[Samba] Samba AD firewalld services

Robert Moskowitz rgm at htt-consult.com
Thu Aug 27 13:25:40 UTC 2015


On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
> After reading this thread.. and ..seeing the comments..
> I googled a bit around. and yes.. more then 5 sec..  ;-)
> I wonder why almost every "centos/redhat/rpm based" howto removes firewalld with the base iptables service
> now, i'm not "pro" systemd or con systemd, i use it but i set my firewall with ufw,
> which is much more flexable in my opinion.
> I just dont care about how it starts.. as long as it works..
> so i found this one..
> http://www.certdepot.net/rhel7-get-started-firewalld/
> looks very nice, it explains all.
> base on that, howto create a "samba4-ad" service with multiple ports in it.
> or better, split it up in to..
> samba4-kerberos
> samba4-smbd
> samba4-nmbd
> etc..

I have looked at the actual /usr/lib/firewalld/services xml files and 
find that I should use:

samba kerberos kpasswd dns ldap ldaps

And need to create services for tcp ports 135 (rpc) and 3268 (MS Global 
Catalog), or just do those as ports.

Still to be worked out are:

what about ldap and ldaps over udp?  And do I need a rule for port 1024?


> The only thing i cant see there in the "HAProxy example" is you can
> add multiple "port / protools" in there.
> thats up to you.
> but i think you wil manage that.
> .. side note..
> Firewalling is not really a samba topic.. but we are all (yes Rowland to) happy to help you..
> ;-)  Rowland is just not a "fan" of systemd..  ROFL...
> Greetz,
> Louis
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ryan Bair
>> Verzonden: donderdag 27 augustus 2015 14:01
>> Aan: Robert Moskowitz
>> CC: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Samba AD firewalld services
>> The services and their port numbers and protocols are defined in
>> /etc/services. You should be able to use that file to map from
>> port numbers
>> to services if you want to use the service names instead. This is not
>> something new with firewalld, iptables has had this option
>> forever as well.
>> On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz
>> <rgm at htt-consult.com>
>> wrote:
>>> Now with firewalld, opening up ports is now 'better' done by opening
>>> services.  So what do I need, for starters it seems:
>>> dns, dhcp, dhcpv6, samba, kerberos
>>> Here is the list of services:
>>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6
>>> dhcpv6-client dns
>>> ftp high-availability http https imaps ipp ipp-client ipsec kerberos
>>> kpasswd ldap
>>> ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp
>> openvpn pmcd
>>> pmproxy
>>> pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba
>>> samba-client
>>> smtp ssh telnet tftp tftp-client transmission-client
>> vnc-server wbem-https
>>> I will only be running one AD, but a number of file servers (which in
>>> Samba4 are really DCs without some services?) .
>>> thanks
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list