[Samba] Samba and firewalling

Fri Dec 14 10:51:46 UTC 2018

Hai, 

And update on this, a reply to myself in the hope someone knows or is able to verify the findings below. 
I've changed my rule sets a bit and i've tracked down the following. 

I notice a pattern. This is a repeat of 1x per hour, exact 1 hour. (+- 1-2 seconds) 

SRC = a AD-DC.
DST = the member 

[UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.x.1 DST=192.168.x.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=34298 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] IN=eno1 OUT= SRC=192.168.x.1 DST=192.168.x.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=34298 WINDOW=0 RES=0x00 RST URGP=0
And this is once every hour and can be any DC. 

I needed to change the dynamic port ranges due some there software im running also. 

# IN to member server
ufw allow in proto tcp from 192.168.x.1 port 389,1024:65535 to any port 1024:65535
ufw allow in proto tcp from 192.168.x.2 port 389,1024:65535 to any port 1024:65535
# Out to DC1
ufw allow out proto udp from any port 1024:65535 to 192.168.x.1 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.x.1 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:65535 to 192.168.x.1 port 53,88,123,389,464,1024:65535
ufw allow out proto tcp from any port 53,1024:65535 to 192.168.x.1 port 53,88,123,389,464,1024:65535
# Out to DC2
ufw allow out proto udp from any port 1024:65535 to 192.168.x.2 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.x.2 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:65535 to 192.168.x.2 port 53,88,123,389,464,1024:65535
ufw allow out proto tcp from any port 53,1024:65535 to 192.168.x.2 port 53,88,123,389,464,1024:65535

# In to Member, Allow fileshare access.
ufw allow in on eno1 proto tcp from 192.168.x.0/24 to any port 139,445
#ufw allow in on eno1 proto udp from 192.168.x.0/24 to any port 137,138

So im my opionion, it might be a normal thing here, i've notice 2 things if you use ufw as firewall. 
Iptables and conntracking and the changing request to/from the DC's are giving the : [UFW AUDIT INVALID] and [UFW BLOCK] 

If you dont use the authentication of samba for a while, and you run : id username. 
You see the same block and a full set of new request to/from AD, without UFW blocking things. 
Which make me think its a normal thing. 

Anyone suggestions opinions on this or can someone verify this asumption? 
I've tested this with iptables (1.6.0+snapshot20161117-6) and (1.8.2-2) and Ufw 0.35-4 and 0.35-6 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> L.P.H. van Belle via samba
> Verzonden: woensdag 5 december 2018 8:36
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba and firewalling
> 
> Hai, well, at least you did an attempt.. 
> 
> No, there are no crypto miner running in the office here. 
> And yes, i know i can set the logging to low to make it 
> disappear, but i would like to know what exact happens.
> 
> I dont understand why, when i use id username i see these 
> firewall lines.
> And id does work, even with these log lines. 
> 
> So im hoping on a next reply but thanks Rowland for the attemp :-) 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > Rowland Penny via samba
> > Verzonden: dinsdag 4 december 2018 17:04
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Samba and firewalling
> > 
> > On Tue, 4 Dec 2018 15:53:29 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > 
> > > Hai, 
> > >  
> > > Just a questions, this might be a bug, might not, but for 
> this one i
> > > need some help. 
> > > Setup, debian 9. 
> > >  
> > > Member server samba 4.9.3
> > > AD DC servers samba 4.8.7 
> > >  
> > > Im setting up the member with a very tight firewall, so nothing
> > > in/our/routed unless its defined. Im using UFW firewall for it. 
> > >  
> > > I notice the following in my member its firewall logs, 
> and this only
> > > happend when i run : id or getent passwd wbinfo -u  ( any wbinfo
> > > command )  no INVALID/BLOCKED in the logs. 
> > > And any other thing thats configured, what im testing, as 
> i see, no
> > > problems at all. Everything works as it should im only not 
> > happy with
> > > the lines UFW AUDIT INVALID and BLOCK. And i cant stand i 
> > cant figure
> > > this out, or at least i'm not sure of. 
> > >  
> > > IP : .100 is the member 
> > > IP: .1 and .2 are DC1 and DC2. 
> > >  
> > > The Log part. 
> > > # The request out to DC2. 
> > > Dec  4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1
> > > SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 
> PREC=0x00 TTL=64
> > > ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 
> RES=0x00 ACK PSH
> > > URGP=0 Dec  4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN=
> > > OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 
> TOS=0x00 PREC=0x00
> > > TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00
> > > ACK FIN URGP=0 ## DC2 gets invalid and blocked. Dec  4 14:52:05
> > > kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT=
> > > SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64
> > > ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST 
> URGP=0 Dec
> > > 4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT=
> > > SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64
> > > ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0 #
> > 
> > I would be more worried about the port: 45690
> > 
> > The only trace I could find is:
> > 
> > AEON
> > stratum+tcp://aeon.pool.minergate.com:45690
> > 
> > The good thing is that your firewall blocked it ;-)
> > 
> > If you don't want those messages in your logs, my 
> > understanding is that
> > replacing this:
> > 
> > ufw logging medium
> > 
> > with this:
> > 
> > ufw logging low
> > 
> > will stop them.
> > 
> > Rowland
> > 
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 