[opensuse-factory] Samba and SuSEfirewall
Thinking about possible improvements for 10.3, I thought it would be nice to have this bug solved: https://bugzilla.novell.com/show_bug.cgi?id=243809
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool.
Regards, A.P.
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Thu, Feb 08, 2007 at 10:25:23PM +0100, Alberto Passalacqua wrote:
Thinking about possible improvements for 10.3, I thought it would be nice to have this bug solved.
https://bugzilla.novell.com/show_bug.cgi?id=243809
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool.
Just put the respective network interface into the Internal Zone; it has all ports opened by default.
Ciao, Marcus
On Thu, 2007-02-08 at 22:35 +0100, Marcus Meissner wrote:
On Thu, Feb 08, 2007 at 10:25:23PM +0100, Alberto Passalacqua wrote:
Thinking about possible improvements for 10.3, I thought it would be nice to have this bug solved.
https://bugzilla.novell.com/show_bug.cgi?id=243809
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool.
Just put the respective network interface into the Internal Zone, it has all ports opened by default.
This isn't very intuitive for most users. Better would be to finish the packages-can-open-ports bug and the samba-needs-a-narrower-range-of-ports bug. Might also be an idea to trigger the firewall changes for nautilus and konqueror.
-JP
--
JP Rosevear
line 432
TESTCD=$(echo ${CD_LINE}|awk '{print $6}') # the mount point where the $CD_DIR will reside
FREE_CD=$(echo ${CD_LINE}|awk '{print $4}') # the free space on the mount point for $CD_DIR
TESTDVD=$(echo ${DVD_LINE}|awk '{print $6}') # the mount point where the $DVD_DIR will reside
FREE_DVD=$(echo ${DVD_LINE}|awk '{print $4}') # the free space on the mount point for $DVD_DIR
should be:
FREE_CD=$(echo ${CD_LINE}|awk '{print $(NF-2)}')
otherwise it will be an error when "df" shows the following result:
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/system-suse10
15728156 13381848 2346308 86% /
----- Original Message -----
From: "JP Rosevear"
On Thu, 2007-02-08 at 22:35 +0100, Marcus Meissner wrote:
On Thu, Feb 08, 2007 at 10:25:23PM +0100, Alberto Passalacqua wrote:
Thinking about possible improvements for 10.3, I thought it would be nice to have this bug solved.
https://bugzilla.novell.com/show_bug.cgi?id=243809
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool.
Just put the respective network interface into the Internal Zone, it has all ports opened by default.
This isn't very intuitive for most users. Better would be to finish the packages-can-open-ports bug and the samba-needs-a-narrower-range-of-ports bug. Might also be an idea to trigger the firewall changes for nautilus and konqueror.
-JP
--
JP Rosevear
Novell, Inc.
Please: to start a new thread, do not reply to a current thread. On 2007-02-09 03:56, James Li wrote:
otherwise it will be an error when "df" shows the following result:
Filesystem 1K-blocks Used Available Use% Mounted on /dev/mapper/system-suse10 15728156 13381848 2346308 86% /
Problems parsing multi-line df output can be solved by using the -P (--portability) option of df.
Kevin
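Putting James' field fix and Kevin's -P suggestion together, as an added example that is not code from the thread or from the script James quoted: the df output below is constructed to reproduce the wrapped device-name case, and the two awk variants show why counting fields from the end ($(NF-2) for Available, $NF for the mount point) survives the wrap while $4 and $6 do not. The live available_kb function assumes a POSIX df that honours -P and -k.

```shell
#!/bin/sh
# Constructed df output (not captured from a real system): the long device
# name makes df wrap the entry onto two lines when -P is not given.
SAMPLE_DF_WRAPPED='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/system-suse10
                      15728156  13381848   2346308  86% /
/dev/sda1               102400     51200     51200  50% /boot'

# The same data as df -P prints it: exactly one line per filesystem.
SAMPLE_DF_PORTABLE='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/system-suse10 15728156 13381848 2346308 86% /
/dev/sda1 102400 51200 51200 50% /boot'

# Naive parse from the script under discussion: field 4 is Available and
# field 6 the mount point. On a wrapped entry the numbers line has only five
# fields, so the mount point is never matched and nothing is printed.
available_naive() {   # $1 = df text, $2 = mount point
  printf '%s\n' "$1" | awk -v mp="$2" '$6 == mp { print $4 }'
}

# Robust parse: count from the end. The mount point is always the last field
# and Available is always two fields before it, wrapped or not. NR > 1 skips
# the header, whose last field is "on".
available_robust() {  # $1 = df text, $2 = mount point
  printf '%s\n' "$1" | awk -v mp="$2" 'NR > 1 && $NF == mp { print $(NF-2) }'
}

# Live query (assumes POSIX df): -P guarantees one line per filesystem and
# -k fixes the unit to 1K blocks; the NF-relative field is kept anyway.
available_kb() {      # $1 = any path on the filesystem of interest
  df -P -k "$1" | awk 'NR == 2 { print $(NF-2) }'
}

# Usage: free space on / from the constructed samples and from the live system.
echo "naive, wrapped:    '$(available_naive "$SAMPLE_DF_WRAPPED" /)'"
echo "robust, wrapped:   $(available_robust "$SAMPLE_DF_WRAPPED" /)"
echo "robust, portable:  $(available_robust "$SAMPLE_DF_PORTABLE" /)"
echo "live df -P -k /:   $(available_kb /)"
```

Mount points containing spaces still defeat both parsers; for those, query one path at a time with df -P -k and read the single data line, as available_kb does.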
JP Rosevear wrote:
On Thu, 2007-02-08 at 22:35 +0100, Marcus Meissner wrote:
On Thu, Feb 08, 2007 at 10:25:23PM +0100, Alberto Passalacqua wrote:
Thinking about possible improvements for 10.3, I thought it would be nice to have this bug solved.
https://bugzilla.novell.com/show_bug.cgi?id=243809
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool. Just put the respective network interface into the Internal Zone, it has all ports opened by default.
This isn't very intuitive for most users. Better would be to finish the packages-can-open-ports bug and the samba-needs-a-narrower-range-of-ports bug. Might also be an idea to trigger the firewall changes for nautilus and konqueror.
-JP
The problem is that all the shares are visible when added to the internal zone, but the passwords do not get accepted. No matter what you do, no password will ever give access to the suse-shares. No password will tell you: the folder does not exist.
--
Have a nice day, M9.
Now, is the only time that exists.
OS: Linux 2.6.18.2-34-default x86_64
Current user: monkey9@tribal-sfn2
System: openSUSE 10.2 (X86-64)
KDE: 3.5.5 "release 45"
M9. wrote:
JP Rosevear wrote:
On Thu, Feb 08, 2007 at 10:25:23PM +0100, Alberto Passalacqua wrote:
Thinking about possible improvements for 10.3, I thought it would be nice to have this bug solved.
https://bugzilla.novell.com/show_bug.cgi?id=243809
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool.
On Thu, 2007-02-08 at 22:35 +0100, Marcus Meissner wrote:
Just put the respective network interface into the Internal Zone, it has all ports opened by default.
This isn't very intuitive for most users. Better would be to finish the packages-can-open-ports bug and the samba-needs-a-narrower-range-of-ports bug. Might also be an idea to trigger the firewall changes for nautilus and konqueror.
-JP
The problem is that all the shares are visible when added to the internal zone, but the passwords do not get accepted. No matter what you do, no password will ever give access to the suse-shares. No password will tell you: the folder does not exist.
Sorry, after some reconfig, the data reset. From shared source, it went to owner again (automatically). But when guest logon is permitted, the shares are accessible. :-)
--
Have a nice day, M9.
On Thu, 08/02/2007 at 22:35 +0100, Marcus Meissner wrote:
Just put the respective network interface into the Internal Zone, it has all ports opened by default.
I don't think this is a real solution. Many users have one network card only, which means they would have all ports opened. Probably a samba specific setting of the firewall, activated by the Yast samba module, would be better.
Regards, Alberto
On Thu, Feb 08, 2007 at 11:38:21PM +0100, Alberto Passalacqua wrote:
On Thu, 08/02/2007 at 22:35 +0100, Marcus Meissner wrote:
Just put the respective network interface into the Internal Zone, it has all ports opened by default.
I don't think this is a real solution. Many users have one network card only, which means they would have all ports opened.
Probably a samba specific setting of the firewall, activated by the Yast samba module, would be better.
It currently would need to open the firewall fully to actually work in this case, because the broadcast sending port cannot be determined beforehand.
Ciao, Marcus
Just to conclude, the bug is (not) fixed (and won't be): https://bugzilla.novell.com/show_bug.cgi?id=243809
When Novell stops giving non-answers, it will be a nice day.
Thanks and regards
On Fri, Feb 09, 2007 at 02:04:02PM +0100, Alberto Passalacqua wrote:
Just to conclude, the bug is (not) fixed (and won't be):
https://bugzilla.novell.com/show_bug.cgi?id=243809
When Novell stops giving non-answers, it will be a nice day.
The rule quoted there effectively opens your whole firewall. What is the point?
Ciao, Marcus
On 09-02-2007 at 15:08, Marcus Meissner wrote:
On Fri, Feb 09, 2007 at 02:04:02PM +0100, Alberto Passalacqua wrote:
Just to conclude, the bug is (not) fixed (and won't be): https://bugzilla.novell.com/show_bug.cgi?id=243809
When Novell stops giving non-answers, it will be a nice day.
The rule quoted there effectively opens your whole firewall.
What is the point?
Ciao, Marcus
I think for that issue it would be nice to have Network Manager extended. +: having different rule sets of ports being allowed and disallowed. I could bind them to the SSID of a WLAN for example. Of course it is much more difficult to distinguish between different wired networks. Maybe a similar tool to NM just for the FW? Sitting in the tray and showing different firewall rule sets?
There are other use cases with similar problems like this. Samba is one tool creating a broadcast to find some services; Frozen Bubble for example goes the same direction if you want to create a LAN play. Users have to fiddle with their firewall configurations (or shut it down). So I think there MIGHT be some additional work required... most likely nothing trivial, to not open a huge hole.
Dominique
Marcus Meissner wrote:
On Fri, Feb 09, 2007 at 02:04:02PM +0100, Alberto Passalacqua wrote:
Just to conclude, the bug is (not) fixed (and won't be):
https://bugzilla.novell.com/show_bug.cgi?id=243809
When Novell stops giving non-answers, it will be a nice day.
The rule quoted there effectively opens your whole firewall.
What is the point?
Ciao, Marcus
This solution works. I have not been able to browse the network in a normal way since 10.0. With the interface like you said:
>> put the respective network interface into the Internal Zone, it has all ports opened by default.
This is possibly not the most elegant solution, but I thank you very much for this really simple workaround. ;-) Just had to put options to owner, and guest login permitted, to get rid of the login manager, which did not get me anywhere.
But now my 'home' (4 laptops and 2 desktops) is united again! Thanks a lot!
--
Have a nice day, M9.
On 09-02-2007 at 16:07, "M9." wrote:
I have not been able to browse the network in a normal way since 10.0. With the interface like you said:
>> put the respective network interface into the Internal Zone, it has all ports opened by default.
This is possibly not the most elegant solution, but I thank you very much for this really simple workaround. ;-) Just had to put options to owner, and guest login permitted, to get rid of the login manager, which did not get me anywhere.
I think with that setup you can as well also just disable the firewall, if you don't have more than one interface. For home usage, this might even be a valid use case, in case you trust your DSL router, which most likely already NATs you to the Internet.
Dominique
Dominique Leuenberger wrote:
On 09-02-2007 at 16:07, "M9." wrote:
I have not been able to browse the network in a normal way since 10.0. With the interface like you said: put the respective network interface into the Internal Zone, it has all ports opened by default. This is possibly not the most elegant solution, but I thank you very much for this really simple workaround. ;-) Just had to put options to owner, and guest login permitted, to get rid of the login manager, which did not get me anywhere.
I think with that setup you can as well also just disable the firewall, if you don't have more than one interface.
For home usage, this might even be a valid use case, in case you trust your DSL-Router, which most likely already NAT's you to the Internet.
Dominique
Yep, I will just use the router firewall again... ;-( I just do not understand why an essential part, such as a firewall, cannot be adjusted from the system tray.... It should warn me when unknown entries are at hand, so I can permit or decline entrance, once or enduringly.... I do not know if it should be a part of another app, such as a NetwMngr.. I would rather have a separate app, which shows me my ports and traffic, and permitted apps and hosts.....
--
Have a nice day, M9.
If you don't want to disable the firewall for ports lower than 1024, you could add the line I posted to the SuSEfirewall configuration, or use Yast -> System -> /etc/sysconfig editor. The line is:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,1024:65535,137:139 0/0,udp,1024:65535,137:139"
I'm using it with NM too on my laptop and it works. Of course not the best for security, but still better than having the firewall disabled altogether :-)
Regards, Alberto
This solution works.
I have not been able to browse the network in a normal way since 10.0. With the interface like you said:
>> put the respective network interface into the Internal Zone, it has all ports opened by default.
This is possibly not the most elegant solution, but I thank you very much for this really simple workaround. ;-) Just had to put options to owner, and guest login permitted, to get rid of the login manager, which did not get me anywhere.
But now my 'home' (4 laptops and 2 desktops) is united again!
Thanks a lot!
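Marcus' objection that the rule Alberto posted "effectively opens your whole firewall" comes down to the field order of a SuSEfirewall2 accept entry, net,protocol,dport,sport (my reading of the sysconfig documentation, stated here as an assumption): the 137:139 is the remote side's source port, which the remote host picks freely, so each entry accepts every unprivileged destination port from 0/0. The script below is an added example, not part of the thread or of SuSEfirewall2, that parses entries from a constructed FW_SERVICES_ACCEPT_EXT value and flags the ones that are wide open in that sense, so a sysconfig review can catch them before they reach a laptop that roams between networks.

```shell
#!/bin/sh
# Constructed FW_SERVICES_ACCEPT_EXT value: the first two entries are the rule
# posted in the thread, the third is a narrow rule added for comparison.
# Field order assumed: net,protocol[,dport[,sport]].
SAMPLE_RULES='0/0,tcp,1024:65535,137:139 0/0,udp,1024:65535,137:139 192.168.1.0/24,tcp,22'

# Number of ports a port spec covers: "lo:hi" -> hi-lo+1, a single port -> 1,
# and an empty spec -> all 65536 (no destination-port restriction at all).
port_span() {
  case "$1" in
    '')  echo 65536 ;;
    *:*) lo=${1%%:*}; hi=${1##*:}; echo $((hi - lo + 1)) ;;
    *)   echo 1 ;;
  esac
}

# Print one line per entry: "<entry> WIDE" when it accepts more than 1000
# destination ports from any source network (the sport field, being chosen by
# the remote peer, is not treated as a restriction), otherwise "<entry> narrow".
assess_rules() {   # $1 = space-separated FW_SERVICES_ACCEPT_EXT value
  for rule in $1; do                       # unquoted on purpose: split on spaces
    net=$(echo "$rule" | cut -d, -f1)
    dport=$(echo "$rule" | cut -d, -f3)    # empty when the entry has no dport
    span=$(port_span "$dport")
    if [ "$net" = "0/0" ] && [ "$span" -gt 1000 ]; then
      echo "$rule WIDE"
    else
      echo "$rule narrow"
    fi
  done
}

# Number of WIDE entries, so a config check can fail loudly on a non-zero count.
count_wide() {
  assess_rules "$1" | grep -c ' WIDE$' || true
}

# Usage: review the constructed value, then the live sysconfig file if present.
assess_rules "$SAMPLE_RULES"
echo "wide entries: $(count_wide "$SAMPLE_RULES")"
if [ -r /etc/sysconfig/SuSEfirewall2 ]; then
  live=$(sed -n 's/^FW_SERVICES_ACCEPT_EXT="\(.*\)"$/\1/p' /etc/sysconfig/SuSEfirewall2)
  echo "live wide entries: $(count_wide "$live")"
fi
```

The 1000-port threshold is arbitrary; what matters is that a destination range like 1024:65535 from 0/0 is reported whatever source port the entry names, because the source port is the one field an external peer controls.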
Alberto Passalacqua wrote:
If you don't want to disable the firewall for ports lower than 1024, you could add the line I posted to the SuSEfirewall configuration, or use Yast -> System -> /etc/sysconfig editor.
The line is:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,1024:65535,137:139 0/0,udp,1024:65535,137:139"
I'm using it with NM too on my laptop and it works. Of course not the best of security, but still better than having a disabled firewall at all :-)
Regards, Alberto
I will watch the 'danger', and if too big, make such adjustments... I do not understand why the logon does not work; if it did, there would not be a real problem. Somehow the passwords you enter are never right, why is that?
--
Have a nice day, M9.
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool.
Just put the respective network interface into the Internal Zone, it has all ports opened by default.
You can't be serious with that suggestion. Most computers have one network interface, so it's equivalent to "uninstall SuSEfirewall". The "internal" and "DMZ" interfaces are only useful when the box is a router, otherwise all interfaces are "external". Fix yast to open appropriate ports in the firewall config, as happens for any other service as well.
Volker
--
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
Volker Kuhlmann wrote:
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool. Just put the respective network interface into the Internal Zone, it has all ports opened by default.
You can't be serious with that suggestion. Most computers have one network interface, so it's equivalent to "uninstall SuSEfirewall". The "internal" and "DMZ" interfaces are only useful when the box is a router, otherwise all interfaces are "external". Fix yast to open appropriate ports in the firewall config, as happens for any other service as well.
Volker
I did not encounter 'real' attacks yet, but I also agree that this should be fixed properly: Why does the firewall not respond to the usernames and passwords? If it would, there would be no problem at all. Normally one should be able to verify, and get access..
--
Have a nice day, M9.
On Saturday, 10 February 2007 04:27, Volker Kuhlmann wrote:
It worked in 9.3 (if I remember right), and it's actually an obstacle for new users who try to configure samba, do that properly in Yast, but can't browse the local network even after selecting "Open firewall ports" in the Samba server yast tool.
Just put the respective network interface into the Internal Zone, it has all ports opened by default.
You can't be serious with that suggestion. Most computers have one network interface, so it's equivalent to "uninstall SuSEfirewall". The "internal" and "DMZ" interfaces are only useful when the box is a router, otherwise all interfaces are "external". Fix yast to open appropriate ports in the firewall config, as happens for any other service as well.
Ok, let's repeat the whole thing again. ;-)
Yes, putting the network interface into the Internal Zone basically means you switch off your firewall. But if we had a firewall rule that just opened all the ports we'd need to open to get SMB share browsing to work, the effect would be nearly the same.
It's as simple as that: Firewall on: No share browsing; firewall off: share browsing works, but less security.
The only secure solution would be an "intelligent" firewall, something similar to the "personal firewalls" on Windows. This is a long-term project, not something we can change in the current SuSEfirewall by just adding appropriate Samba rules.
Cheers
Joachim
--
Joachim Werner
participants (9)
- Alberto Passalacqua
- Dominique Leuenberger
- James Li
- Joachim Werner
- JP Rosevear
- Kevin Ivory
- M9.
- Marcus Meissner
- Volker Kuhlmann