[Samba] firewall continued

Richard Fox rfox at sbsii.com
Mon Nov 4 18:57:00 GMT 2002


I have been following the recent firewall thread with interest. I am trying
to get nmblookup and findsmb to work too. Samba shares are visible from the
Windows client and server, but nmblookup '*' only lists the local machine. I
determined from the 'firewall' thread that my firewall could be the
problem, and turned it off. Sure enough, all the machines in my domain
showed up when I ran nmblookup '*' or findsmb. So there is something going
on in my firewall chains.

Here is my ipchain setup.

Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     tcp  -y----  anywhere             anywhere              any -> smtp
ACCEPT     tcp  -y----  anywhere             anywhere              any -> http
ACCEPT     tcp  -y----  anywhere             anywhere              any -> ftp
ACCEPT     tcp  -y----  anywhere             anywhere              any -> ssh
ACCEPT     tcp  ------  192.168.0.0/24       anywhere              any -> netbios-ssn
ACCEPT     udp  ------  192.168.0.0/24       anywhere              any -> netbios-ns:netbios-ssn
ACCEPT     udp  ------  dns1.net             anywhere              domain -> any
ACCEPT     udp  ------  ns1.mydns.com        anywhere              domain -> any
ACCEPT     udp  ------  ns2.mydns.com        anywhere              domain -> any
REJECT     tcp  -y----  anywhere             anywhere              any -> any
REJECT     udp  ------  anywhere             anywhere              any -> any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Please note that by default all output packets are accepted.

If I change input rule 7 (the first udp rule) to allow all udp packets,
ACCEPT     udp  ------  192.168.0.0/24       anywhere              any -> any

my findsmb lists all the machines in my domain. If I restrict this rule to
allow only packets to ports 137:139,
ACCEPT     udp  ------  192.168.0.0/24       anywhere              any -> netbios-ns:netbios-ssn

only the local machine is listed by findsmb (or nmblookup) even though
tcpdump shows udp packets coming in from all machines (to 137). So these
packets are being rejected. This is very puzzling to me because the rule
specifically allows 137:139. If I modify the rule again to allow packets
addressed to 1024: (1024 and above) only, findsmb will list all machines
EXCEPT the local machine, and very slowly. Here tcpdump shows heavy
traffic.

My question to a samba guru: exactly what ports do I need to accept udp
packets on for samba to be fully functional? It seems that the response to a
broadcast on 192.168.0.255 137 (netbios-ns) is responded to on ports other
than 137:139, and that if 137:139 are the only ports whose packets are
accepted, findsmb will not work.

Thanks. By looking through the archives I can see this is a recurring
problem, but solutions are elusive. Maybe people get their network up and
simply do not post their solution, I don't know. But, please, Mr. guru,
help!
----- Original Message -----
From: "Ulrich Kohlhase" <Ulrich.Kohlhase at t-online.de>
To: <samba at lists.samba.org>
Sent: Sunday, November 03, 2002 11:25 AM
Subject: [Samba] RE: firewall


> Justin,
>
> > -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
> > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
>
> Did you specify OUTPUT rules also ? You may want to try the following
> lines taken from a working server config. "keep_state" is a special
> chain for stateful inspection and logging purposes:
>
> -A INPUT   -p tcp -s 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
> -A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
> -A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
> -A INPUT   -p tcp -s 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
> -A INPUT   -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
> -A OUTPUT  -p udp -d 192.168.1.0/24 --dport 137:139 -j ACCEPT
>
> -N keep_state
> -A keep_state -m state --state INVALID -j DROP
> -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> # debug, info, notice, warning, err, crit, alert and emerg
> -A keep_state -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level notice --log-prefix "Packets dropped: "
> -A keep_state -j DROP
>
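The following is an added illustration, not code from the thread: a first-match model of the poster's ipchains "input" chain that replays the three variants of input rule 7 against constructed packets from an nmblookup broadcast, showing why replies to the host's own query miss a rule that only opens destination ports 137:139. The host address 192.168.0.5, the peer 192.168.0.7 and the ephemeral source port 32768 are assumed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"
    src: str = "0.0.0.0/0"          # ipchains "anywhere"; destination is not filtered here
    sport: tuple = (0, 65535)        # inclusive source-port range
    dport: tuple = (0, 65535)        # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])

def evaluate(chain, p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

LAN = "192.168.0.0/24"
# The poster's variants of input rule 7, each followed by the catch-all REJECT udp.
AS_POSTED = [Rule("ACCEPT", "udp", LAN, dport=(137, 139)), Rule("REJECT", "udp")]
HIGH_ONLY = [Rule("ACCEPT", "udp", LAN, dport=(1024, 65535)), Rule("REJECT", "udp")]
# Tightened alternative: name-service traffic to 137:139, plus replies that come
# *from* port 137 back to an unprivileged port, and nothing else from the LAN.
TIGHT = [Rule("ACCEPT", "udp", LAN, dport=(137, 139)),
         Rule("ACCEPT", "udp", LAN, sport=(137, 137), dport=(1024, 65535)),
         Rule("REJECT", "udp")]
# Constructed inbound packets seen by the Samba host 192.168.0.5 (assumed). nmblookup
# sends its broadcast from an unprivileged port (32768 assumed); peers answer from 137.
PEER_QUERY = Packet("udp", "192.168.0.7", 137, "192.168.0.5", 137)    # a peer's own query
REPLY      = Packet("udp", "192.168.0.7", 137, "192.168.0.5", 32768)  # reply to our query
STRAY      = Packet("udp", "192.168.0.7", 5000, "192.168.0.5", 32768) # unrelated UDP
def verdicts(chain) -> tuple:
    # Verdicts for (peer query, reply to our query, stray UDP) under one chain.
    return tuple(evaluate(chain, p) for p in (PEER_QUERY, REPLY, STRAY))
```

Only the TIGHT chain lets the name-service reply through while still rejecting unrelated UDP to high ports; the stateful keep_state approach in the quoted iptables rules achieves the same effect by matching replies as RELATED,ESTABLISHED.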