Mailinglist Archive: opensuse (2803 mails)
Re: [opensuse] Firewall & UDP [ERRATA]
- From: Rui Santos <rsantos@xxxxxxxxxxxxx>
- Date: Fri, 11 Jul 2008 14:23:36 +0100
- Message-id: <48775ED8.6030300@xxxxxxxxxxxxx>
Rui Santos wrote:
It should be port 137 instead of 127. Bad typo... sorry...
--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
Koenraad Lelong wrote:
Rui Santos schreef:
Great... That was what I anticipated in my first email...
Koenraad Lelong wrote:
Rui Santos schreef:
This is also what I stated. What I asked you to confirm is whether the response from the samba-server has a specific source port, shown in the firewall log as SPT.
Koenraad Lelong wrote:...
Hi,
Correct me if I am wrong. Check your firewall log... If I remember correctly, although your squid machine initiates the connection on a semi-random port, the samba server replies to it with a specific source port. If so, you can add a custom rule allowing all connections from that specific source port and from the samba server.
It's a random port from the squid/firewall machine that goes to port 137 (I checked) on the samba-server and the response is blocked/dropped.
So, you have to look in your firewall log for something like SRC=<samba-server IP> PROTO=UDP SPT=<specific port>
Jul 9 15:21:06 lace3 kernel: SFW2-INint-DROP-DEFLT IN=bond0 OUT= MAC=00:1e:0b:bd:d3:62:00:0f:3d:f3:09:dd:08:00 SRC=192.168.0.4 DST=192.168.0.5 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1220 LEN=70
That's what I checked. SRC=samba-server DST=squid.
Now you have two options:
1) Use Yast -> Security and Users -> Firewall -> Custom Rules -> Firewall Zone: Internal -> Add a source 192.168.0.4 with UDP protocol with source port 137.
2) Place
FW_SERVICES_ACCEPT_INT="192.168.0.4,udp,,137"
into /etc/sysconfig/SuSEfirewall2 and restart your SuSE firewall with
rcSuSEfirewall2 restart
It should be port 137 instead of 127. Bad typo... sorry...
Hope it helps...
Rui
If you still cannot advance, please continue with showing the firewall log file. There has to be a solution...
I'll have to check how I can make such a custom rule. Never done this before.
Thanks.
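The workflow in the thread is: read the SFW2 drop line, note SRC/PROTO/SPT, and write the narrowest FW_SERVICES_ACCEPT_INT entry that lets that reply in. The following is an added example, not code from the thread or from SuSEfirewall2 itself; it parses the quoted log line, derives the entry, and checks which entries would cover the packet. The entry format "net,proto[,dport[,sport]]" with empty fields meaning "any" is assumed from the example in the thread; "0/0" is treated as "any host" and CIDR networks are accepted.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample: the SuSEfirewall2 drop line quoted in the thread.
SAMPLE_LOG = ("Jul 9 15:21:06 lace3 kernel: SFW2-INint-DROP-DEFLT IN=bond0 OUT= "
              "MAC=00:1e:0b:bd:d3:62:00:0f:3d:f3:09:dd:08:00 SRC=192.168.0.4 "
              "DST=192.168.0.5 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
              "PROTO=UDP SPT=137 DPT=1220 LEN=70")

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_sfw2_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an SFW2 kernel log line, or None if it is not one."""
    m = re.search(r"SFW2-(\S+)\s+(.*)$", line)
    if not m:
        return None
    fields = {"CHAIN": m.group(1)}           # e.g. INint-DROP-DEFLT
    for key, value in FIELD_RE.findall(m.group(2)):
        fields.setdefault(key, value)        # keep the first LEN (IP total length)
    return fields


def accept_entry_for(fields: Dict[str, str]) -> str:
    """Narrowest FW_SERVICES_ACCEPT_INT entry for this reply: the sending host,
    its protocol, any destination port, and the fixed source port it answered from."""
    return f"{fields['SRC']},{fields['PROTO'].lower()},,{fields['SPT']}"


def _net_contains(net: str, src: str) -> bool:
    if net == "0/0":                         # SuSEfirewall2 shorthand for "any host"
        return True
    return ipaddress.ip_address(src) in ipaddress.ip_network(net, strict=False)


def entry_matches(entry: str, fields: Dict[str, str]) -> bool:
    """Would an entry 'net,proto[,dport[,sport]]' accept the logged packet?
    An empty dport or sport means 'any'."""
    net, proto, dport, sport = (entry.split(",") + ["", ""])[:4]
    if not _net_contains(net, fields["SRC"]):
        return False
    if proto.lower() != fields.get("PROTO", "").lower():
        return False
    if dport and dport != fields.get("DPT"):
        return False
    if sport and sport != fields.get("SPT"):
        return False
    return True


if __name__ == "__main__":
    f = parse_sfw2_line(SAMPLE_LOG)
    print('FW_SERVICES_ACCEPT_INT="%s"' % accept_entry_for(f))
```

The derived entry admits only UDP from 192.168.0.4 with source port 137, so the NetBIOS name-service reply gets through without opening port 137 to the whole internal zone.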