[Samba] Samba and firewalling

L.P.H. van Belle belle at bazuin.nl
Tue Dec 4 14:53:29 UTC 2018


Hi,
 
Just a question; this might be a bug, might not, but for this one I need some help.
 
Setup: Debian 9.
 
Member server samba 4.9.3
AD DC servers samba 4.8.7 
 
I'm setting up the member with a very tight firewall, so nothing in/out/routed unless it's defined.
I'm using the UFW firewall for it.
 
I notice the following in my member's firewall logs, and this only happens when I run: id or getent passwd.
wbinfo -u (any wbinfo command) gives no INVALID/BLOCKED in the logs.
 
And anything else that's configured and that I'm testing shows, as far as I see, no problems at all.
Everything works as it should; I'm only not happy with the UFW AUDIT INVALID and BLOCK lines.
And I can't stand that I can't figure this out, or at least I'm not sure about it.
 
 
IP : .100 is the member 
IP: .1 and .2 are DC1 and DC2. 
 
The log part:
# The request out to DC2. 
Dec  4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
Dec  4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
 
## DC2 gets invalid and blocked. 
Dec  4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
Dec  4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
 
# Then a few DNS requests.
Dec  4 14:52:05 kernel: [969364.265380] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=59751 DF PROTO=UDP SPT=43064 DPT=53 LEN=53
Dec  4 14:52:05 kernel: [969364.265395] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=59752 DF PROTO=UDP SPT=43064 DPT=53 LEN=53
 
# And here DC2 is allowed again. 
Dec  4 14:52:05 kernel: [969364.268283] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49466 DF PROTO=TCP SPT=45728 DPT=389 WINDOW=29200 RES=0x00 SYN URGP=0
# 
Dec  4 14:52:05 kernel: [969364.278947] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.1 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=59754 DF PROTO=UDP SPT=39163 DPT=53 LEN=60
Dec  4 14:52:05 kernel: [969364.283905] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=59755 DF PROTO=UDP SPT=45775 DPT=53 LEN=53
Dec  4 14:52:05 kernel: [969364.283916] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=59756 DF PROTO=UDP SPT=45775 DPT=53 LEN=53
Dec  4 14:52:05 kernel: [969364.285945] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=191 TOS=0x00 PREC=0x00 TTL=64 ID=2165 DF PROTO=UDP SPT=38445 DPT=88 LEN=171
Dec  4 14:52:05 kernel: [969364.318061] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.1 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=59759 DF PROTO=UDP SPT=58533 DPT=53 LEN=60

I already tried allowing the dynamic ranges 1024:65535 for my LAN.
I don't get/see why I'm getting first the DC request (top 2 lines), then the INVALID and BLOCK, and then it's allowed.
 
At first I was thinking it's SPT=389 DPT=45690 in the UFW AUDIT INVALID line: DPT (destination port) 45690 was outside the ranges shown on the wiki,
so I allowed the full range 1024-65535 for the LAN.
 
The setup I need/want on the member server is the following.
I'm allowing only the IN/OUT that's needed. smbd and winbind are running on the member server, because it does need a few shares to be accessed and I need the authentication there.
 
All other parts I'm using are already in the firewall and working without problems.
This is the UFW firewall, or at least part of it, that I'm using; it's a new concept I'm working on for my mail server.
If anyone can explain to me why I still have these INVALID/BLOCK messages when I use: id username, or has any improvements, I'm very grateful to hear it.
 
The only things I could think of are these 3:
1) UFW's rules:
LOG        all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
so just getting blocked due to rate limiting.
 
2) samba is using wrong dynamic ports.
 
3) You tell me, I don't know. :-(
 
 
The firewall setup: 
 
# Restricted firewall with UFW. 
# LAN = 192.168.0.0/24 
# MEMBER ip : .100 
# AD DCs: .1 and .2
# 
# First allow SSH, so you don't get locked out.
# You might want to use `ufw limit 22` first. 
ufw limit in on eno1 proto tcp from 192.168.0.0/24 to 192.168.0.100 port 22 comment 'Limit SSH IN from  lan (22/tcp)'
ufw allow out on eno1 proto tcp from 192.168.0.100 to 192.168.0.0/24 port 22 comment 'Allow SSH OUT to lan (22/tcp)'
 
ufw default deny incoming
ufw default deny outgoing
ufw default deny routed
ufw logging medium
 
# needed for apt install/update/upgrades
ufw allow out on eno1 proto tcp from 192.168.0.100 to any port 21,80,443 comment 'Allow out ftp/http/https to any (21,80,443/tcp)'
 
# needed for nfs
ufw allow out on eno1 from 192.168.0.100 to 192.168.0.0/24 port 111 comment 'Allow out NFS to lan (111)(RPC required only by NFSV3)'
ufw allow out on eno1 from 192.168.0.100 to 192.168.0.0/24 port 2049 comment 'Allow out NFS to lan (2049)(NFSV4 and/or NFSV3)'
 
# Local webserver. 
ufw allow in on eno1 proto tcp from 192.168.0.0/24 to any port 80 comment 'Allow in on interface to Web ports (lan 80/tcp)'
ufw allow in on eno1 proto tcp from 192.168.0.0/24 to any port 443 comment 'Allow in on interface to Web ports (lan 443/tcp)'
 
# Samba (MEMBER, with shares)
# Allow in.
ufw allow in on eno1 proto tcp from 192.168.0.0/24 to 192.168.0.100 port 49152:65535 comment 'Allow in from lan to Dynamic RPC Ports (port 49152:65535/tcp)'
ufw allow in on eno1 proto udp from 192.168.0.0/24 to 192.168.0.100 port 49152:65535 comment 'Allow in from lan to Dynamic RPC Ports (port 49152:65535/udp)'
ufw allow in on eno1 proto udp from 192.168.0.0/24 to 192.168.0.100 port 137 comment 'Allow in from LAN to NetBIOS Name Service (port 137/udp)'
ufw allow in on eno1 proto udp from 192.168.0.0/24 to 192.168.0.100 port 138 comment 'Allow in from LAN to NetBIOS Datagram (port 138/udp)'
ufw allow in on eno1 proto tcp from 192.168.0.0/24 to 192.168.0.100 port 139 comment 'Allow in from LAN to NetBIOS Session(NBT over ip) (port 139/tcp)'
ufw allow in on eno1 proto tcp from 192.168.0.0/24 to 192.168.0.100 port 445 comment 'Allow in from LAN to SMB over TCP (445/tcp)'
 
# Allow out 
ufw allow out on eno1 proto tcp from 192.168.0.100 port 445 to 192.168.0.0/24 port 49152:65535 comment 'Allow out from SMB over TCP to Dynamic RPC Ports (port 49152:65535/tcp)'
 
# Samba (Member, OUT:  AD DC requests (via interface to LAN))
ufw allow out on eno1 proto udp from 192.168.0.100 to 192.168.0.0/24 port 123 comment 'Allow out to LAN (port 123/udp)'
ufw allow out on eno1 from 192.168.0.100 to any port 53 comment 'Allow out to any DNS (due to spamassassin) (port 53)'
ufw allow out on eno1 proto tcp from 192.168.0.100 to 192.168.0.0/24 port 445 comment 'Allow out to LAN SMB over TCP (445/tcp)'
ufw allow out on eno1 proto tcp from 192.168.0.100 to 192.168.0.0/24 port 135 comment 'Allow out to LAN DCE/RPC Locator Service (port 135/tcp)'
ufw allow out on eno1 proto tcp from 192.168.0.100 to 192.168.0.0/24 port 389 comment 'Allow out to LAN (port 389/tcp)'
ufw allow out on eno1 proto udp from 192.168.0.100 to 192.168.0.0/24 port 389 comment 'Allow out to LAN (port 389/udp)'
ufw allow out on eno1 proto tcp from 192.168.0.100 to 192.168.0.0/24 port 636 comment 'Allow out to LAN (port 636/tcp)'
ufw allow out on eno1 proto udp from 192.168.0.100 to 192.168.0.0/24 port 636 comment 'Allow out to LAN (port 636/udp)'
ufw allow out on eno1 from 192.168.0.100 to 192.168.0.0/24 port 88 comment 'Allow out to LAN (AD-DC) Kerberos (port 88)'
ufw allow out on eno1 from 192.168.0.100 to 192.168.0.0/24 port 464 comment 'Allow out to LAN (AD-DC) Kerberos kpasswd (port 464)'
ufw allow out on eno1 from 192.168.0.100 to 192.168.0.0/24 port 3268 comment 'Allow out to LAN (AD-DC) GC (non-ssl) (port 3268)'
ufw allow out on eno1 from 192.168.0.100 to 192.168.0.0/24 port 3269 comment 'Allow out to LAN (AD-DC) GC (ssl) (port 3269)'

 
Sources I've used:
https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
It states: The range matches the port range used by Windows Server 2008 and later. Samba versions before 4.7 used the TCP ports 1024 to 1300 instead.
To manually set the port range in Samba 4.7 and later, set the rpc server port parameter in your smb.conf file.
 
And man ufw 
 
So, anyone: suggestions, tips, improvements? Or is the above explained in riddles?
The question is: why do I see UFW AUDIT INVALID and BLOCK in my firewall logs when I use: id username?
 
 
Greetz, 
 
Louis
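An added triage script (my own, not from Louis's post nor from Samba or UFW) that parses the UFW kernel log lines quoted above, groups packets into flows regardless of direction, and for every INVALID/BLOCK entry reports what the member itself last sent on that same connection. On the quoted excerpt both dropped packets come out as a RST from DC2's LDAP port arriving a fraction of a millisecond after the member's own FIN, which points at connection-tracking state on an already-closed connection rather than at a missing port rule; the reason labels and the delta_ms field are my own naming.

```python
import re
from collections import defaultdict
# Lines quoted in the post: the member (.100) sends FIN to DC2 (.2) on LDAP; DC2's RST is then INVALID/BLOCK.
SAMPLE_LOG = """\
Dec  4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
Dec  4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
Dec  4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
Dec  4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
"""

LINE_RE = re.compile(r"\[(?P<ts>\d+\.\d+)\] \[(?P<prefix>UFW [A-Z ]+)\] (?P<rest>.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:          # KEY=VALUE pairs; IN= is empty on outbound lines
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:  # bare TCP flag words (DF and the like are skipped)
            flags.add(tok)
    return {"ts": float(m.group("ts")), "prefix": m.group("prefix"), "flags": flags,
            "dir": "out" if fields.get("OUT") else "in", "proto": fields["PROTO"],
            "src": fields["SRC"], "dst": fields["DST"], "spt": fields.get("SPT"), "dpt": fields.get("DPT")}

def classify_drops(log_text):
    # For each INVALID/BLOCK line, report what this host last sent on the same flow.
    history, findings = defaultdict(list), []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        # Direction-independent flow key: same protocol, same pair of endpoints.
        key = (pkt["proto"], frozenset({(pkt["src"], pkt["spt"]), (pkt["dst"], pkt["dpt"])}))
        if "INVALID" in pkt["prefix"] or "BLOCK" in pkt["prefix"]:
            last = next((p for p in reversed(history[key]) if p["dir"] == "out"), None)
            if last is None:
                reason = "no-matching-outbound-flow"  # unsolicited inbound packet
            elif "RST" in pkt["flags"] and "FIN" in last["flags"]:
                reason = "rst-after-local-fin"        # peer reset a flow we had already closed
            else:
                reason = "unexplained"
            findings.append({"prefix": pkt["prefix"], "peer": f"{pkt['src']}:{pkt['spt']}", "reason": reason,
                             "delta_ms": None if last is None else round((pkt["ts"] - last["ts"]) * 1000, 3)})
        history[key].append(pkt)
    return findings
```

Findings tagged rst-after-local-fin will not disappear by opening more ports: the choice is between no longer logging ctstate INVALID for such flows and loosening conntrack's TCP window tracking (net.netfilter.nf_conntrack_tcp_be_liberal=1), which trades some protection against spoofed RSTs for quieter logs.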

