[Samba] Samba 3, Ubuntu 10, NAT, and firewall rules

Karen Swarth karen.swarth at gmail.com
Fri Feb 24 09:39:58 MST 2012


I'm setting up a Samba 3 server on Ubuntu 10.  The server
will have five local shares, which it will provide to the local
network (let's call that network 1.2.3.0/24).  The samba server is
a slave to the local Windows AD domain -- that is, the samba server
does not do its own authentication but just passes along such requests
to one of several local domain controllers that actually deal with them.

I'm not the admin of those domain controllers; I know almost
nothing about running Windows systems.

The samba server is located on a firewalled and NAT'd network
inside the local environment.  That is, it has a public address
(let's call it 1.2.3.55) that's visible outside, while inside,
it really lives at something like 192.168.0.8.  NAT is confirmed
working at this point via tcpdump on both sides.

I'm trying to ascertain the necessary-and-sufficient set of firewall
rules for this samba server.  So far I've come up with this:

Bidirectional:

netbios-ns (port 137, UDP) to/from the local network
netbios-dgm (port 138, UDP) to/from the local network
netbios-ssn  (port 139, TCP) to/from the local network
microsoft-ds (port 445, TCP) to/from the local network

Outbound only:

DNS (port 53, TCP and UDP) to DNS servers on local network
NTP (port 123, TCP and UDP) to NTP servers on the local network
LDAP (port 389, TCP and UDP) to hosts on the local network
Kerberos (port 88, TCP and UDP) to hosts on the local network

Inbound-only:

SSH from the local network, of course. ;-)


First, I suppose I should ask if there are any glaring omissions
or inclusions.

Second, I suspect that these rules are overly permissive in that,
for example, I need only permit outbound LDAP to the domain
controllers on the local network, and not to other hosts such
as samba client systems.  I also suspect that my major lack
of clue with all things Windows means that some of the things
I've listed as "bidirectional" don't need to be.

I'd like to make these rules as tight as possible without
breaking anything, so I'd be grateful for any guidance, especially
if it involves pointing out my mistakes.
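A worked version of the tightened ruleset the post is asking for, added here as an example; it is not part of the original message and not code from the Samba project. It is a POSIX shell script that emits an iptables-restore file for the member server. The domain controller addresses (1.2.3.10 and 1.2.3.11), the choice to point DNS and NTP at the DCs, and the admin network allowed to SSH in are assumptions, not details from the post. Two points it encodes that the post raises: with connection tracking, every "bidirectional" entry collapses into an inbound NEW rule plus one ESTABLISHED,RELATED rule per direction, and the directory traffic (Kerberos on 88, LDAP and CLDAP on 389, and SMB on 445 for the netlogon pipe winbind talks to) is allowed only towards the DCs rather than the whole LAN. NTP is UDP only, so no TCP/123 rule is generated.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project): generate an
# iptables-restore ruleset for a Samba 3 domain-member file server.
# Usage: sh samba-fw.sh > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
# All addresses are placeholders; override them through the environment.
LAN="${LAN:-1.2.3.0/24}"            # client network from the post
DCS="${DCS:-1.2.3.10 1.2.3.11}"     # ASSUMED domain controller addresses
DNS_SERVERS="${DNS_SERVERS:-$DCS}"  # ASSUMED: AD-integrated DNS lives on the DCs
NTP_SERVERS="${NTP_SERVERS:-$DCS}"  # ASSUMED: the DCs are the clock source
ADMIN_NET="${ADMIN_NET:-$LAN}"      # ASSUMED: where SSH logins may come from

rule() { printf '%s\n' "$*"; }

gen_rules() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A OUTPUT -o lo -j ACCEPT'
    # Connection tracking replaces every "bidirectional" rule: replies to
    # accepted traffic pass in both directions, anything else is dropped.
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # Inbound: LAN clients reaching the shares, SMB directly (445) or over NetBIOS (139).
    for p in 139 445; do
        rule "-A INPUT -s $LAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # NetBIOS name and datagram service from the LAN for nmbd (UDP, no NEW state).
    for p in 137 138; do
        rule "-A INPUT -s $LAN -p udp --dport $p -j ACCEPT"
    done
    rule "-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"

    # Outbound directory traffic goes to the DCs only, never to the whole LAN:
    # Kerberos (88), LDAP plus CLDAP (389), and SMB (445) for winbind's netlogon pipe.
    for dc in $DCS; do
        for p in 88 389; do
            rule "-A OUTPUT -d $dc -p tcp --dport $p -m state --state NEW -j ACCEPT"
            rule "-A OUTPUT -d $dc -p udp --dport $p -j ACCEPT"
        done
        rule "-A OUTPUT -d $dc -p tcp --dport 445 -m state --state NEW -j ACCEPT"
    done
    for s in $DNS_SERVERS; do
        rule "-A OUTPUT -d $s -p tcp --dport 53 -m state --state NEW -j ACCEPT"
        rule "-A OUTPUT -d $s -p udp --dport 53 -j ACCEPT"
    done
    # NTP is UDP only; there is no TCP/123 to allow.
    for s in $NTP_SERVERS; do
        rule "-A OUTPUT -d $s -p udp --dport 123 -j ACCEPT"
    done
    # nmbd's own name queries and browse announcements to the LAN, broadcast included.
    for p in 137 138; do
        rule "-A OUTPUT -d $LAN -p udp --dport $p -j ACCEPT"
    done
    rule 'COMMIT'
}

# Count lines of the generated ruleset matching a pattern; handy for self-checks
# such as confirming that no LDAP rule targets the whole LAN.
count_rules() { gen_rules | grep -c -- "$1" || true; }

gen_rules
```

If the member server is ever used for Kerberos password changes or global-catalog lookups, the same per-DC loop is the place to add kpasswd (464 TCP/UDP) and the global catalog port (3268 TCP); the script deliberately leaves them out because the post does not mention either.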

