[Samba] Samba and ufw

L.P.H. van Belle belle at bazuin.nl
Thu Feb 7 14:53:22 UTC 2019


Yes, 

Try this (copy-pastable).

ufw disable
ufw reset
ufw limit 22/tcp
ufw allow in proto tcp from any port 389,1024:65535 to any port 1024:65535
ufw allow 139,445/tcp
ufw allow 137,138/udp
ufw --force enable

Sorry for the late reply, but I'm a bit busy with some servers here.

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday 7 February 2019 15:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and ufw
> 
> On Thu, 7 Feb 2019 09:31:41 -0500
> <mmcg29440 at frontier.com> wrote:
> 
> > Rowland,
> > 
> > OK. Should I delete these lines?
> > 
> > diff yours mine
> > 63d62
> > yours# -A ufw-after-logging-output -m limit --limit 3/min
> > --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
> >  85,87d83
> > yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m
> > limit --limit 3/min --limit-burst 10 -j LOG --log-prefix 
> "[UFW AUDIT]
> > " yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m
> > limit --limit 3/min --limit-burst 10 -j LOG --log-prefix 
> "[UFW AUDIT]
> > " yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m
> > limit --limit 3/min --limit-burst 10 -j LOG --log-prefix 
> "[UFW AUDIT]
> > " 92c88
> > 
> --------------------------------------------------------------
> --------------
> > 
> --------------------------------------------------------------
> --------------
> > -------------------------------------------
> > 
> > Edit these lines to be the same as yours
> > 
> > yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit
> > --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT
> > INVALID] " mine# -A ufw-logging-deny -m conntrack --ctstate INVALID
> > -m limit --limit 3/min --limit-burst 10 -j RETURN
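Review bot: in the 92c88 hunk the two ufw-logging-deny lines differ only in their target, `-j LOG --log-prefix "[UFW AUDIT INVALID] "` on one side and `-j RETURN` on the other. Neither target is ACCEPT or DROP, so this difference changes what is logged for INVALID packets, not whether Samba traffic is let through; it does not need to be edited to match in order to compare the Samba rules.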
> > 108,109c106,107
> > yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport
> > --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> > yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport
> > --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
> > mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m
> > comment --comment "\'dapp_Samba\'" -j ACCEPT mine# -A ufw-user-input
> > -p tcp -m multiport --dports 139,445 -m comment --comment
> > "\'dapp_Samba\'" -j ACCEPT
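Review bot: in the 108,109c106,107 hunk the two pairs of dapp_Samba rules differ only by `-s 192.168.0.0/16`, and the pair without it accepts 137,138/udp and 139,445/tcp from any source address. If all clients are on the LAN, keep the `-s` form, narrowed to the subnet actually in use, rather than removing the source match to make the files identical.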
> > 
> > 
> > You have a few lines I don't have, I have a line that you do not
> > have, but it is very similar to one of yours and I am allowing
> > access to Samba from anywhere, but you are limiting it to
> > '192.168.x.x'
> > 
> > Are the numbers between the lines part of the line above? How do I
> > make the changes?
> 
> You have '-s 192.168.0.0/16', I don't, it means you are only allowing
> connections from 192.168.0.0 to 192.168.255.255, I am allowing them
> from anywhere.
> 
> I am by no means a firewall expert, I just know what works for me.
> This isn't really a Samba problem, it works without the firewall, you
> really need to find a firewall expert, perhaps trying on the Ubuntu
> mailing list might be an idea.
> 
> > 
> > Thanks for your patience. We will resolve this issue yet.
> > 
> 
> I do hope you fix this, but I don't think I can help further with
> this, perhaps Louis has some further thoughts.
> 
> Rowland
> 
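
Added example, not part of the original message and not code from ufw or Samba: a small audit that reads rules in the iptables-style format quoted in this thread and reports the ufw-user-input ACCEPT rules that open the Samba ports (137,138/udp and 139,445/tcp) to a source that is missing or not a private range. The function names and the sample rules are constructed for illustration.

```python
import ipaddress
import shlex

# NetBIOS/SMB ports opened by the rules discussed in this thread.
SAMBA_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# Constructed sample in the rule format quoted in the thread.
SAMPLE_RULES = r'''
-A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
'''


def expand_ports(spec):
    """Expand a port spec such as '139,445' or '1024:1030' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def exposed_samba_rules(rules_text):
    """Return (proto, ports, source) for ACCEPT rules exposing Samba ports
    to a missing or non-private source address."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "ufw-user-input"]:
            continue  # only user rules decide what is accepted here
        # Map each option to the token that follows it.
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "ACCEPT":
            continue
        spec = opts.get("--dports") or opts.get("--dport")
        hit = expand_ports(spec) & SAMBA_PORTS.get(opts.get("-p"), set()) if spec else set()
        src = opts.get("-s")
        if hit and (src is None or not ipaddress.ip_network(src, strict=False).is_private):
            findings.append((opts["-p"], sorted(hit), src or "anywhere"))
    return findings


if __name__ == "__main__":
    for proto, ports, src in exposed_samba_rules(SAMPLE_RULES):
        print(f"Samba {proto} ports {ports} accepted from {src}")
```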



