[Samba] Samba and ufw

L. van Belle belle at samba.org
Thu Feb 7 16:04:40 UTC 2019


Hai, 


A more complete mail, but Marty, please run the commands first (see ** below).
Then we can determine what exactly is going on.
This must be done first to make sure no old rules are causing the problem;
that's why the reset.

I removed the IP ranges in that mail because we don't know your LAN range,
so change the IP numbers to your LAN range if needed/where needed.

When the ones below work, we can restrict it more.

** Test with these.
ufw disable
ufw reset
ufw limit 22/tcp
ufw allow in proto tcp from any port 389,1024:1300,49152:65535 to any port 1024:1300,49152:65535
ufw allow 139,445/tcp
ufw allow 137,138/udp
ufw --force enable
**

For example:
# allow a DC connection
# ufw allow in proto tcp from IP_DC port 389,1024:1300,49152:65535 to IP_MEMBER port 1024:1300,49152:65535

# in on interface from ...
ufw allow in on eno1 proto tcp from any port 389,1024:1300,49152:65535 to any port 1024:1300,49152:65535

I deny all in/out/routed traffic. If you allow outgoing (type: ufw allow
outgoing; that's the default), then only the IN lines are sufficient, of course.

Setting ufw logging high or medium shows a lot more in the logs, syslog
and/or /var/log/ufw.log, if enabled in /etc/rsyslog.d/20-ufw.conf.
I've enabled "& stop" because I prefer my firewall logs in only
/var/log/ufw.log.

If you're testing, Marty, set ufw logging medium.

## These are my latest tested and working/production rules. ##

Setup is: define the AD DC servers' IPs and allow all IPs on the member
servers.

I've done that so the IP numbers of the members running this are changeable
without the need of changing the firewall.

Something for you to play with. ;-) And the order here DOES matter a lot.

IPs 192.168.0.1 and 192.168.0.2 are my example IP numbers of the DCs.

Example.
# multiple ports need a protocol (ufw rejects "ufw allow 137,138" without one)
ufw allow 137,138/udp
ufw allow in on INTERFACE proto PROTOCOL from (any = 0.0.0.0/0) to (any = 0.0.0.0/0) port PORTNR

If you trust your LAN... it's just that I don't trust anything, and it's best to
ignore that I'm doing that for now. ;-)

# Allow everything from your LAN to your server.
ufw allow in from LAN_RANGE/24

Or with multiple interfaces
# Allow on INTERFACE everything from your LAN to your server
ufw allow in on INTERFACE from LAN_RANGE/24


# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
# IN from Samba AD DC (2-DC setup) to member (allows Samba before 4.7)
ufw allow in proto tcp from 192.168.0.1 port 389,1024:1300 to any port 1024:1300
ufw allow in proto tcp from 192.168.0.2 port 389,1024:1300 to any port 1024:1300

# IN from Samba AD DC (2 DCs) to member (allows Samba 4.7+)
ufw allow in proto tcp from 192.168.0.1 port 389,49152:65535 to any port 49152:65535
ufw allow in proto tcp from 192.168.0.2 port 389,49152:65535 to any port 49152:65535

# OUT from member1 to DC1
ufw allow out proto udp from any port 1024:65535 to 192.168.0.1 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.0.1 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:1300,49152:65535 to 192.168.0.1 port 53,88,123,389,464,1024:1300,49152:65535
ufw allow out proto tcp from any port 53,1024:1300,49152:65535 to 192.168.0.1 port 53,88,123,389,464,1024:1300,49152:65535

# OUT from member1 to DC2
ufw allow out proto udp from any port 1024:1300,49152:65535 to 192.168.0.2 port 137,138
ufw allow out proto tcp from any port 1024:1300,49152:65535 to 192.168.0.2 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:1300,49152:65535 to 192.168.0.2 port 53,88,123,389,464,1024:1300,49152:65535
ufw allow out proto tcp from any port 53,1024:1300,49152:65535 to 192.168.0.2 port 53,88,123,389,464,1024:1300,49152:65535

# https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
# IN on INTERFACE (eno1) from LAN to this domain member/file server
ufw allow in on eno1 proto tcp from 192.168.0.0/24 to any port 139,445 comment 'Allow in on eno1 port 139,445 (CIFS)'
ufw allow in on eno1 proto udp from 192.168.0.0/24 to any port 137,138 comment 'Allow in on eno1 port 137,138 (BROWSER)'

Back to my horrible OpenOffice Online... crappy documentation.
Need to integrate it in my mail env and it's a hard one.
Preparing to drop MS Office completely. Whoehoo..

Good luck, I'll have a look in the mailbox tomorrow again.


Greetz. 

Louis

PS. There might be some typos above this line, so test carefully.
And after a reset, your first line to enter is ALWAYS .. allow SSH access...
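A check to go with the logging advice in the mail (set ufw logging medium, then test): an added example, not code from Louis's mail, that parses [UFW BLOCK] lines as they land in /var/log/ufw.log and counts the blocked packets exchanged with the DCs on the ports the rules above open, so a missing rule shows up as a direction, DC and port. The sample log lines, the member address 192.168.0.10 and the service labels are constructed/assumed.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel "[UFW BLOCK]"/"[UFW ALLOW]" log format;
# 192.168.0.1 is the DC from the mail, 192.168.0.10 is an assumed member address.
SAMPLE_LOG = """\
Feb  7 16:04:40 member1 kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.1 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=49153 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  7 16:04:41 member1 kernel: [UFW BLOCK] IN= OUT=eno1 SRC=192.168.0.10 DST=192.168.0.1 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=88 LEN=60
Feb  7 16:04:41 member1 kernel: [UFW BLOCK] IN= OUT=eno1 SRC=192.168.0.10 DST=192.168.0.1 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40001 DPT=88 LEN=60
Feb  7 16:04:42 member1 kernel: [UFW ALLOW] IN=eno1 OUT= SRC=192.168.0.20 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=50000 DPT=445 SYN
Feb  7 16:04:43 member1 kernel: [UFW BLOCK] IN=eno1 OUT= SRC=10.0.0.5 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=55555 DPT=22 SYN
"""
# Service labels (assumed names) for the fixed ports the rules above open.
SAMBA_PORTS = {("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
               ("udp", 123): "NTP", ("tcp", 135): "RPC endpoint mapper", ("udp", 137): "NetBIOS name",
               ("udp", 138): "NetBIOS datagram", ("tcp", 139): "NetBIOS session", ("tcp", 445): "SMB",
               ("tcp", 389): "LDAP", ("udp", 389): "CLDAP", ("tcp", 464): "kpasswd", ("udp", 464): "kpasswd",
               ("tcp", 636): "LDAPS", ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog SSL"}
DYNAMIC_RPC = [(1024, 1300), (49152, 65535)]   # RPC ranges from the mail: pre-4.7 and 4.7+

def parse_ufw_line(line):
    """Return action, direction, addresses, protocol and dst port of a ufw log line, or None."""
    m = re.search(r"\[UFW (\w+)\] (.*)", line)
    f = dict(re.findall(r"(\w+)=(\S*)", m.group(2))) if m else {}
    if "PROTO" not in f or "DPT" not in f:
        return None
    return {"action": m.group(1), "dir": "in" if f.get("IN") else "out",   # IN= empty => outbound
            "src": f.get("SRC"), "dst": f.get("DST"), "proto": f["PROTO"].lower(), "dpt": int(f["DPT"])}

def classify_port(proto, port):
    if (proto, port) in SAMBA_PORTS:
        return SAMBA_PORTS[(proto, port)]
    for lo, hi in DYNAMIC_RPC:
        if lo <= port <= hi:
            return "RPC dynamic %d:%d" % (lo, hi)
    return None   # not a port the Samba rules cover

def blocked_samba_traffic(log_text, dc_ips):
    """Count BLOCKed packets to/from the DCs on Samba ports, keyed by (dir, DC, proto, dpt, service)."""
    hits = Counter()
    for line in log_text.splitlines():
        p = parse_ufw_line(line)
        if p is None or p["action"] != "BLOCK":
            continue
        peer = p["src"] if p["dir"] == "in" else p["dst"]
        service = classify_port(p["proto"], p["dpt"])
        if peer in dc_ips and service is not None:   # skips e.g. the port-22 probe in the sample
            hits[(p["dir"], peer, p["proto"], p["dpt"], service)] += 1
    return hits
```

Run it against the real /var/log/ufw.log with your DC addresses; an entry such as ("out", "192.168.0.1", "udp", 88, "Kerberos") means the OUT rule towards that DC for that port is missing or ordered after a deny.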