Planning a Firewall -> Samba don't work!

Mike Fedyk mfedyk at matchmail.com
Thu May 3 00:38:26 GMT 2001


On Sat, Apr 28, 2001 at 11:40:55AM -0400, Bill Moran wrote:
> Anthony wrote:
> > As far as I can tell, Windows doesn't
> > connect from ports 137-139 as you would expect. I've just set one of my
> > machines here to log to the system log, and it appears that Windows is
> > connecting FROM port 2695 TO port 139. I have no idea why it does this (if
> > anyone out there does know, please share it with us!)
> 
> This is fairly typical of tcp communications. Consider the fact that the
> Windows machine is likely listening for connections from others on port
> 139 already (if file sharing is enabled on that machine), so it could
> cause confusion to try to connect with that port on outgoing
> communication as well.
> Also, on any system with intelligent security (most UN*Ces and I believe
> the NT line) a non-root (admin) user can not establish connections on
> ports below 1024 (these are "privileged" ports). Therefore, logging in
> to a system as a "normal user" does not enable you to open a connection
> from 139. Samba and the NT filesharing service both run as root/system

I believe NT will allow any user to bind to any port, as long as it isn't
already in use.  It just doesn't follow the Unix privileged ports concept.

> so they are able to establish listening ports on 139, but you don't want
> to have everyone logging as root/admin. Most other communication
> services run in the same manner, including ftp, mail, http, etc ...

Mike
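
Added example, not part of the original message or the thread: a minimal first-match, default-deny packet filter showing why a rule keyed on source ports 137-139 drops the connection quoted above (from port 2695 to port 139) while a rule keyed on the destination port accepts it. The rule layout and the names `Rule`, `Packet`, `decide` and `compare` are hypothetical, and the filter is assumed to be stateless with clients using source ports at or above 1024.

```python
# Added illustration: a tiny first-match, default-deny packet filter.
# Rule layout and helper names are hypothetical, not ipchains/iptables syntax.
from typing import NamedTuple


class Packet(NamedTuple):
    src_port: int
    dst_port: int


class Rule(NamedTuple):
    src_ports: range
    dst_ports: range
    action: str  # "ACCEPT" or "DROP"


NETBIOS = range(137, 140)          # ports 137-139
SMB_SESSION = range(139, 140)      # port 139 only
UNPRIVILEGED = range(1024, 65536)  # assumption: client source ports are >= 1024


def decide(rules, pkt):
    """Return the action of the first matching rule; drop if none matches."""
    for rule in rules:
        if pkt.src_port in rule.src_ports and pkt.dst_port in rule.dst_ports:
            return rule.action
    return "DROP"


# Mis-planned rule set: assumes the client also connects FROM 137-139.
SRC_MATCH_RULES = [Rule(NETBIOS, NETBIOS, "ACCEPT")]

# Corrected rule set: match the service port on the destination side, and
# allow the server's replies back because this filter keeps no state.
DST_MATCH_RULES = [
    Rule(UNPRIVILEGED, SMB_SESSION, "ACCEPT"),  # client -> server
    Rule(SMB_SESSION, UNPRIVILEGED, "ACCEPT"),  # server -> client replies
]

# Constructed packets using the two ports quoted in the thread.
REQUEST = Packet(src_port=2695, dst_port=139)
REPLY = Packet(src_port=139, dst_port=2695)


def compare():
    """Evaluate request and reply against both rule sets."""
    return {
        "src_match": (decide(SRC_MATCH_RULES, REQUEST), decide(SRC_MATCH_RULES, REPLY)),
        "dst_match": (decide(DST_MATCH_RULES, REQUEST), decide(DST_MATCH_RULES, REPLY)),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```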



