[Samba] Firewall piercing - The Specified network name is no longer available.

JLB jlb at twu.net
Wed Feb 9 14:58:09 GMT 2005


On Wed, 9 Feb 2005, Paul Gienger wrote:

> Date: Wed, 09 Feb 2005 08:54:57 -0600
> From: Paul Gienger <pgienger at ae-solutions.com>
> To: JLB <jlb at twu.net>
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Firewall piercing - The Specified network name is no
>     longer available.
>
>
> >I'm trying to set up one of my Unix machines at home so I can access my
> >stuff there via SMB from the Internet at large (read: from Windows-using
> >clients).
> >
> >
> Are you saying that you're trying to allow access from 'random internet
> user' (which is probably you) directly to your samba machine?   You will
> have problems with this if it is what you're doing.
>
> 1. because you may have a default filter on your firewalls that blocks it
> from traversing, although I think most sane manufacturers took this rule
> off now.

I already poked and prodded at all such filters. They seem off now.

> 2. because your ISP probably blocks/filters those ports.

They don't.

> 3. because it's a Bad Thing (TM)(R)(C)

The chance of any random joker stumbling upon a dynamically allocated IP
and h4x0ring into a password-protected share on a SPARC64 machine running
OpenBSD with a recent version of Samba is ....

....slim.

>
> Spend a little time and set up a vpn endpoint on your box and just
> forward the necessary ports over, I think openvpn is 5000.  You'll be
> much happier, sane, and protected as such.

And I will make use of this on client machines with strict "Thou Shalt Not
Install any Unauthorized Software" policies... how?

I've already set up zero-install Web-based telnet, zero-install Web-based
MP3 players... I even concocted a zero-install CygWin workalike and
keep it on my keychain USB drive... now I need a zero-install way to
access my files via Windows machines. And that means SMB. NOT OpenVPN,
OpenSSH, OpenVMS or any other "Open".

>
> >I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
> >Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
> >device.
> >
> >I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
> >Only port 139 actually responds to TCP connections (well, only port 139
> >accepts a telnet, even from localhost).
> >
> >See:
> >
> >--------------------------------------------------------------------------
> >-bash-2.05b# telnet localhost 137
> >Trying ::1...
> >telnet: connect to address ::1: Connection refused
> >Trying 127.0.0.1...
> >telnet: connect to address 127.0.0.1: Connection refused
> >-bash-2.05b# telnet localhost 138
> >Trying ::1...
> >telnet: connect to address ::1: Connection refused
> >Trying 127.0.0.1...
> >telnet: connect to address 127.0.0.1: Connection refused
> >-bash-2.05b# telnet localhost 139
> >Trying ::1...
> >telnet: connect to address ::1: Connection refused
> >Trying 127.0.0.1...
> >Connected to localhost.
> >Escape character is '^]'.
> >^]
> >telnet> close
> >Connection closed.
> >-bash-2.05b# telnet localhost 445
> >Trying ::1...
> >telnet: connect to address ::1: Connection refused
> >Trying 127.0.0.1...
> >telnet: connect to address 127.0.0.1: Connection refused
> >--------------------------------------------------------------------------
> >
> >It should go without saying that this machine's Samba shares work
> >PERFECTLY WELL within the LAN. ;)
> >
> >Now, from the outside, I can telnet to port 139 on the machine just fine,
> >through both NAT devices. However, when I go Start, Run,
> >\\x.y.z.a\sharename (where "x.y.z.a" is the IP address-- not the FQDN-- of
> >the machine), Windows vomits up this unhelpful message:
> >
> >
> >--------------------------------------------------
> >\\x.y.z.a\sharename
> >The specified network name is no longer available.
> >--------------------------------------------------
> >
> >See:
> >
> >http://jlb.twu.net/tmp/unhelpful.png
> >
> >Any ideas? The client machine runs Windows 2000 Pro.
> >
> >--
> >J. L. Blank, Systems Administrator, twu.net
> >
> >
>
> --
> --
> Paul Gienger                    Office: 701-281-1884
> Applied Engineering Inc.
> Systems Architect               Fax:    701-281-1322
> URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com
>
>
>

--
J. L. Blank, Systems Administrator, twu.net
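
Added example, not part of the original message: the telnet test quoted above probes all four ports over TCP, but in NetBIOS over TCP/IP ports 137 and 138 are UDP services, so only the 139 and 445 results say anything about a listener. This Python script (function names are hypothetical) separates the two cases and distinguishes a refused port from a filtered one when auditing what a host exposes.

```python
import socket

# Standard transport for each NetBIOS/SMB port probed in the post.
SMB_PORTS = {
    137: ("udp", "NetBIOS name service (nmbd)"),
    138: ("udp", "NetBIOS datagram service (nmbd)"),
    139: ("tcp", "NetBIOS session service (smbd)"),
    445: ("tcp", "SMB over TCP (smbd)"),
}

def tcp_state(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # RST came back: host reachable, nothing listening
    except OSError:
        return "filtered"   # timeout or unreachable: likely dropped in transit

def audit(host, ports=SMB_PORTS, timeout=3.0):
    """Map each port to (transport, state); UDP ports are not TCP-probed."""
    report = {}
    for port, (proto, _desc) in sorted(ports.items()):
        if proto == "tcp":
            report[port] = (proto, tcp_state(host, port, timeout))
        else:
            # telnet and connect() speak TCP only, so a refusal here
            # says nothing about whether the UDP service is running.
            report[port] = (proto, "not-testable-over-tcp")
    return report

if __name__ == "__main__":
    # 127.0.0.1 mirrors the localhost test in the post.
    for port, (proto, state) in audit("127.0.0.1").items():
        print(f"{port}/{proto}: {state} - {SMB_PORTS[port][1]}")
```

Run from inside the LAN and again from outside both NAT devices, a port that is "open" locally but "filtered" remotely points at a forwarding rule or upstream filter rather than at Samba.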

