When setting samba=yes in firewall.rc.config, udp-port 137:138 is open for the whole world. I want to close these ports. But when I set samba to "no" and open the TCP and UDP ports for samba only for my internal network, it doesn't work. Need help.
I think TCP is missing for data copying:
IPCHAINS -A input -j "$ACCEPT" -p TCP -d 0/0 137:138 $LAA
----- Original Message -----
From: office
To: suse-security@suse.de
Sent: Tuesday, April 17, 2001 12:03 PM
Subject: [suse-security] samba on firewall

Hello list!
Why doesn't samba on the firewall work without this rule???
IPCHAINS -A input -j "$ACCEPT" -p udp -d 0/0 137:138 $LAA
When appending this rule, everybody can send UDP packets to 137:138. I've tried to open tcp 135:139 and udp 135:139 only for the internal network but it doesn't work... clients can't use samba. Any hints?
yours B
When setting samba=yes in firewall.rc.config, udp-port 137:138 is open for the whole world. I want to close these ports. But when I set samba to "no" and open the TCP and UDP ports for samba only for my internal network, it doesn't work.
You can configure samba to listen only on the internal interface. Another thing is that you need port 139 (TCP+UDP?), too.
hth Markus
--
Markus Gaugusch  ICQ 11374583  markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
On Tue, Apr 17, 2001 at 13:00 +0200, Markus Gaugusch wrote:
you can configure samba to listen only on the internal interface.
Oh? How so? Not to sound too stupid: I'm well aware of the "interfaces" and "bind interfaces only" settings in /etc/smb.conf. But in my experience Samba doesn't care about the administrator's wishes in this very respect. By no means could I get it to stop listening on "*". And yes, I'm sick of Samba needing "localhost" and "127.0.0.1" for no valid / plausible(id?) reasons. There's too much implicit thinking in the design and concept, sold as "features" for the administrators "simply expecting the software to run without any further and most of all consistent configuration" ...

BTW: no, I wouldn't run Samba on a router / filtering machine, nor would I try to do Samba with external partners without some tunnel. So I don't want to support the original question. :) Instead I would suggest a different mechanism. Unless this is some internal router between in-house departments, but why would it filter at all when leaving holes for Samba?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
On Tue, Apr 17, 2001 at 13:00 +0200, Markus Gaugusch wrote:
you can configure samba to listen only on the internal interface.
Oh? How so?
If I am not mistaken, there is a setting in smb.conf to do so:
hosts allow = x.x.x.x/x
in the same format as the "interfaces" setting; however, in this case, it is restricting what hosts are allowed to connect to it. With this, one should be able to restrict connections to those originating from systems in one's local network, if so desired.
patrick h.
On Tue, Apr 17, 2001 at 13:00 +0200, Markus Gaugusch wrote:
you can configure samba to listen only on the internal interface.
Oh? How so?
if i am not mistaken, there is a setting in smb.conf to do so:
hosts allow = x.x.x.x/x
This has nothing to do with configuring samba to listen on internal interfaces only. This just limits which hosts can connect. man smb.conf gives a very large but useful collection of information: in smb.conf put
interfaces = your.internal.ip.no/your.internal.net.mask (e.g. 192.168.1.1/255.255.255.0 or 192.168.1.1/24)
bind interfaces only = yes
This will cause smbd to listen only on your internal interface. Nmbd will bind on your internal interface and 0.0.0.0 (to listen for broadcasts), but will only serve requests from the same broadcast domain as your internal interface. Further, you only need to allow FW_SERVICES_INTERNAL_TCP = 139 and FW_SERVICES_INTERNAL_UDP = 137:138; you don't need to use FW_SERVICE_SAMBA.
in the same format as the "interfaces" setting, however, in this case, it is restricting what hosts are allowed to connect to it. with this, one should be able to restrict connections to those originating from systems in one's local network, if so desired.
hth Stefan
On Wed, Apr 18, 2001 at 15:56 +0200, Stefan Suurmeijer wrote:
On Tue, Apr 17, 2001 at 13:00 +0200, Markus Gaugusch wrote:
you can configure samba to listen only on the internal interface.
[ ... snip ... ]
Man smb.conf gives a very large but useful collection of information: in smb.conf put
interfaces = your.internal.ip.no/your.internal.net.mask (e.g. 192.168.1.1/255.255.255.0 or 192.168.1.1/24)
bind interfaces only = yes
this will cause smbd to listen only on your internal interface.
That's what made me write "I'm aware of these settings". :) But I always experienced netstat results like this:
$ netstat -an | grep :13
tcp        0      0 192.168.11.129:139      0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 192.168.11.129:137      0.0.0.0:*
udp        0      0 192.168.11.129:138      0.0.0.0:*
Which I couldn't explain, since I specifically told smbd to use the NIF address only. And I understood that nmbd would read and use the same config file.
Nmbd will bind on your internal interface and 0.0.0.0 (to listen for broadcasts), [ ... ]
That's the background I missed all the time! Thank you for making this clear. I almost guess one should stick the Message-ID somewhere since by next week (at maximum) the question will rise again about Samba ... :>

OT: Is there some place I can read more about the SMB protocol and its NetBEUI transport? AFAIR RFC1001 and RFC1002 are specific to NBT. Searching for libsmb seems to give no (alive) hits. And everybody's talking about the original IBM TechRef which appeared in several editions in the early eighties, but I couldn't get my hands on a copy. Should I UTSL of smb-tcpdump or some related programs?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
What you'll want to do is only open it up for your internal interface, and not to the world. You'll want to add something like this in:
ipchains -A input -p tcp -s <localnet> -d <int-if-ip> 137:139 -i <int-if> -j ACCEPT
ipchains -A input -p udp -s <localnet> -d <int-if-ip> 137:139 -i <int-if> -j ACCEPT
Where <localnet> would look something like '192.168.0.0/24'
Where <int-if-ip> would be the internal IP of the firewall, such as '192.168.0.1/32'
Where <int-if> is the internal interface, such as 'eth1'

HTH,
Some guy working for some ISP.

"Failure is not an option, it comes pre-installed with your Windoze software..." -Unknown
"He who fights with monsters should look to it that he himself does not become a monster... when you gaze long into the abyss the abyss also gazes into you." -Friedrich Nietzsche

-----Original Message-----
From: office [mailto:office@tride.net]
Sent: Tuesday, April 17, 2001 3:58 AM
To: suse-security@suse.com
Subject: [suse-security] Re: samba on firewall

When setting samba=yes in firewall.rc.config, udp-port 137:138 is open for the whole world. I want to close these ports. But when I set samba to "no" and open the TCP and UDP ports for samba only for my internal network, it doesn't work. Need help.
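As an added example (not code from any poster in this thread), the script below ties together Stefan's smb.conf settings, Gerhard's netstat check and Magus's ipchains rules. The interface name eth1, the addresses 192.168.1.0/24, 192.168.1.1 and 192.168.1.255, and the netstat excerpt are constructed assumptions for the example. It goes one step beyond the thread in two places: it also accepts UDP 137:138 sent to the subnet broadcast address, which NetBIOS name queries and browse announcements use and which a rule matching only the firewall's own IP would never see, and it closes the ports from everywhere else with logged DENY rules so the world-open FW_SERVICE_SAMBA rule is not needed.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): bind Samba to the
# internal interface, audit what it actually listens on, and restrict the
# NetBIOS/SMB ports with ipchains. All addresses and names below are
# constructed assumptions, not values from the thread.
INT_IF="${INT_IF:-eth1}"                 # internal NIC
INT_IP="${INT_IP:-192.168.1.1}"          # firewall's internal address
INT_MASK="${INT_MASK:-255.255.255.0}"    # its netmask (Samba notation)
INT_NET="${INT_NET:-192.168.1.0/24}"     # internal network (ipchains notation)
INT_BCAST="${INT_BCAST:-192.168.1.255}"  # subnet broadcast address
# DRY_RUN=1 only prints the ipchains commands; DRY_RUN=0 executes them
# (needs root and an ipchains-era 2.2 kernel).
DRY_RUN="${DRY_RUN:-1}"

# Constructed "netstat -an | grep :13" excerpt, modelled on the one Gerhard
# posted: smbd on the internal address only, nmbd on 0.0.0.0 as well.
SAMPLE_NETSTAT='tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 192.168.1.1:137         0.0.0.0:*
udp        0      0 192.168.1.1:138         0.0.0.0:*'

# Write the smb.conf [global] settings from Stefan's reply to the file $1.
# hosts allow is a second line of defence in case a socket is still reachable
# from outside; 127.0.0.1 is always allowed by Samba unless explicitly denied.
write_smb_conf_fragment() {
    cat > "$1" <<EOF
[global]
    interfaces = $INT_IP/$INT_MASK
    bind interfaces only = yes
    hosts allow = ${INT_NET%/*}/$INT_MASK
EOF
}

# Print "proto port" for every socket on ports 137-139 that is bound to the
# wildcard address, reading "netstat -an" output from stdin.
wildcard_netbios_sockets() {
    awk '$1 == "tcp" || $1 == "udp" {
        split($4, a, ":")
        if (a[1] == "0.0.0.0" && a[2] + 0 >= 137 && a[2] + 0 <= 139) print $1, a[2]
    }'
}

# Succeed (exit 0) when smbd's tcp/139 is not on 0.0.0.0. udp 137/138 on
# 0.0.0.0 are expected: that is nmbd's broadcast socket, as Stefan explains.
smbd_bound_internal_only() {
    ! wildcard_netbios_sockets | grep -q '^tcp 139$'
}

# Print or run an ipchains command, depending on DRY_RUN.
ipchains_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

# Magus's rules, plus the broadcast case the thread does not spell out (name
# queries and browse announcements go to the subnet broadcast address on
# udp 137/138), and a logged (-l) DENY for everything else to 137-139.
apply_samba_rules() {
    ipchains_cmd -A input -p tcp -s "$INT_NET" -d "$INT_IP/32" 139 -i "$INT_IF" -j ACCEPT
    ipchains_cmd -A input -p udp -s "$INT_NET" -d "$INT_IP/32" 137:138 -i "$INT_IF" -j ACCEPT
    ipchains_cmd -A input -p udp -s "$INT_NET" -d "$INT_BCAST/32" 137:138 -i "$INT_IF" -j ACCEPT
    ipchains_cmd -A input -p tcp -d 0/0 137:139 -l -j DENY
    ipchains_cmd -A input -p udp -d 0/0 137:139 -l -j DENY
}

# Stand-alone run: audit the sample output, then show the rules (dry run).
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_netbios_sockets
apply_samba_rules
```

Run it once with the default DRY_RUN=1 and feed real `netstat -an` output into `wildcard_netbios_sockets` to confirm that only the nmbd udp sockets show up on 0.0.0.0; a `tcp 139` line there means `bind interfaces only` did not take effect and the ipchains DENY rules are all that stands between the world and smbd.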
participants (6)
- Gerhard Sittig
- Magus Ba'al
- Markus Gaugusch
- office
- patrick hurley
- Stefan Suurmeijer