[Samba] Samba/Firewall issues?
Paul Griffith
paulg at cs.yorku.ca
Tue Sep 27 20:19:47 GMT 2005
Greetings,
I am running into *possible* Samba/Firewall issues. Our Samba v3.0.11
server is also running iptables. In our log.nmbd file we have
noticed the following:
[2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313)
Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790)
Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation not
permitted
[2005/09/27 14:07:57, 1] libsmb/cliconnect.c:cli_connect(1313)
Error connecting to 130.xx.xx.xx (No route to host)
[2005/09/27 14:12:51, 1] libsmb/cliconnect.c:cli_connect(1313)
Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 14:23:04, 1] libsmb/cliconnect.c:cli_connect(1313)
A search turned up the following:
http://seclists.org/lists/bugtraq/2001/Mar/0285.html
----------------
Obviously, the netfilter nat code breaks nmap while using the -O flag
or using decoy options. The (sendto in send_tcp_raw: sendto....) error is
a symptom of this. It also breaks other packet shaping utilities such
as hping, etc., so this does not appear to be an nmap problem.
I don't believe the connection tracking portion of netfilter is to
blame in this case. In my tests the connection tracking code, whether it was
loaded as a module or built statically into the kernel, didn't seem to
get in the way. The cause of the 'sendto..' errors seems to be caused
solely by the iptable_nat.o module (which is huge, of course). Once you
load that one, or build it into the kernel, "nmap -O" no
worky. Without it, nmap/hping/everything works just peachy.
Best Regards,
Steve
---------
Now I have removed iptable_nat with rmmod but I am still seeing
errors. For our end users the error shows up as XXXX Domain not found.
Anyone see these errors before?
Thanks
Paul
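
A triage sketch for the log.nmbd excerpt quoted above, added here as an example and not part of the original post or of Samba. It groups entries by reporting function and error text; the hint strings reflect general Linux socket behaviour and are an assumption, not a diagnosis of this server, and the sample log is constructed from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample in the two-line log.nmbd layout quoted in the post,
# including the mail-wrapped message and the final header with no body.
SAMPLE_LOG = """\
[2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313)
Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790)
Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation not
permitted
[2005/09/27 14:07:57, 1] libsmb/cliconnect.c:cli_connect(1313)
Error connecting to 130.xx.xx.xx (No route to host)
[2005/09/27 14:12:51, 1] libsmb/cliconnect.c:cli_connect(1313)
Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 14:23:04, 1] libsmb/cliconnect.c:cli_connect(1313)
"""

# Header line: [timestamp, debuglevel] source.c:function(line)
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")

# Error text -> where to look first (assumed, general Linux behaviour).
HINTS = {
    "Operation not permitted": "local: send was denied on this host, review its own OUTPUT rules",
    "Connection refused": "remote: the peer or a REJECT rule answered with a reset",
    "No route to host": "path: ICMP unreachable/REJECT, or local routing or ARP failure",
}

def parse_entries(text):
    """Pair each header with its message, re-joining wrapped message lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def classify(entry):
    """Return the first known error text found in the message, else 'unclassified'."""
    return next((t for t in HINTS if t in entry["msg"]), "unclassified")

def summarize(text):
    """Count entries per (function, error text)."""
    return Counter((e["func"], classify(e)) for e in parse_entries(text))

if __name__ == "__main__":
    for (func, err), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {func:12s} {err}: {HINTS.get(err, 'header with no message body')}")
```

Separating the send_udp failure on port 138 (NetBIOS datagram) from the cli_connect failures shows whether the errors originate on the Samba host itself or on the path to the peer.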