[Samba] Samba and UFW

L.P.H. van Belle belle at bazuin.nl
Tue Jan 29 16:32:42 UTC 2019 


You only need this : ( change to your needs ) 
ufw allow in proto tcp from 192.168.0.0/24 to any port 139,445 comment 'Allow in port 139,445 (CIFS)'  

I suggest, 

First check : 
cat /etc/default/ufw 

Check if this line is there and this modules is enabled.
IPT_MODULES="nf_conntrack_netbios_ns"

Then 

ufw disable 
ufw reset
ufw limit 22

# adjust this line to you needs. 
ufw allow in proto tcp from 192.168.0.0/24 to any port 139,445 comment 'Allow in port 139,445 (CIFS)'  

#Or with network interaface names: 
ufw allow in on eth0 proto tcp from 192.168.0.0/24 to any port 139,445 comment 'Allow in on eth0 port 139,445 (CIFS)'

Or run iptables -S and show the output. 

Last, can you shown the output of : 
for x in $(rgrep -i samba /etc/ufw/* | cut -d":" -f1) ; do cat $x ; done

Then i can see if something is wrong in the application profiles. 
I grep on samba since is saw you enabled a "(Samba)"  profile.


##########
# A full set for a closed setup. ( nothing in/out ) compatible with older samba version. 
# a "allow out" firewall, only needs the IN lines. 
# 192.168.0.1 and 192.168.0.2 are the DC's .

# (IN) FROM ADDC'S 
ufw allow in proto tcp from 192.168.0.1 port 389,1024:65535 to any port 1024:65535
ufw allow in proto tcp from 192.168.0.2 port 389,1024:65535 to any port 1024:65535

# (OUT) TO ADDC'S 
# DC1
ufw allow out proto udp from any port 1024:65535 to 192.168.0.1 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.0.1 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:65535 to 192.168.0.1 port 53,88,123,389,464,1024:65535
ufw allow out proto tcp from any port 53,1024:65535 to 192.168.0.1 port 53,88,123,389,464,1024:65535
# DC1 
ufw allow out proto udp from any port 1024:65535 to 192.168.0.2 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.0.2 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:65535 to 192.168.0.2 port 53,88,123,389,464,1024:65535
ufw allow out proto tcp from any port 53,1024:65535 to 192.168.0.2 port 53,88,123,389,464,1024:65535

# (IN) MEMBER 
# TO THIS MEMBER SERVER (with shares) 
ufw allow in on eno1 proto tcp from 192.168.249.0/24 to any port 139,445 comment 'Allow in on eno1 port 139,445 (CIFS smbd)'
#ufw allow in on eno1 proto udp from 192.168.249.0/24 to any port 137,138 comment 'Allow in on eno1 port 137,138 (BROWSER nmbd)'  << i dont use this one. 
##########


Greetz, 

Louis

 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Reindl Harald via samba
> Verzonden: dinsdag 29 januari 2019 16:44
> Aan: mmcg29440 at frontier.com; samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba and UFW
> 
> 
> 
> Am 29.01.19 um 16:39 schrieb Marty via samba:
> > Here is the ufw.log after enabling logging medium and 
> trying to connect to
> > the windows net. Unfortunately the web Microsoft page is in 
> German. I think
> > it says window uses smb1 syntax.
> > 
> > Jan 27 15:11:09 martin-RB042AV-ABA-a1410y kernel: [  
> 887.241685] [UFW BLOCK]
> > IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00
> > SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 
> PREC=0x00 TTL=128
> > ID=10646 PROTO=UDP SPT=137 DPT=52944 LEN=70 
> > 
> > Jan 27 15:11:21 martin-RB042AV-ABA-a1410y kernel: [  
> 899.315443] [UFW BLOCK]
> > IN=enp2s5 OUT= MAC=00:19:21:a2:11:5e:74:27:ea:ab:1e:e0:08:00
> > SRC=192.168.254.15 DST=192.168.254.39 LEN=90 TOS=0x00 
> PREC=0x00 TTL=128
> > ID=10652 PROTO=UDP SPT=137 DPT=58971 LEN=70 
> given that the source port is always 137 and the destijnation port
> random it looks like your firewall just hasn't proper connection
> tracking to allow repsonse packets aka RELATED,ESTABLISHED
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list