Can you give us a closer look at your rules concerning ports 135:139 than your overview? Maybe something is missing there. Is logging enabled on your firewall? And if so, can you show us the rejected packets when you're trying to connect with a Samba client?
Regards
Ralf
The only DENY looks like this:
Packet log: input DENY eth1 PROTO=17 200.1.1.1:138 200.1.1.255:138 L=241 S=0x00 I=0 F=0x4000 T=64 (#6)
200.1.1.1 is my Samba host. There are no denies from any of the clients' IPs.
The first rules are:
ACCEPT udp ------ 200.1.1.0/24 200.1.1.1 * -> 137:139
ACCEPT udp ------ 0.0.0.0/0 200.1.1.1 * -> 135:139
ACCEPT tcp -y--l- 0.0.0.0/0 200.1.1.1 * -> 135:139
This doesn't work...
Only when adding this rule:
ACCEPT udp ---- 0.0.0.0/0 0.0.0.0/0 * -> 137:139
does everything work, but then UDP ports 137:139 are open to the world!
Anybody need more information?
Correct me if I'm wrong, but don't you need the broadcast address 200.1.1.255 for the UDP ports? Try opening up only this address for ports 137 and 138 and everything should work. (Not tested; actually I'm out of reach of a system to test it.)
HTH
Ralf
* * Ralf 'coko' Koch * mailto:info@formel4.de * --- Windows-Error: Mouse not found - A mouse driver hasn't been installed. Please click the left mouse button to continue.
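To make office's problem and Ralf's suggestion concrete, here is an added example in Python; it is not code from the thread or from the Samba or ipchains projects. It parses the logged DENY entry, models the posted ipchains rules as first-match rules with a DENY policy, and evaluates three rule sets against constructed traffic: the rules as posted, the world-open workaround, and a LAN-only rule for the subnet broadcast. The client address 200.1.1.20, the Internet address 198.51.100.7 and the sample packets are assumptions made for the example, and the -y/-l flags on the posted tcp rule are not modelled.

```python
import ipaddress
import re

# Constructed input: the one DENY entry office posted, in the Linux 2.2 ipchains log format.
LOG_LINE = ("Packet log: input DENY eth1 PROTO=17 200.1.1.1:138 200.1.1.255:138 "
            "L=241 S=0x00 I=0 F=0x4000 T=64 (#6)")

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_log(line):
    """Pull chain, verdict, interface, protocol and both endpoints out of a log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line: %r" % line)
    return {"chain": m["chain"], "verdict": m["verdict"], "iface": m["iface"],
            "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}


def packet(proto, src, dst, dport, sport=0):
    """Constructed packet in the same shape parse_log() returns."""
    return {"chain": "input", "verdict": None, "iface": "eth1", "proto": proto,
            "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


def rule(target, proto, src, dst, dports):
    """Simplified ipchains rule: protocol, source net, destination net, dest port range.
    The -y (SYN only) and -l (log) flags on the posted tcp rule are ignored here."""
    lo, hi = dports if isinstance(dports, tuple) else (dports, dports)
    return {"target": target, "proto": proto, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "dports": (lo, hi)}


def evaluate(rules, pkt, policy="DENY"):
    """First matching rule decides, as in ipchains; no match falls through to the policy."""
    for r in rules:
        lo, hi = r["dports"]
        if (r["proto"] == pkt["proto"] and pkt["src"] in r["src"]
                and pkt["dst"] in r["dst"] and lo <= pkt["dport"] <= hi):
            return r["target"]
    return policy


def to_ipchains(r, chain="input", iface="eth1"):
    """Render a rule as the ipchains command that would add it."""
    lo, hi = r["dports"]
    ports = str(lo) if lo == hi else "%d:%d" % (lo, hi)
    return "ipchains -A %s -i %s -p %s -s %s -d %s %s -j %s" % (
        chain, iface, r["proto"], r["src"], r["dst"], ports, r["target"])


# The three ACCEPT rules office listed: every one names 200.1.1.1 as destination,
# so nothing sent to the subnet broadcast 200.1.1.255 can match them.
ORIGINAL = [
    rule("ACCEPT", "udp", "200.1.1.0/24", "200.1.1.1", (137, 139)),
    rule("ACCEPT", "udp", "0.0.0.0/0", "200.1.1.1", (135, 139)),
    rule("ACCEPT", "tcp", "0.0.0.0/0", "200.1.1.1", (135, 139)),
]
# The workaround that made things "work": NetBIOS over UDP from anywhere to anywhere.
WORLD_OPEN = ORIGINAL + [rule("ACCEPT", "udp", "0.0.0.0/0", "0.0.0.0/0", (137, 139))]
# Ralf's suggestion: accept the broadcast address for name service (137) and
# datagram service (138), and only from the LAN.
LAN_BCAST = ORIGINAL + [rule("ACCEPT", "udp", "200.1.1.0/24", "200.1.1.255", (137, 138))]

# Constructed traffic; 198.51.100.7 stands in for an arbitrary Internet host.
SAMPLES = {
    "logged_bcast": parse_log(LOG_LINE),
    "lan_name_query": packet("udp", "200.1.1.20", "200.1.1.255", 137, 137),
    "lan_session": packet("tcp", "200.1.1.20", "200.1.1.1", 139, 1025),
    "internet_bcast": packet("udp", "198.51.100.7", "200.1.1.255", 137, 137),
    "internet_unicast": packet("udp", "198.51.100.7", "200.1.1.1", 137, 137),
}


def verdicts(rules):
    """Verdict of a rule set for every sample packet, keyed by sample name."""
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("world open", WORLD_OPEN),
                         ("LAN bcast", LAN_BCAST)):
        print("%-10s %s" % (label, verdicts(rules)))
    print(to_ipchains(LAN_BCAST[-1]))
```

Running it shows why the posted rules cannot admit the logged packet (all three have 200.1.1.1 as destination), that the world-open rule accepts NetBIOS from any source to any address, and that the LAN-only broadcast rule accepts the logged packet and the clients' name queries while still denying 198.51.100.7. It also makes visible what the posted second and third rules already say: 135:139 to the host address itself is accepted from 0.0.0.0/0, which is a separate decision from the broadcast question.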
On Tue, Apr 17, 2001 at 14:08 +0100, Ralf Koch wrote:
> Correct me if I'm wrong, but don't you need the broadcast address 200.1.1.255 for the udp ports?
Only if you facilitate bcast announcements. You'd better use a WINS server (in any LAN). And I'm not sure if there's any point in pushing broadcasts over routers (isn't it contrary to their design?). Proxy ARP might be an exception, but I consider it a hack. :)
> Windows-Error: Mouse not found - A mouse driver hasn't been installed. Please click the left mouse button to continue.
OT: How is this a joke when BIOSes tell you to "press F1" when there's a keyboard error? :>
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
According to his DENY logging, I assumed he started Samba with "wins support = yes". As I understood his network topology, he (or she? I don't know what B and office stand for) runs a small network with only one server inside: the samba-firewall-wins-and-even-more server. BTW: What is so awful about running Samba on the one and only server in a small network with a dial-up connection to the Internet, where this server acts as a firewall too? Thinking of a network with, let's say, 2 or 3 Win clients and a dial-up connection, wouldn't it be oversized to run 2 servers or even 3 (DMZ) to provide basic SMTP, Samba and masqueraded HTTP/FTP services for this network?
Regards
Ralf
* * Ralf 'coko' Koch * mailto:info@formel4.de * --- Hiroshima 45, Tchernobyl 86, Windows 2000
participants (3): Gerhard Sittig, office, Ralf Koch