[Samba] Samba and ufw

mmcg29440 at frontier.com mmcg29440 at frontier.com
Thu Feb 7 14:31:41 UTC 2019


Rowland,

OK. Should I delete these lines?

diff yours mine
63d62
yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10
-j LOG --log-prefix "[UFW ALLOW] "
 85,87d83
yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
 92c88
----------------------------------------------------------------------------
----------------------------------------------------------------------------
-------------------------------------------

Edit these lines to be the same as yours

yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j RETURN
108,109c106,107
yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports
137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT yours# -A
ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m
comment --comment "\'dapp_Samba\'" -j ACCEPT
mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment
--comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p tcp -m
multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT


You have a few lines I don't have, I have a line that you do not have, but
it is very similar to one of yours and I am allowing access to Samba from
anywhere, but you are limiting it to '192.168.x.x'.

Are the numbers between the lines part of the line above? How do I make the
changes?

Thanks for your patience. We will resolve this issue yet.

Regards,
Marty

-----Original Message-----
From: Rowland Penny <rpenny at samba.org> 
Sent: Thursday, February 7, 2019 3:38 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba and ufw

On Wed, 6 Feb 2019 16:05:40 -0500
Martin McGlensey via samba <samba at lists.samba.org> wrote:

> Rowland,
> 
> Did some editing in smb.conf that I had to reverse. Now I'm back to 
> being able to connect with the firewall disabled. When I enable the 
> firewall I get as far as windows network -> workgroup but no 
> connection. I have only the rules you recommended in your last email.
> 

Running 'diff' against your rules and mine produces this:

diff yours mine
63d62
yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10
-j LOG --log-prefix "[UFW ALLOW] "
85,87d83
yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
92c88
yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
---
mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit
3/min --limit-burst 10 -j RETURN
108,109c106,107
yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports
137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT yours# -A
ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m
comment --comment "\'dapp_Samba\'" -j ACCEPT
---
mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment
--comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input -p tcp -m
multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT

You have a few lines I don't have, I have a line that you do not have, but
it is very similar to one of yours and I am allowing access to Samba from
anywhere, but you are limiting it to '192.168.x.x'.

Rowland
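
The difference Rowland points out in the last hunk (Samba ports accepted from anywhere versus only from 192.168.0.0/16) can be checked mechanically. The following is an added example, not part of the original thread: it parses the four ufw-user-input rules shown in the diff (re-joined onto single lines) and reports ACCEPT rules that open Samba ports to sources outside the private ranges. The function names, the LOCAL_NETS list and the IPv4-only handling are assumptions made for this example.

```python
import ipaddress
import shlex

SAMBA_PORTS = {137, 138, 139, 445}
# Assumption: "local" means the RFC 1918 private ranges (IPv4 only).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The four ufw-user-input rules from the diff, re-joined onto single lines.
RULES = r'''
-A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
'''.strip()

def expand_ports(spec):
    """Turn '137,138' or '137:139' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Extract source, protocol, destination ports and target from one '-A' line."""
    tokens = shlex.split(line)
    rule = {"source": "0.0.0.0/0", "proto": None, "ports": set(), "target": None}
    names = {"-s": "source", "--source": "source", "-p": "proto", "-j": "target"}
    i = 0
    while i + 1 < len(tokens):
        opt, val = tokens[i], tokens[i + 1]
        if opt in names:
            rule[names[opt]] = val
        elif opt in ("--dport", "--dports"):
            rule["ports"] = expand_ports(val)
        elif opt != "--comment":  # skip comment text so it is never read as an option
            i += 1
            continue
        i += 2
    return rule

def audit(rules_text):
    """Return (line_no, proto, ports, source) for ACCEPT rules exposing Samba ports beyond LOCAL_NETS."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith("-A "):
            continue
        rule = parse_rule(line)
        exposed = sorted(rule["ports"] & SAMBA_PORTS)
        src = ipaddress.ip_network(rule["source"], strict=False)
        if rule["target"] == "ACCEPT" and exposed and not any(src.subnet_of(net) for net in LOCAL_NETS):
            findings.append((n, rule["proto"], exposed, str(src)))
    return findings
```

Calling `audit(RULES)` flags only the third and fourth rules, the two without a `-s` match.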