[Samba] Samba/Firewall issues?

Paul Griffith paulg at cs.yorku.ca
Tue Sep 27 20:19:47 GMT 2005


Greetings,

I am running into *possible* Samba/Firewall issues. Our Samba v3.0.11
server is also running iptables. In our log.nmbd file we have
noticed the following:

[2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation not
  permitted

[2005/09/27 14:07:57, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (No route to host)
[2005/09/27 14:12:51, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 14:23:04, 1] libsmb/cliconnect.c:cli_connect(1313)
 
A search turned up the following:
http://seclists.org/lists/bugtraq/2001/Mar/0285.html
----------------
Obviously, the netfilter nat code breaks nmap while using the -O flag
or using decoy options. The (sendto in send_tcp_raw: sendto....) error is 
a symptom of this. It also breaks other packet shaping utilities such 
as hping, etc., so this does not appear to be an nmap problem. 


I don't believe the connection tracking portion of netfilter is to
blame in this case. In my tests the connection tracking code, whether it was 
loaded as a module or built statically into the kernel, didn't seem to 
get in the way. The cause of the 'sendto..' errors seems to be caused 
solely by the iptable_nat.o module (which is huge, of course). Once you 
load that one, or build it into the kernel, "nmap -O" no
worky. Without it, nmap/hping/everything works just peachy. 


Best Regards, 
Steve
---------

Now I have removed iptable_nat with rmmod but I am still seeing
errors. For our end users the error shows up as XXXX Domain not found.

Anyone see these errors before?

Thanks
Paul


