[Samba] ,Re: Samba and ufw

L.P.H. van Belle belle at bazuin.nl
Mon Feb 11 10:25:33 UTC 2019


Hi Martin,  

> -----Oorspronkelijk bericht-----
> Van: Martin McGlensey [mailto:mmcg29440 at frontier.com] 
> Verzonden: maandag 11 februari 2019 1:06
> Aan: L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: ,Re: [Samba] Samba and ufw
> 
> Louis,
> 
> Tried the rules you suggested:
> 
> These work. I think that rules out any Windows problems.
> ufw insert 1 allow in on enp2s5 from 192.168.254.15 to 192.168.254.39
> ufw insert 2 allow in on enp2s5 from 192.168.254.39 to 192.168.254.15

If these work, then correct, not a windows OR samba problem thats 100% sure.
Pure firewall problem. 

> 
> These do not work.
> ufw insert 1 allow in on enp2s5 proto tcp from 
> 192.168.254.0/24 to 192.168.254.39 port 139,445
> ufw insert 2 allow in on enp2s5 proto udp from 
> 192.168.254.0/24 to 192.168.254.39 port 137,138

> 
> Adding these does not work as well.
> ufw insert 1 allow in on enp2s5 proto tcp from 
> 192.168.254.0/24 to 192.168.254.39 port 1024:1300,49152:65535
> ufw insert 1 allow in on enp2s5 proto tcp from 192.168.254.39 
> to 192.168.254.0/24  port 1024:1300,49152:65535
> 
> No problem logging on with the firewall disabled or when 
> enabled with the first two rules.

So then theses are the problem for sure. 
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j 
LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j 
LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j 
LOG --log-prefix "[UFW ALLOW] "

And 

-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit 
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 
3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 
3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "



> 
> Tried adding port 135 mentioned in an internet search. No change.
> 
> Last part of /var/log/ufw.log:
> ..... (removed)... 
> 
> martin at radio:~$
> 
> Are we missing a port or protocol?

No, somehow your firewall rules dont match up. 

> 
> Regards,
> Marty
> 

I've checked my ubuntu 18.04 server, and 4 debian servers, and non of these have these limit lines shown above. 
I'm really wondering where these are coming from and all my servers run ufw ( none gufw ) 

What i would do no in this case, cleanup and start over, or you keep hitting problems in the future. 

Stop Disable ufw : ufw stop && ufw disable
Remove and purge ufw gufw  : apt-get remove --purge ufw gufw
Check if there are any rules left. : iptables --list-rules 
Reboot 
Check if there are any rules left. : iptables --list-rules 

If some things appear now, then something is loading rules, if thats the case then we need to find that. 
If its clean, you should see only this : 
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Now, install mlocate : apt install mlocate or use find, whatever you preffer. 
Run : updatedb && locate ufw

Find any leftovers of ufw in :

/etc/ufw/ 
/lib/ufw/

When its really clean, install ufw again. 
Only run : 
ufw allow 22 comment "Manual NMBD"
ufw allow 137,138/udp comment "Manual NMBD
ufw allow 139,445/tcp comment "Manual CIFS/SMBD"

Try again. (nmbd) is not really needed, but he, lets fix it, you can disable it later on if needed. 

Not working, what if you add this to /etc/ufw/after.rules 
At the top, after the first filter its commit 

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT

Now we are only talking here about NMBD 137, what is showing blocks in the logs. 
But you dont need 137/138 all get access to the share. 


Last, if you run :  systemctl status firewalld  
Any output? Or firewall-cmd --state ? 

Greetz, 

Louis




More information about the samba mailing list