[Samba] Re: Samba and ufw

Tony Hoover hoover at ksu.edu
Tue Feb 12 16:19:50 UTC 2019


Microsoft has the necessary ports (TCP and UDP) spelled out at: https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

Scroll down for the Windows Server 2008, 2012, 2012R2 section.
But basically, you're missing NTP, Kerberos, LDAP, and DNS on your firewall rules.


--

---  Protect personal information. The identity saved could be your own.

Tony Hoover
Kansas State University, Polytechnic campus
hoover at k-state.edu
ph:  785 826 2660
zoom: 785 826 2660

On Sun, 2019-02-10 at 19:06 -0500, Martin McGlensey via samba wrote:

Louis,


Tried the rules you suggested:


These work. I think that rules out any Windows problems.

ufw insert 1 allow in on enp2s5 from 192.168.254.15 to 192.168.254.39

ufw insert 2 allow in on enp2s5 from 192.168.254.39 to 192.168.254.15


These do not work.

ufw insert 1 allow in on enp2s5 proto tcp from 192.168.254.0/24 to 192.168.254.39 port 139,445

ufw insert 2 allow in on enp2s5 proto udp from 192.168.254.0/24 to 192.168.254.39 port 137,138


Adding these does not work as well.

ufw insert 1 allow in on enp2s5 proto tcp from 192.168.254.0/24 to 192.168.254.39 port 1024:1300,49152:65535

ufw insert 1 allow in on enp2s5 proto tcp from 192.168.254.39 to 192.168.254.0/24  port 1024:1300,49152:65535


No problem logging on with the firewall disabled or when enabled with the first two rules.


Tried adding port 135 mentioned in an internet search. No change.


Last part of /var/log/ufw.log:




martin at radio:~$ tail -n 30 /var/log/ufw.log
Feb 10 16:30:48 radio kernel: [ 3796.910381] [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=224.0.0.251 LEN=167 TOS=0x00 PREC=0x00 TTL=255 ID=58501 DF PROTO=UDP SPT=5353 DPT=5353 LEN=147
Feb 10 16:32:14 radio kernel: [ 3882.641181] [UFW AUDIT] IN=enp2s5 OUT= MAC=ff:ff:ff:ff:ff:ff:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.255 LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=32676 PROTO=UDP SPT=138 DPT=138 LEN=215
Feb 10 16:32:36 radio kernel: [ 3904.825197] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=45827 DF PROTO=UDP SPT=54662 DPT=137 LEN=58
Feb 10 16:32:36 radio kernel: [ 3904.825208] [UFW ALLOW] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=45827 DF PROTO=UDP SPT=54662 DPT=137 LEN=58
Feb 10 16:32:36 radio kernel: [ 3904.825234] [UFW AUDIT] IN=enp2s5 OUT= MAC= SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=45827 DF PROTO=UDP SPT=54662 DPT=137 LEN=58
Feb 10 16:32:36 radio kernel: [ 3904.825833] [UFW AUDIT] IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27398 PROTO=UDP SPT=137 DPT=54662 LEN=70
Feb 10 16:32:36 radio kernel: [ 3904.825853] [UFW BLOCK] IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27398 PROTO=UDP SPT=137 DPT=54662 LEN=70
Feb 10 16:32:37 radio kernel: [ 3905.826375] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=45984 DF PROTO=UDP SPT=48574 DPT=137 LEN=58
Feb 10 16:32:37 radio kernel: [ 3905.826387] [UFW ALLOW] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=45984 DF PROTO=UDP SPT=48574 DPT=137 LEN=58
Feb 10 16:32:37 radio kernel: [ 3905.826411] [UFW AUDIT] IN=enp2s5 OUT= MAC= SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=45984 DF PROTO=UDP SPT=48574 DPT=137 LEN=58
Feb 10 16:32:37 radio kernel: [ 3905.826922] [UFW AUDIT] IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27401 PROTO=UDP SPT=137 DPT=48574 LEN=70
Feb 10 16:32:37 radio kernel: [ 3905.826936] [UFW BLOCK] IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27401 PROTO=UDP SPT=137 DPT=48574 LEN=70
Feb 10 16:32:38 radio kernel: [ 3906.828475] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=46172 DF PROTO=UDP SPT=60219 DPT=137 LEN=58
Feb 10 16:32:38 radio kernel: [ 3906.828485] [UFW ALLOW] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=46172 DF PROTO=UDP SPT=60219 DPT=137 LEN=58
Feb 10 16:32:38 radio kernel: [ 3906.828511] [UFW AUDIT] IN=enp2s5 OUT= MAC= SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=46172 DF PROTO=UDP SPT=60219 DPT=137 LEN=58
Feb 10 16:33:07 radio kernel: [ 3936.009704] [UFW AUDIT] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.53 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=17405 DF PROTO=UDP SPT=49701 DPT=53 LEN=55
Feb 10 16:33:07 radio kernel: [ 3936.009741] [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=17405 DF PROTO=UDP SPT=49701 DPT=53 LEN=55
Feb 10 16:33:07 radio kernel: [ 3936.009782] [UFW AUDIT] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.53 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=17406 DF PROTO=UDP SPT=49701 DPT=53 LEN=55
Feb 10 16:33:07 radio kernel: [ 3936.009795] [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=17406 DF PROTO=UDP SPT=49701 DPT=53 LEN=55
Feb 10 16:33:07 radio kernel: [ 3936.010381] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.254 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=50514 DF PROTO=UDP SPT=43870 DPT=53 LEN=55
Feb 10 16:33:07 radio kernel: [ 3936.010390] [UFW ALLOW] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.254 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=50514 DF PROTO=UDP SPT=43870 DPT=53 LEN=55
Feb 10 16:33:08 radio kernel: [ 3937.010667] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=35.222.85.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33228 DF PROTO=TCP SPT=40360 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 10 16:33:08 radio kernel: [ 3937.010678] [UFW ALLOW] IN= OUT=enp2s5 SRC=192.168.254.39 DST=35.222.85.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33228 DF PROTO=TCP SPT=40360 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 10 16:34:23 radio kernel: [ 4012.052235] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=257 TOS=0x00 PREC=0x00 TTL=64 ID=52310 DF PROTO=UDP SPT=138 DPT=138 LEN=237
Feb 10 16:34:23 radio kernel: [ 4012.052245] [UFW ALLOW] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=257 TOS=0x00 PREC=0x00 TTL=64 ID=52310 DF PROTO=UDP SPT=138 DPT=138 LEN=237
Feb 10 16:34:23 radio kernel: [ 4012.052263] [UFW AUDIT] IN=enp2s5 OUT= MAC= SRC=192.168.254.39 DST=192.168.254.255 LEN=257 TOS=0x00 PREC=0x00 TTL=64 ID=52310 DF PROTO=UDP SPT=138 DPT=138 LEN=237
Feb 10 16:34:23 radio kernel: [ 4012.052308] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=52311 DF PROTO=UDP SPT=138 DPT=138 LEN=215
Feb 10 16:34:23 radio kernel: [ 4012.052313] [UFW ALLOW] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=52311 DF PROTO=UDP SPT=138 DPT=138 LEN=215
Feb 10 16:34:23 radio kernel: [ 4012.052331] [UFW AUDIT] IN=enp2s5 OUT= MAC= SRC=192.168.254.39 DST=192.168.254.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=52311 DF PROTO=UDP SPT=138 DPT=138 LEN=215
Feb 10 16:34:29 radio kernel: [ 4017.705758] [UFW AUDIT] IN=enp2s5 OUT= MAC=ff:ff:ff:ff:ff:ff:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.255 LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=32698 PROTO=UDP SPT=138 DPT=138 LEN=215
martin at radio:~$


Are we missing a port or protocol?


Regards,

Marty
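As an added diagnostic that is not part of the thread, a small POSIX shell script that pulls the [UFW BLOCK] entries out of a ufw.log excerpt and prints each as a flow tuple; the sample input is three lines copied from the log posted above. It makes the pattern in that log visible: the dropped packets are UDP replies from source port 137 to an ephemeral destination port, which a rule written as `to 192.168.254.39 port 137,138` (a destination-port match) does not cover.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise [UFW BLOCK] entries from
# /var/log/ufw.log as "PROTO SRC:SPT -> DST:DPT" so the dropped flow is obvious.
# SAMPLE_LOG is a constructed excerpt: three lines copied from the log above.
SAMPLE_LOG='Feb 10 16:32:36 radio kernel: [ 3904.825197] [UFW AUDIT] IN= OUT=enp2s5 SRC=192.168.254.39 DST=192.168.254.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=45827 DF PROTO=UDP SPT=54662 DPT=137 LEN=58
Feb 10 16:32:36 radio kernel: [ 3904.825853] [UFW BLOCK] IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27398 PROTO=UDP SPT=137 DPT=54662 LEN=70
Feb 10 16:32:37 radio kernel: [ 3905.826936] [UFW BLOCK] IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00 SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=27401 PROTO=UDP SPT=137 DPT=48574 LEN=70'

# field KEY LINE: print the value after "KEY=" in one kernel log line (empty if absent)
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# blocked_flows LOG: one line per [UFW BLOCK] entry, "PROTO SRC:SPT -> DST:DPT"
blocked_flows() {
    printf '%s\n' "$1" | grep '\[UFW BLOCK\]' | while IFS= read -r line; do
        printf '%s %s:%s -> %s:%s\n' \
            "$(field PROTO "$line")" "$(field SRC "$line")" "$(field SPT "$line")" \
            "$(field DST "$line")" "$(field DPT "$line")"
    done
}

# blocked_src_ports LOG: distinct source ports of blocked packets with a count,
# so a "reply from a service port to an ephemeral port" pattern stands out
blocked_src_ports() {
    blocked_flows "$1" | awk '{split($2, a, ":"); c[a[2]]++} END {for (p in c) print p, c[p]}' | sort
}

# Run against the embedded sample; replace SAMPLE_LOG with "$(cat /var/log/ufw.log)" for a live box.
blocked_flows "$SAMPLE_LOG"
blocked_src_ports "$SAMPLE_LOG"
```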




