[Samba] Problems with firewalls and samba.

Göran Höglund goran.hoglund at telemar.se
Wed May 7 08:44:55 GMT 2003


Hi list,
I have a delicate problem with my groupserver running Solaris 8 and
Samba 2.2.7a.

On the same net that the server resides on, let's call it 192.168.0.X,
there is no problem with smb access from any client, unix or winXP. But
from another net, divided from the internal by an ip-filter based fw,
let's call that other net 192.168.1.X, the packets seem to pass our
server completely.

When I sniff on my internal net as well as the external I can see
packets pass through the FW.
The rules in this FW are set to, quote:
# allow samba from dmz to smb-server
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 135 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 137 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 138 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 139 keep state
pass in log quick on le0 proto tcp from any to 192.168.1.123/32 port = 445 keep state

pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 135 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 137 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 138 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 139 keep state
pass in log quick on le0 proto udp from any to 192.168.1.123/32 port = 445 keep state
Unquote

To make the problem a little bit more delicate, the clients on the DMZ
are passing through another FW from Check Point using their VPN client
software SecuRemote. The clients show up with the IP address supplied by
their respective ISP. They have no problem accessing the POP3/IMAP
server on the same host as the smb-server. They can also access the Web
server as well.

In my smb.conf I have set the following:
Workgroup = MYOFFICE
Netbio name = GROUPSERVER
security = user
encrypt passwords = Yes
domain master = yes
socket address = 192.168.0.123
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Göran


