RE: Re: [suse-security] Re: Samba on firewall
I had the same problem and resolved it with this:

Created a variable in firewall.rc.config:

    FW_SERVICE_SAMBA=no
    FW_SERVICE_INT_SAMBA=yes    # Allow samba only on the internal interface

And changed SuSEfirewall:

    #########################
    # Special SAMBA support #
    #########################
    test "$FW_SERVICE_SAMBA" = yes && {
        # baah, these samba rules look evil!
        $IPCHAINS -A input -j "$ACCEPT" -p udp -d 0/0 137:138 $LAA
    }
    test "$FW_SERVICE_INT_SAMBA" = yes && {
        for j in $FW_DEV_INT; do
            $IPCHAINS -A input -j "$ACCEPT" -p udp -s $DEV_INT -d $DEV_INT_NET 138 -i $j $LAA
            $IPCHAINS -A input -j "$ACCEPT" -p udp -s $DEV_INT -d $DEV_INT_NET 137 -i $j $LAA
        done
    }

What are the other ports (135,136,139) used for? In here I don't have any denied packets.

Carlos Costa e Silva

PS. I just rechecked (rediffed), and these are the only changes that I made to SuSEfirewall. I also have FW_PROTECT_FROM_INTERNAL="no", so maybe you should try whether it works with these settings and then see what is not working.
-----Original Message-----
From: info@formel4.de [mailto:info@formel4.de]
Sent: Tuesday, 17 April 2001 13:21
To: suse-security@suse.com; info@formel4.de
Subject: Re: [suse-security] Re: Samba on firewall
Can you give us a closer look at your rules concerning ports 135:139 than your overview? Maybe something is missing there. Is logging enabled on your firewall? And if so, can you show us the rejected packets when you're trying to connect with a samba client?
Regards
Ralf
When setting samba=yes in firewall.rc.config, UDP ports 137:138 are open to the whole world. I want to close these ports. But when I set samba to "no" and open the TCP and UDP ports for samba only for my internal network, it doesn't work.
You can configure samba to listen only on the internal interface. Another thing is that you need port 139 (tcp+udp ?), too.
My configuration is: UDP 135:139 and TCP 135:139 open for the internal network and samba=no in firewall.rc.config... When setting samba=yes there will be ONLY one extra rule, which looks like this:

    $IPCHAINS -A input -j "$ACCEPT" -p udp -d 0/0 137:138 $LAA

Why doesn't samba work without this rule????
* * Ralf Koch * mailto:info@formel4.de *
** Reply to message from Carlos Costa e Silva <carlos@keysoft.pt> on Tue, 17 Apr 2001 13:16:23 +0100

*** What are the other ports (135,136,139) used for?
*** In here I don't have any denied packets

port 135 is RPC (remote session services locater)
port 136 = (profiling services)
port 139 is netbios-SSN (a session manager for netbios)

I just took that info off a w2k box. You MUST allow those ports to be open on your internal network; I can't think of any good reason for them to be open on a firewall, esp. if you are using Masq functions or proxies. I know the windows stuff won't work w/o them, and samba is looking to support windows boxen, no?

j

afterthought ... > ... FILE NOT FOUND. Should I FAKE it? (Y/N)
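As an added example (not code from the thread, from SuSEfirewall or from any of the posters), the following POSIX shell script does two things the discussion above circles around: it emits the NetBIOS/SMB accept rules scoped to the internal interface and source network only (udp 137:138, tcp 139 and tcp 135, the ports listed in the replies), and it audits a list of ipchains rules for the world-open pattern Ralf objected to (a NetBIOS port accepted with no -i and no -s, as the FW_SERVICE_SAMBA=yes rule does). The interface eth1, the network 192.168.1.0/24 and the function names are assumptions; IPCHAINS defaults to "echo ipchains" so the script only prints what it would run.

```shell
#!/bin/sh
# Added example (not from the thread or from SuSEfirewall): build the
# NetBIOS/SMB accept rules so they apply only to the internal interface and
# source network, and audit an ipchains rule list for NetBIOS rules that are
# open to the world. IPCHAINS defaults to "echo ipchains" (dry run); set
# IPCHAINS=ipchains to apply the rules for real.
IPCHAINS=${IPCHAINS:-"echo ipchains"}

# netbios_rules IFACE NET
# Emit accept rules for udp 137:138 (NetBIOS name/datagram), tcp 139
# (NetBIOS session) and tcp 135 (RPC endpoint mapper), each restricted to
# one interface and one source network. The interface and network are the
# caller's values; eth1 / 192.168.1.0/24 in the usage below are made up.
netbios_rules() {
    iface=$1
    net=$2
    $IPCHAINS -A input -j ACCEPT -p udp -s "$net" -d 0/0 137:138 -i "$iface"
    $IPCHAINS -A input -j ACCEPT -p tcp -s "$net" -d 0/0 139 -i "$iface"
    $IPCHAINS -A input -j ACCEPT -p tcp -s "$net" -d 0/0 135 -i "$iface"
}

# audit_rules
# Read ipchains rule lines on stdin and print every ACCEPT rule for a port in
# 135-139 that has no -i (any interface) or no -s / -s 0/0 (any source),
# i.e. the shape of the rule FW_SERVICE_SAMBA=yes installs. Exit status is 1
# if at least one such rule was found, 0 otherwise.
audit_rules() {
    awk '
      BEGIN { bad = 0 }
      /-j *"?\$?ACCEPT"?/ && /[ :]13[5-9]([ :]|$)/ {
          if ($0 !~ /-i /) {
              print "no interface: " $0; bad = 1
          } else if ($0 !~ /-s / || $0 ~ /-s +0\/0/) {
              print "any source:   " $0; bad = 1
          }
      }
      END { exit bad }
    '
}

# Usage (dry run): print the scoped rules, audit them, then audit a
# constructed world-open rule of the kind the thread is about.
netbios_rules eth1 192.168.1.0/24
netbios_rules eth1 192.168.1.0/24 | audit_rules && echo "scoped rules: ok"
echo 'ipchains -A input -j ACCEPT -p udp -d 0/0 137:138' | audit_rules \
    || echo "world-open NetBIOS rule found"
```

The audit is deliberately conservative: a rule with an interface but a 0/0 source is still reported, because on a host that also masquerades or proxies, an accept from any source on an internal interface is wider than the "internal network only" intent Carlos and Ralf are after.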