[Samba] firewalld services to open for an ADDC

L.P.H. van Belle belle at bazuin.nl
Tue Feb 13 16:07:33 UTC 2018


Hai, 

Not complete yet, but functional, tested on Debian Stretch.

This is a bit of what I use to set up every server.

https://raw.githubusercontent.com/thctlo/debian-scripts/master/setup-ufw.sh

Sets up ufw in restrictive mode.
Autodetects the AD DCs.
Autodetects your mail server if an MX is in the DNS.
Enable/disable IPv6.
Enables ping out.
Restricts logging to ufw.

More to come, but it's a work in progress; depends on which server I'm working on. ;-)

I'll have a look at the systemd firewall also, looks interesting.


Greetz, 

Louis

> -----Original message-----
> From: Jeff Sadowski [mailto:jeff.sadowski at gmail.com]
> Sent: Tuesday, 13 February 2018 16:46
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] firewalld services to open for an ADDC
> 
> On Tue, Feb 13, 2018 at 8:30 AM, L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> > Hai,
> >
> > If you use that or the AD, then it's incomplete, imo.
> > You're missing ldaps (636) and the GC (ssl) (3268/3269) ports,
> > and maybe NTP (123/tcp) if installed.
> > Maybe you don't need them, just an observation.
> >
> 
> Oh I see I need to look at the ports in the chart not just the ones
> listed in the example.
> 
> I'll add to my list.
> 
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jeff
> >> Sadowski via samba
> >> Sent: Tuesday, 13 February 2018 16:05
> >> To: Marc Muehlfeld
> >> CC: Ing. Luis Felipe Domíngu.
> >> Subject: Re: [Samba] firewalld services to open for an ADDC
> >>
> >> On Mon, Feb 12, 2018 at 11:50 PM, Marc Muehlfeld
> >> <mmuehlfeld at samba.org> wrote:
> >> > Hi Jeff,
> >> >
> >> > On 13.02.2018 at 05:16, Jeff Sadowski via samba wrote:
> >> >> So my question is what services or ports am I missing to open?
> >> >
> >> > AD DCs:
> >> > https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
> >>
> >> Perfect, exactly what I was looking for.
> >> I found some docs about firewalld saying that the service files are kept in
> >> /usr/lib/firewalld/services
> >> so I did
> >> [root at dc1 ~]# grep -e 139 -e 88 -e 445 /usr/lib/firewalld/services/*.xml
> >> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port protocol="tcp" port="88"/>
> >> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port protocol="udp" port="88"/>
> >> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port protocol="tcp" port="88"/>
> >> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port protocol="udp" port="88"/>
> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="138-139"/>
> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="138-139"/>
> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="445"/>
> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="445"/>
> >> /usr/lib/firewalld/services/kerberos.xml:  <port protocol="tcp" port="88"/>
> >> /usr/lib/firewalld/services/kerberos.xml:  <port protocol="udp" port="88"/>
> >> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="139"/>
> >> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="445"/>
> >> so by adding
> >>
> >> firewall-cmd --add-service=dns --permanent
> >> firewall-cmd --add-service=samba --permanent
> >> firewall-cmd --add-service=kerberos --permanent
> >> firewall-cmd --reload
> >>
> >> I should have all the ports I need.
> >> Thank you.
> >>
> >> >
> >> > Domain members:
> >> > https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
> >> >
> >> >
> >> > Regards,
> >> > Marc
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
> 
> 
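A check for the gap Louis points out above, as an added example that is not from the thread, from Samba or from firewalld: it parses firewalld service definitions in the `<port protocol=".." port=".."/>` format the grep output shows, reports which AD DC ports the dns, samba and kerberos services still leave closed, and renders those as a service file. The three service XMLs are constructed stand-ins for the real files, the port list is taken from the wiki chart Marc linked, and the `samba-ad-dc-extra` service name is assumed.

```python
import xml.etree.ElementTree as ET

# Ports a Samba AD DC listens on, per the wiki chart linked in the thread.
# Entries are (protocol, port-or-range); LDAPS only matters if TLS is enabled.
AD_DC_PORTS = {
    ("tcp", "53"), ("udp", "53"), ("tcp", "88"), ("udp", "88"),      # DNS, Kerberos
    ("tcp", "135"), ("udp", "137"), ("udp", "138"), ("tcp", "139"),  # RPC EPM, NetBIOS
    ("tcp", "445"), ("tcp", "389"), ("udp", "389"),                  # SMB, LDAP
    ("tcp", "464"), ("udp", "464"), ("tcp", "636"),                  # kpasswd, LDAPS
    ("tcp", "3268"), ("tcp", "3269"), ("tcp", "49152-65535"),        # GC, GC SSL, dyn. RPC
}

# Constructed stand-ins for /usr/lib/firewalld/services/{dns,samba,kerberos}.xml,
# in the <port protocol=".." port=".."/> format the grep output above shows.
SERVICES = {
    "dns": '<service><port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    "samba": '<service><port protocol="udp" port="137"/><port protocol="udp" port="138"/>'
             '<port protocol="tcp" port="139"/><port protocol="tcp" port="445"/></service>',
    "kerberos": '<service><port protocol="tcp" port="88"/><port protocol="udp" port="88"/></service>',
}

def _interval(spec):
    """'88' -> (88, 88); '138-139' -> (138, 139)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def service_ports(xml_text):
    """Set of (protocol, (lo, hi)) intervals one firewalld service definition opens."""
    return {(p.get("protocol"), _interval(p.get("port")))
            for p in ET.fromstring(xml_text).iter("port")}

def missing_ports(required, service_xmls):
    """Required (proto, spec) entries not fully contained in any opened interval."""
    opened = set().union(*(service_ports(x) for x in service_xmls))
    gaps = set()
    for proto, spec in required:
        lo, hi = _interval(spec)
        if not any(p == proto and olo <= lo and hi <= ohi for p, (olo, ohi) in opened):
            gaps.add((proto, spec))
    return gaps

def gap_service_xml(ports, name="samba-ad-dc-extra"):
    """Render the gaps as a firewalld service file for /etc/firewalld/services/."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = name  # assumed service name
    for proto, spec in sorted(ports, key=lambda e: (e[0], _interval(e[1]))):
        ET.SubElement(svc, "port", protocol=proto, port=spec)
    return ET.tostring(svc, encoding="unicode")
```

Run against the real files under /usr/lib/firewalld/services instead of the stand-ins to see what a given set of `--add-service` calls actually leaves closed.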
