[Samba] Re: Samba and ufw
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 11 10:25:33 UTC 2019
Hi Martin,
> -----Original message-----
> From: Martin McGlensey [mailto:mmcg29440 at frontier.com]
> Sent: Monday 11 February 2019 1:06
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Samba and ufw
>
> Louis,
>
> Tried the rules you suggested:
>
> These work. I think that rules out any Windows problems.
> ufw insert 1 allow in on enp2s5 from 192.168.254.15 to 192.168.254.39
> ufw insert 2 allow in on enp2s5 from 192.168.254.39 to 192.168.254.15
If these work, then correct, it's not a Windows OR Samba problem, that's 100% sure.
Pure firewall problem.
>
> These do not work.
> ufw insert 1 allow in on enp2s5 proto tcp from 192.168.254.0/24 to 192.168.254.39 port 139,445
> ufw insert 2 allow in on enp2s5 proto udp from 192.168.254.0/24 to 192.168.254.39 port 137,138
>
> Adding these does not work as well.
> ufw insert 1 allow in on enp2s5 proto tcp from 192.168.254.0/24 to 192.168.254.39 port 1024:1300,49152:65535
> ufw insert 1 allow in on enp2s5 proto tcp from 192.168.254.39 to 192.168.254.0/24 port 1024:1300,49152:65535
>
> No problem logging on with the firewall disabled or when
> enabled with the first two rules.
So then these are the problem for sure.
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
And
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
>
> Tried adding port 135 mentioned in an internet search. No change.
>
> Last part of /var/log/ufw.log:
> ..... (removed)...
>
> martin at radio:~$
>
> Are we missing a port or protocol?
No, somehow your firewall rules don't match up.
>
> Regards,
> Marty
>
I've checked my Ubuntu 18.04 server and 4 Debian servers, and none of these have the limit lines shown above.
I'm really wondering where these are coming from, and all my servers run ufw (none run gufw).
What I would do now in this case: clean up and start over, or you keep hitting problems in the future.
Stop Disable ufw : ufw stop && ufw disable
Remove and purge ufw gufw : apt-get remove --purge ufw gufw
Check if there are any rules left. : iptables --list-rules
Reboot
Check if there are any rules left. : iptables --list-rules
If some things appear now, then something is loading rules; if that's the case then we need to find that.
If it's clean, you should see only this:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Now, install mlocate : apt install mlocate, or use find, whatever you prefer.
Run : updatedb && locate ufw
Find any leftovers of ufw in :
/etc/ufw/
/lib/ufw/
When it's really clean, install ufw again.
Only run :
ufw allow 22 comment "Manual SSH"
ufw allow 137,138/udp comment "Manual NMBD"
ufw allow 139,445/tcp comment "Manual CIFS/SMBD"
Try again. (nmbd) is not really needed, but hey, let's fix it, you can disable it later on if needed.
Still not working? What if you add this to /etc/ufw/after.rules
At the top, after the first filter table's COMMIT:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT
Now we are only talking here about NMBD 137, which is what is showing blocks in the logs.
But you don't need 137/138 at all to get access to the share.
Last, if you run : systemctl status firewalld
Any output? Or firewall-cmd --state ?
Greetz,
Louis
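Since the ufw.log excerpt was cut from the thread, here is a small added diagnostic (my own example, not part of the original mail or of ufw/Samba) that parses "[UFW BLOCK]" lines from /var/log/ufw.log, counts the blocked packets that hit a Samba port, and maps them back to the two ufw rules suggested above. The log lines, the host name "radio" and the addresses are constructed for the example.

```python
import re

# Samba listeners as discussed in the thread: nmbd on 137/138 udp, smbd on 139/445 tcp.
SAMBA_PORTS = {
    ("UDP", 137): "nmbd (NetBIOS name service)",
    ("UDP", 138): "nmbd (NetBIOS datagram)",
    ("TCP", 139): "smbd (NetBIOS session)",
    ("TCP", 445): "smbd (CIFS/SMB)",
}

# Constructed sample of /var/log/ufw.log (netfilter LOG target, key=value fields).
SAMPLE_LOG = """\
Feb 10 19:05:12 radio kernel: [  981.123456] [UFW BLOCK] IN=enp2s5 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4321 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 10 19:05:13 radio kernel: [  982.223456] [UFW BLOCK] IN=enp2s5 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4322 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 10 19:05:14 radio kernel: [  983.323456] [UFW BLOCK] IN=enp2s5 OUT= MAC=00:11:22:33:44:66:00:11:22:33:44:55:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4323 DF PROTO=TCP SPT=49731 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 10 19:05:15 radio kernel: [  984.423456] [UFW BLOCK] IN=enp2s5 OUT= MAC=00:11:22:33:44:66:00:11:22:33:44:55:08:00 SRC=192.168.254.20 DST=192.168.254.39 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4324 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 10 19:05:16 radio kernel: [  985.523456] [UFW AUDIT] IN=enp2s5 OUT= SRC=192.168.254.15 DST=192.168.254.39 PROTO=TCP SPT=49732 DPT=445
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_block_line(line):
    """Return the key=value fields of a '[UFW BLOCK]' line, or None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("[UFW BLOCK]", 1)[1]))


def blocked_samba_traffic(lines):
    """Group blocked packets by (proto, dport) for Samba ports only.
    Returns {(proto, dport): {"service": str, "count": int, "sources": set}}."""
    report = {}
    for line in lines:
        fields = parse_block_line(line)
        if not fields or "DPT" not in fields:
            continue  # not a block, or ICMP/other without ports
        key = (fields["PROTO"], int(fields["DPT"]))
        if key not in SAMBA_PORTS:
            continue  # e.g. SSH on 22 is blocked for another reason
        entry = report.setdefault(key, {"service": SAMBA_PORTS[key], "count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(fields["SRC"])
    return report


def suggested_rules(report):
    """Map the blocked Samba ports to the two ufw rules from the thread."""
    rules = set()
    for proto, _port in report:
        rules.add('ufw allow 137,138/udp comment "Manual NMBD"' if proto == "UDP"
                  else 'ufw allow 139,445/tcp comment "Manual CIFS/SMBD"')
    return sorted(rules)


if __name__ == "__main__":
    found = blocked_samba_traffic(SAMPLE_LOG.splitlines())
    for (proto, port), info in sorted(found.items()):
        print(f"{proto}/{port} {info['service']}: {info['count']} blocked from {sorted(info['sources'])}")
    print("\n".join(suggested_rules(found)))
```

Run it against the real file with `blocked_samba_traffic(open("/var/log/ufw.log"))`; any "[UFW AUDIT]" lines from the extra logging chains above are ignored, so only genuine drops are counted.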