[Samba] Samba and ufw
mmcg29440 at frontier.com
Thu Feb 7 14:31:41 UTC 2019
Rowland,
OK. Should I delete these lines?
diff yours mine
63d62
yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10
-j LOG --log-prefix "[UFW ALLOW] "
85,87d83
yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
92c88
----------------------------------------------------------------------------
----------------------------------------------------------------------------
-------------------------------------------
Edit these lines to be the same as yours
yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j RETURN
108,109c106,107
yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports
137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT yours# -A
ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m
comment --comment "\'dapp_Samba\'" -j ACCEPT
mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment
--comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p tcp -m
multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
You have a few lines I don't have, I have a line that you do not have, but
it is very similar to one of yours and I am allowing access to Samba from
anywhere, but you are limiting it to '192.168.x.x'.
Are the numbers between the lines part of the line above? How do I make the
changes?
Thanks for your patience. We will resolve this issue yet.
Regards,
Marty
-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: Thursday, February 7, 2019 3:38 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba and ufw
On Wed, 6 Feb 2019 16:05:40 -0500
Martin McGlensey via samba <samba at lists.samba.org> wrote:
> Rowland,
>
> Did some editing in smb.conf that I had to reverse. Now I'm back to
> being able to connect with the firewall disabled. When I enable the
> firewall I get as far as windows network -> workgroup but no
> connection. I have only the rules you recommended in your last email.
>
Running 'diff' against your rules and mine produces this:
diff yours mine
63d62
yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10
-j LOG --log-prefix "[UFW ALLOW] "
85,87d83
yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
92c88
yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
---
mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j RETURN
108,109c106,107
yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports
137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT yours# -A
ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m
comment --comment "\'dapp_Samba\'" -j ACCEPT
---
mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment
--comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p tcp -m
multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
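Review bot: in 108,109c106,107 the "mine" side drops "-s 192.168.0.0/16" from both dapp_Samba ACCEPT rules, so udp 137,138 and tcp 139,445 are accepted from any source address. Keeping the "yours" form with the source match is the tighter rule; if the Windows clients are not inside 192.168.0.0/16, change the "-s" value to the network they are in rather than removing the match.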
You have a few lines I don't have, I have a line that you do not have, but
it is very similar to one of yours and I am allowing access to Samba from
anywhere, but you are limiting it to '192.168.x.x'.
Rowland
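Added example, not part of the original thread: a small check that reads rules in the "-A ..." form shown in the diff and reports ACCEPT rules that open the Samba ports to sources outside an allowed network. The names YOURS, MINE, expand_ports and open_samba_rules are hypothetical, the rule text is reconstructed from the wrapped lines above, and the default allowed network is the 192.168.0.0/16 range from the thread; IPv4 only, and "!" negation on "-s" is not handled.

```python
import ipaddress
import shlex

SAMBA_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
FLAGS = {"-s", "-p", "-j", "--dport", "--dports"}

# Constructed samples: rules from the diff above with the mail wrapping undone.
YOURS = r"""
-A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
"""
MINE = r"""
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
"""


def expand_ports(spec):
    """Turn '137,138' or '137:139' into a set of port numbers."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def open_samba_rules(rules_text, allowed=("192.168.0.0/16",)):
    """Return (proto, port, source) for each ACCEPT rule that opens a Samba
    port to an IPv4 source not contained in one of the `allowed` networks."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        opt = {k: v for k, v in zip(tok, tok[1:]) if k in FLAGS}
        if opt.get("-j") != "ACCEPT":
            continue  # LOG/RETURN rules do not admit traffic
        # A rule with no -s matches every source address.
        src = ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"), strict=False)
        spec = opt.get("--dports") or opt.get("--dport") or ""
        for port in sorted(expand_ports(spec)):
            if (opt.get("-p"), port) in SAMBA_PORTS and not any(
                    src.subnet_of(n) for n in nets):
                findings.append((opt["-p"], port, str(src)))
    return findings
```

Calling open_samba_rules(MINE) lists all four Samba ports as open to 0.0.0.0/0, while open_samba_rules(YOURS) returns an empty list.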