[Samba] Samba 4 DC Firewall settings

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Mon Mar 25 22:37:58 MDT 2013


I think 1024 is used for replication between DCs, and since it's above the
1024 range, it will jump ports if needed.

Ricky


On Mon, Mar 25, 2013 at 10:22 PM, steve <steve at steve-ss.com> wrote:

> On 24/03/13 15:17, Thomas Simmons wrote:
>
>>
>>> On Mar 24, 2013 7:04 AM, "steve" <steve at steve-ss.com> wrote:
>>>
>>>  Samba 4.0.4 on openSUSE 12.3
>>>> Hi everyone.
>>>>
>>>> Does anyone have a list of ports which have to be open to allow full DC
>>>> operation?
>>>>
>>>> I'm no expert in firewalls and only have Yast at my disposal to configure
>>>> it. I've tried opening samba server and DNS server ports via Yast but I
>>>> must be missing something because I have to turn off the firewall to e.g.
>>>> join a Windows client to the domain. Maybe Yast isn't the right tool?
>>>>
>>>> Cheers,
>>>> Steve
>>>>
>>>
>>>  Hello Steve,
>>
>> I have the following exceptions. Most of this came from netstat and
>> monitoring traffic. A few were picked up in Microsoft documentation, though
>> I've not seen my DC actually use them. Take special note of the last entry.
>> It is my understanding that Samba4 uses 1024 by default, however if that
>> port is not available it will use 1025, 1026, etc. until it finds an open
>> port.
>>
>> iptables -A INPUT -p tcp --dport 389 -j ACCEPT # LDAP
>> iptables -A INPUT -p udp --dport 389 -j ACCEPT # LDAP (UDP)
>> iptables -A INPUT -p tcp --dport 636 -j ACCEPT # LDAPS
>> iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS (TCP)
>> iptables -A INPUT -p udp --dport 53 -j ACCEPT # DNS (UDP)
>> iptables -A INPUT -p tcp --dport 88 -j ACCEPT # Kerberos (TCP)
>> iptables -A INPUT -p udp --dport 88 -j ACCEPT # Kerberos (UDP)
>> iptables -A INPUT -p tcp --dport 464 -j ACCEPT # Kerberos Password (TCP)
>> iptables -A INPUT -p udp --dport 464 -j ACCEPT # Kerberos Password (UDP)
>> iptables -A INPUT -p tcp --dport 135 -j ACCEPT # RPC
>> iptables -A INPUT -p udp --dport 137 -j ACCEPT # NetBIOS Name Service
>> iptables -A INPUT -p udp --dport 138 -j ACCEPT # NetBIOS Datagram Service
>> iptables -A INPUT -p tcp --dport 139 -j ACCEPT # NetBIOS Session Service
>> iptables -A INPUT -p tcp --dport 445 -j ACCEPT # MS Directory Service
>> iptables -A INPUT -p tcp --dport 3268 -j ACCEPT # MS Global Catalog
>> iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # DCOM *note this port is not static*
>>
> Hi Thomas
> Thanks. I've now got traffic through to the DC with the firewall
> activated. The only thing I'm not sure of is the 1024. I have it set but in
> (a few brief) tests, I've not seen wireshark mention it.
> Cheers,
> Steve
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
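An added example (not posted by anyone in this thread): a small POSIX shell script that keeps Thomas's allow-list as a single source of truth, generates the iptables rules from it, and audits a `netstat -tuln` listing against it, so that when the DCE/RPC endpoint that Thomas and Ricky describe moves off 1024 (to 1025, 1026, ...) it is reported instead of silently being blocked. The netstat output embedded below is constructed for the demo, with one drifted RPC port (1025) and one unrelated listener (sshd on 22) so both kinds of mismatch are visible; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the samba list thread. Keeps the firewall
# allow-list and a "what is the DC actually listening on" audit in one place.

# Allow-list from Thomas's iptables rules, as proto/port tokens.
# tcp/1024 is the DCE/RPC endpoint the thread flags as not static.
ALLOWED="tcp/389 udp/389 tcp/636 tcp/53 udp/53 tcp/88 udp/88 tcp/464 udp/464 tcp/135 udp/137 udp/138 tcp/139 tcp/445 tcp/3268 tcp/1024"

# Emit one iptables INPUT rule per allow-list entry (same rules as in the thread,
# but generated from ALLOWED so the list and the firewall cannot drift apart).
rules() {
    for p in $ALLOWED; do
        printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "${p%/*}" "${p#*/}"
    done
}

# Reduce `netstat -tuln` output (on stdin) to sorted, unique proto/port tokens.
# Assumption: column 1 is the protocol (tcp, tcp6, udp, udp6) and column 4 is
# the local address whose last colon-separated field is the port.
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            n = split($4, a, ":")
            print proto "/" a[n]
         }' | sort -u
}

# Print every listening proto/port that ALLOWED does not cover.
# Exit status 0 when the firewall covers everything, 1 otherwise.
uncovered() {
    missing=0
    for l in $(listeners); do
        case " $ALLOWED " in
            *" $l "*) ;;
            *) echo "$l"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed netstat -tuln output for the demo (not captured from a real DC).
# The RPC endpoint has moved to 1025 and sshd is listening on 22.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1025            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:88              0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:389             0.0.0.0:*
udp        0      0 0.0.0.0:464             0.0.0.0:*
EOF
}

# `sh dc_ports.sh --demo` runs the audit on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_netstat | uncovered
fi
```

On a live DC, source the script and run `netstat -tuln | uncovered`; anything it prints is a listener the allow-list does not reach, which is either the RPC endpoint having jumped ports (then the 1024 rule needs widening or the port needs pinning) or a service that has nothing to do with the DC role and should be reviewed rather than opened.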