Re: [opensuse-factory] Samba and SuSEfirewall
On Sunday 11 February 2007 05:46, James Tremblay wrote:
sounds like YAST needs to be modified to modify the firewall automatically when opensuse joins a "workgroup" or Windows "domain".
When you configure the desktop machine as smb client in yast, the firewall on that desktop needs to be appropriately modified to allow the box to be an smb client. If share browsing is a particular security problem, then an extra tickbox for this with a brief notice what it does and how it reduces security would be good.
in defense of the "change the interface" suggestion, most people are behind a firewall on an enterprise network and expect that system to protect them.
For any desktop box on a LAN, changing interface to internal zone is equivalent to uninstalling the firewall on that desktop. This should have been made clear. It's IMHO not a solution, certainly not an acceptable one. Anything else is better than that.
Isn't it sufficient for share browsing to open ports 137 to 139 (udp and/or tcp) for smb related traffic?
I was under the impression that NFS was *much* more difficult to firewall because ports used are dynamically assigned. Yet in later SUSE versions it works impressively well, it's spot on out of the box.
Volker
--
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/ Please do not CC list postings to me.
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Sun, 11/02/2007 at 09.20 +1300, Volker Kuhlmann wrote:
Isn't it sufficient for share browsing to open ports 137 to 139 (udp and/or tcp) for smb related traffic?
You also need port 445 and, unfortunately, to accept packets from a random high port which is dynamically assigned.
Regards,
Alberto
Isn't it sufficient for share browsing to open ports 137 to 139 (udp and/or tcp) for smb related traffic?
You also need port 445 and, unfortunately, to accept packets from a random high port which is dynamically assigned.
Thanks. Accept packets on what port from the random high port? udp or tcp?
Volker
On Sun, 11/02/2007 at 11.00 +1300, Volker Kuhlmann wrote:
Isn't it sufficient for share browsing to open ports 137 to 139 (udp and/or tcp) for smb related traffic?
You also need port 445 and, unfortunately, to accept packets from a random high port which is dynamically assigned.
Thanks. Accept packets on what port from the random high port? udp or tcp?
Volker
Both TCP/UDP. At least it's what I do :-)
Talking in the chat, benJIman suggested to me to try disabling IPv6 because it lacks state tracking. Actually it seems to work.
Alberto
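The two approaches discussed in this thread (moving the interface into the internal zone versus opening only ports 137 to 139 and 445) can be checked against a firewall config with a short script. This is an added example, not part of the original thread and not openSUSE's own code: it assumes the SuSEfirewall2 sysconfig variables FW_DEV_INT and FW_SERVICES_EXT_TCP/FW_SERVICES_EXT_UDP and a `low:high` port-range syntax, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a SuSEfirewall2-style sysconfig
# file. FW_DEV_INT / FW_SERVICES_EXT_* are SuSEfirewall2 variable names; the
# config written below is constructed sample data.

# Print the value of VAR="..." from file $1 (last assignment wins).
fw_get() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Succeed if interface $2 is listed in the internal zone of config $1.
iface_is_internal() {
    for i in $(fw_get "$1" FW_DEV_INT); do
        [ "$i" = "$2" ] && return 0
    done
    return 1
}

# Succeed if port $1 is covered by entry list $2 ("139 445" or "137:139").
port_open() {
    for e in $2; do
        lo=${e%%:*}; hi=${e##*:}
        case "$lo$hi" in *[!0-9]*|"") continue ;; esac  # skip service names
        [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && return 0
    done
    return 1
}

# Print which of the thread's SMB ports (137-139, 445) are not opened in the
# external zone of config $1 for protocol $2 (TCP or UDP).
missing_smb_ports() {
    entries=$(fw_get "$1" "FW_SERVICES_EXT_$2")
    missing=""
    for p in 137 138 139 445; do
        port_open "$p" "$entries" || missing="$missing $p"
    done
    echo "${missing# }"
}

sample=$(mktemp)   # constructed sample config
cat > "$sample" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="139 445"
FW_SERVICES_EXT_UDP="137:139"
EOF
iface_is_internal "$sample" eth0 && echo "eth0 is in the internal zone"
echo "TCP not opened: $(missing_smb_ports "$sample" TCP)"
echo "UDP not opened: $(missing_smb_ports "$sample" UDP)"
```

Entries given as service names rather than numbers are skipped by this check, so a port opened by name is reported as not opened.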
participants (2)
- Alberto Passalacqua
- Volker Kuhlmann