOSPORTS -p tcp \
>-d $IPADDR $NETBIOSPORTS -j ACCEPT
>
>ipchains -A output -i $EXTERNAL_INTERFACE \
>-s $IPADDR $NETBIOSPORTS -p tcp \
>-d $ANYWHERE $NETBIOSPORTS -j ACCEPT
>
>ipchains -A input  -i $EXTERNAL_INTERFACE \
>-s $ANYWHERE $NETBIOSPORTS -p udp \
>-d $IPADDR $NETBIOSPORTS -j ACCEPT
>
>ipchains -A output -i $EXTERNAL_INTERFACE \
>-s $IPADDR $NETBIOSPORTS -p udp \
>-d $ANYWHERE $NETBIOSPORTS -j ACCEPT
>
>Please, if someone knows what is happening, please answer me...
>
>Thanks...
>
>
>                    Leandro Melo de Sales.
>CEFET/AL - Centro Federal de Educação Tecnológica de Alagoas
>     Estagiário GTI - Gerência de Tecnologia da Informação

Hi Leandro,
         At a glance, you appear to be having the same problem I was having 
with telnet only a few days ago. As far as I can tell, Windows doesn't 
connect from ports 137-139 as you would expect. I've just set one of my 
machines here to log to the system log, and it appears that Windows is 
connecting FROM port 2695 TO port 139. I have no idea why it does this (if 
anyone out there does know, please share it with us!), but I think that 
could be your problem. If it does turn out to be your problem, I suggest 
you just set ipchains to filter anything heading TO ports 137-139, 
regardless of where they're coming FROM. But then again, setting ipchains 
to filter exact source and destination ports will probably add more 
security to the system. Let us know how you go.




----------------------------
Anthony (aslan at ispdr.net.au)
----------------------------
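
The port mismatch described in the reply above, as an added example that is not part of the original thread: a small shell model of how an ipchains rule compares both the source and the destination port, run against the logged connection (2695 to 139). It assumes `$NETBIOSPORTS` was `137:139`; `UNPRIVPORTS` and the "fixed" rule pair are hypothetical, one way to keep a source-port constraint while allowing ephemeral client ports, and only the TCP session rules are modelled.

```shell
#!/bin/sh
# Added example: models ipchains port matching for the TCP session rules only.
NETBIOSPORTS="137:139"     # assumed value of the poster's $NETBIOSPORTS
UNPRIVPORTS="1024:65535"   # hypothetical variable: client ephemeral ports

# in_range PORT LO:HI -> succeeds when LO <= PORT <= HI
in_range() {
    lo=${2%%:*}
    hi=${2##*:}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# evaluate RULESET CHAIN SPORT DPORT -> prints ACCEPT or NOMATCH.
# A rule matches only when BOTH the source and destination port are in range.
evaluate() {
    case "$1/$2" in
        original/input|original/output)   # quoted script: 137:139 on both sides
            src=$NETBIOSPORTS; dst=$NETBIOSPORTS ;;
        fixed/input)    # -s $ANYWHERE $UNPRIVPORTS -d $IPADDR $NETBIOSPORTS
            src=$UNPRIVPORTS; dst=$NETBIOSPORTS ;;
        fixed/output)   # -s $IPADDR $NETBIOSPORTS -d $ANYWHERE $UNPRIVPORTS
            src=$NETBIOSPORTS; dst=$UNPRIVPORTS ;;
        *)
            echo UNKNOWN; return 2 ;;
    esac
    if in_range "$3" "$src" && in_range "$4" "$dst"; then
        echo ACCEPT
    else
        echo NOMATCH
    fi
}

# Constructed packets based on the logged connection: client 2695 -> server 139,
# and the server's reply 139 -> 2695.
for ruleset in original fixed; do
    printf '%-8s input  2695 -> 139 : %s\n' "$ruleset" "$(evaluate "$ruleset" input 2695 139)"
    printf '%-8s output 139 -> 2695 : %s\n' "$ruleset" "$(evaluate "$ruleset" output 139 2695)"
done
```

NOMATCH means the packet falls through to whatever rule or chain policy comes next, which is where a default-deny firewall drops it.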




