[Samba] Samba and ufw

Rowland Penny rpenny at samba.org
Thu Feb 7 14:47:32 UTC 2019


On Thu, 7 Feb 2019 09:31:41 -0500
<mmcg29440 at frontier.com> wrote:

> Rowland,
> 
> OK. Should I delete these lines?
> 
> diff yours mine
> 63d62
> yours# -A ufw-after-logging-output -m limit --limit 3/min
> --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
>  85,87d83
> yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m
> limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT]
> " yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m
> limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT]
> " yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m
> limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT]
> " 92c88
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
> -------------------------------------------
> 
> Edit these lines to be the same as yours
> 
> yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit
> --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT
> INVALID] " mine# -A ufw-logging-deny -m conntrack --ctstate INVALID
> -m limit --limit 3/min --limit-burst 10 -j RETURN
> 108,109c106,107
> yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport
> --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport
> --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m
> comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input
> -p tcp -m multiport --dports 139,445 -m comment --comment
> "\'dapp_Samba\'" -j ACCEPT
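
Review bot: in the 108,109c106,107 hunk the two "mine" ufw-user-input rules have no -s match, so adopting them accepts 137,138/udp and 139,445/tcp from any source address. Keep the "yours" form with -s 192.168.0.0/16 unless clients outside that range need access, and in that case add a rule for their specific subnet rather than dropping the source match.
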
> 
> 
> You have a few lines I don't have, I have a line that you do not
> have, but it is very similar to one of yours and I am allowing access to
> Samba from anywhere, but you are limiting it to '192.168.x.x'
> 
> Are the numbers between the lines part of the line above? How do I
> make the changes?

You have '-s 192.168.0.0/16', I don't, it means you are only allowing
connections from 192.168.0.0 to 192.168.255.255, I am allowing them from
anywhere.

I am by no means a firewall expert, I just know what works for me. This
isn't really a Samba problem, it works without the firewall, you really
need to find a firewall expert, perhaps trying on the Ubuntu mailing
list might be an idea.

> 
> Thanks for your patience. We will resolve this issue yet.
> 

I do hope you fix this, but I don't think I can help further with this,
perhaps Louis has some further thoughts.

Rowland
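
The difference Rowland describes between rules with and without '-s 192.168.0.0/16' can be checked mechanically. The following is an added example, not code from either poster or from the ufw or Samba projects: it parses rule lines in the form quoted above and reports, for each ACCEPT rule on the Samba ports, which source range it admits. The names `YOURS`, `MINE`, `parse_rule` and `audit` are hypothetical; the rule lines are copied from the quoted diff.

```python
import ipaddress
import shlex

SAMBA_PORTS = {137, 138, 139, 445}  # ports named in the quoted rules
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rule lines as quoted in the thread (labels "yours#"/"mine#" stripped).
YOURS = r'''
-A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
'''
MINE = r'''
-A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
'''

def parse_rule(line):
    """Extract source, protocol, destination ports and target from one -A line.
    Negated matches ("! -s ...") are not handled in this sketch."""
    tok = shlex.split(line)
    rule = {"proto": None, "ports": set(), "source": None, "target": None}
    for flag, val in zip(tok, tok[1:]):
        if flag in ("-s", "--source"):
            rule["source"] = val
        elif flag in ("-p", "--protocol"):
            rule["proto"] = val
        elif flag in ("--dport", "--dports"):
            for part in val.split(","):          # "137,138" or "137:139"
                lo, _, hi = part.partition(":")
                rule["ports"].update(range(int(lo), int(hi or lo) + 1))
        elif flag in ("-j", "--jump"):
            rule["target"] = val
    return rule

def audit(rules_text):
    """Return (proto, samba_ports, source, lan_only) per ACCEPT rule on Samba ports."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip().startswith("-A "):
            continue
        r = parse_rule(line.strip())
        hit = sorted(r["ports"] & SAMBA_PORTS)
        if r["target"] != "ACCEPT" or not hit:
            continue
        # A rule with no -s matches every source address.
        src = ipaddress.ip_network(r["source"] or "0.0.0.0/0", strict=False)
        lan_only = any(src.subnet_of(net) for net in RFC1918)
        findings.append((r["proto"], hit, str(src), lan_only))
    return findings

if __name__ == "__main__":
    for name, text in (("yours", YOURS), ("mine", MINE)):
        for proto, ports, src, lan_only in audit(text):
            print(f"{name}: {proto} {ports} from {src} lan_only={lan_only}")
```
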


