Firewall-problems for SAMBA...
Hi guys,

I have my Linux PC running Samba server, which works very well, but NOT when my firewall is running. I'm getting the following error message from the firewall when I try to connect to my Samba PC:

Jan 13 20:53:38 Linuxserver kernel: SFW2-DROP-BCASTe IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:8b:d3:96:08:00 SRC=192.168.1.104 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=547 PROTO=UDP SPT=137 DPT=137 LEN=58

I got the following lines in my /etc/sysconfig/

FW_SERVICES_EXT_TCP="5801 5901 http https imap imaps microsoft-ds netbios-dgm netbios-ns netbios-ssn pop3 pop3s rsync smtp ssh 137 138 139 411 445 465 990 1344 5678 5679 7080 7081"
FW_SERVICES_EXT_UDP="137 138 139 411 445 465 990 1344 5678 5679 7080 7081 isakmp"

Does somebody know what's happening or how to debug this?

Greets,
Franky.

--
GOETHALS Franky
Driegaaienstraat 104
B-9100 SINT-NIKLAAS
BELGIUM
Responsible for MVS Support at Euroclear Bank
Secretary, GSE Z/OS Systems Working Group
Private purposes & GSE Workgroup:
Tel.: 32 - (0)3 / 776.65.17
GSM: 32 - (0)473 / 98.90.24
Mail & MSN: franky.goethals@telenet.be
http://gsezos.dyns.cx
Professional purposes:
Tel. work: 32 - (0)2 / 224.15.92
Mail work: goethals_franky@euroclear.com
http://www.euroclear.com
Franky Goethals wrote:
I'm getting the following error message from the firewall when I try to connect to my Samba PC:
Jan 13 20:53:38 Linuxserver kernel: SFW2-DROP-BCASTe IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:8b:d3:96:08:00 SRC=192.168.1.104 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=547 PROTO=UDP SPT=137 DPT=137 LEN=58
Notice, this is dropping the broadcast address, 192.168.1.255. Try checking #22 in /etc/sysconfig/SuSEfirewall2.
I got the following lines in my /etc/sysconfig/
I will assume a typo here.
FW_SERVICES_EXT_TCP="5801 5901 http https imap imaps microsoft-ds netbios-dgm netbios-ns netbios-ssn pop3 pop3s rsync smtp ssh 137 138 139 411 445 465 990 1344 5678 5679 7080 7081"
FW_SERVICES_EXT_UDP="137 138 139 411 445 465 990 1344 5678 5679 7080 7081 isakmp"
Are you sure you want samba (and all the rest of this) open on your external interface? BTW, for samba you only need udp 137 138 and tcp 139 (optionally 445 for w2k & xp).
Does somebody know what's happening or how to debug this?
It is dropping the broadcast, perhaps to register with the NetBIOS name server. This should not cause it to fail to work. More info is needed about your network topology to really figure this out.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
On Thursday, January 13, 2005 04:57 pm, Joe Morris (NTM) wrote:
Does somebody know what's happening or how to debug this?
It is dropping the broadcast, perhaps to register with the NetBIOS name server. This should not cause it to fail to work. More info is needed about your network topology to really figure this out.
Joe,

In addition to the four ports you mentioned, Samba needs to be able to access the network broadcast address for network browsing, browse elections, etc. to work. The SuSE firewall2 by default blocks these broadcast packets on the external interface.

As I posted a few days ago, the following settings using the /etc/sysconfig editor on a single-NIC SuSE 9.2 Pro system enable full Samba functionality:

FW_SERVICES_EXT_TCP = microsoft-ds netbios-dgm netbios-ns netbios-ssn
FW_SERVICES_EXT_UDP = netbios-dgm netbios-ns
FW_ALLOW_INCOMING_HIGHPORTS_TCP = netbios-ns microsoft-ds
FW_ALLOW_INCOMING_HIGHPORTS_UDP = netbios-ns microsoft-ds
FW_ALLOW_FW_BROADCAST = yes

(note that there may be other ports listed as well)

You can also use port numbers instead of the service names from /etc/services; the table below will give you the conversions:

Service Name    Port Number
microsoft-ds    445
netbios-dgm     138
netbios-ns      137
netbios-ssn     139

Best regards,
Mark

--
L. Mark Stone
Reliable Networks of Maine LLC
"We manage your network so you can manage your business."
477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com
L. Mark Stone wrote:
In addition to the four ports you mentioned, Samba needs to be able to access the network broadcast address for network browsing, browse elections, etc. to work. The SuSE firewall2 by default blocks these broadcast packets on the external interface.
I had mentioned the broadcast option in /etc/sysconfig/SuSEfirewall2, i.e.
Notice, this is dropping the broadcast address, 192.168.1.255. Try checking #22 in /etc/sysconfig/SuSEfirewall2.
As I posted a few days ago, the following settings using the /etc/sysconfig editor on a single-NIC SuSE 9.2 Pro system enable full Samba functionality:
FW_SERVICES_EXT_TCP = microsoft-ds netbios-dgm netbios-ns netbios-ssn
I prefer port numbers myself, but unless things have changed you do not need tcp 137 and 138 open, only 139 and 445 (and even xp will still work without 445, but MS prefers it to be open).
FW_SERVICES_EXT_UDP = netbios-dgm netbios-ns
Correct.
FW_ALLOW_INCOMING_HIGHPORTS_TCP = netbios-ns microsoft-ds
FW_ALLOW_INCOMING_HIGHPORTS_UDP = netbios-ns microsoft-ds
137 and 445 are not highports. Highports are >1023.
FW_ALLOW_FW_BROADCAST = yes
This one (#22 in the config file) may be the OP's problem.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
On Friday, January 14, 2005 09:53 am, Joe Morris (NTM) wrote:
FW_ALLOW_INCOMING_HIGHPORTS_TCP = netbios-ns microsoft-ds
FW_ALLOW_INCOMING_HIGHPORTS_UDP = netbios-ns microsoft-ds
137 and 445 are not highports. Highports are >1023.
Joe,

Unset these two and watch the logs; you'll see why you need to set these.

Sorry I missed your comment about allowing broadcasts.

Best regards,
Mark

--
L. Mark Stone
Reliable Networks of Maine LLC
"We manage your network so you can manage your business."
477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com
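The triage Joe does by eye above (is DST the subnet broadcast address, and which port/protocol was dropped?) can be scripted against SuSEfirewall2's SFW2 log lines. The following is an added example, not code from any poster or from SuSEfirewall2 itself; it assumes the caller supplies the subnet broadcast address, and its port-to-service mapping is the one from Mark's table.

```sh
# Added example, not from the thread: triage a SuSEfirewall2 (SFW2) kernel log
# line and name the /etc/sysconfig/SuSEfirewall2 setting that governs the drop.
# The subnet broadcast address is passed in by the caller (the thread's is 192.168.1.255).

# Print the value of the KEY=VALUE field named $2 in log line $1 (empty if absent).
sfw2_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Service name for the four Samba ports, as tabulated in the thread.
samba_service() {
    case $1 in
        137) echo netbios-ns ;;   138) echo netbios-dgm ;;
        139) echo netbios-ssn ;;  445) echo microsoft-ds ;;
        *)   echo "port-$1" ;;
    esac
}

# Usage: sfw2_classify LINE BROADCAST_ADDR
# Prints "broadcast proto/port" if the dropped packet went to the subnet broadcast
# address, "unicast proto/port" otherwise, or "not-a-drop" for any other line.
sfw2_classify() {
    line=$1; bcast=$2
    case $line in
        *SFW2-*DROP*) ;;
        *) echo "not-a-drop"; return 0 ;;
    esac
    dst=$(sfw2_field "$line" DST)
    proto=$(sfw2_field "$line" PROTO | tr '[:upper:]' '[:lower:]')
    dpt=$(sfw2_field "$line" DPT)
    if [ "$dst" = "$bcast" ]; then echo "broadcast $proto/$dpt"
    else echo "unicast $proto/$dpt"; fi
}

# Usage: sfw2_hint LINE BROADCAST_ADDR
# Broadcast drops are governed by FW_ALLOW_FW_BROADCAST (#22 in the config file);
# unicast drops by the per-protocol FW_SERVICES_EXT_* service list.
sfw2_hint() {
    verdict=$(sfw2_classify "$1" "$2")
    port=${verdict##*/}
    case $verdict in
        broadcast*)     echo "FW_ALLOW_FW_BROADCAST=yes" ;;
        "unicast udp"*) echo "FW_SERVICES_EXT_UDP += $(samba_service "$port")" ;;
        "unicast tcp"*) echo "FW_SERVICES_EXT_TCP += $(samba_service "$port")" ;;
        *)              echo "no firewall change indicated" ;;
    esac
}
```

Feeding the OP's log line through `sfw2_hint "$line" 192.168.1.255` points at FW_ALLOW_FW_BROADCAST, which is the setting Joe and Mark converge on.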