SuSEfirewall2 blocks SMB traffic
Hi! I do have some problems configuring SuSEfirewall2 for Samba client+server use. My machine is connected to a router and so is the other machine. Does somebody see what I am doing wrong?

FW_QUICKMODE="no"
FW_DEV_EXT="eth-id-00:0d:87:39:28:9c"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="1214 4662 6882 microsoft-ds netbios-dgm netbios-ns netbios-ssn ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="139 445"
FW_SERVICES_INT_UDP="137 138"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_RPC=""
FW_ANTISPOOF="no"
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
FW_LOG=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_LOG_LIMIT=""
Hey,
If the packets are coming in on the external interface you must allow the ports with FW-SERVICES_EXT and not _INT
best regards
luk

-----Original Message-----
From: tmp@nitwit.de [mailto:tmp@nitwit.de]
Sent: Saturday, 27 November 2004 17:51
To: suse-security@suse.com
Subject: [suse-security] SuSEfirewall2 blocks SMB traffic
On Saturday 27 November 2004 18:38, dadirtyluk wrote:
Hey,
If the packets are coming in on the external interface you must allow the ports with
FW-SERVICES_EXT and not _INT
YaST does set it on the internal interface. But I already tried to open the TCP and UDP ports on the external interface. No luck...
hey,
did you set fw_services_ext in /etc/sysconfig/SuSEfirewall2? or have you just 'tried' to set it somehow with yast and it didn't work out?
you need to give some more information about your setup... many things can be going wrong...
ip addresses
hardware setup (routers, hubs/switches, etc)
what is working and what is not
best regards
luk
On Saturday 27 November 2004 19:36, dadirtyluk wrote:
did you set fw_services_ext in /etc/sysconfig/SuSEfirewall2? or have you just 'tried' to set it somehow with yast and it didn't work out?
YaST (9.2). I didn't "try" it "somehow" but I entered 137 and 138 for external UDP ports and 139 and 445 for external TCP ports... :-)
you need to give some more information about your setup...many things can be going wrong...
ip addresses
Well, ok:
192.168.0.255 router
192.168.0.2 my machine
192.168.0.DHCP windows machine
hardware setup (routers, hubs/switches, etc)
Netgear wireless router to which both PCs are connected.
what is working and what is not
Everything's working fine except SMB. SMB isn't working at all if the FW is enabled. AFAIK one port (139?) is only for directory listings or similar, but I think the problem is something other than a closed port...
hey,
i'm having problems discovering a deeper sense in this setup... why do you set up a firewall that is not between the inet and your only internal computer? i would consider putting 2 NICs in the firewall machine and make it the only computer connected to your router.
if both computers are connected to the router, only the machine where the firewall is running is protected from the internet. the other one has a connection to the router and the inet without a firewall.
or am i completely misunderstanding your setup?
Everything's working fine except SMB. SMB isn't working at all if the FW is enabled. AFAIK one port (139?) is only for directory listings or similar, but I think the problem is something other than a closed port...
you have services on your firewall machine that you access from the other machine or what?
you can ping the firewall computer from the other one?
best regards
luk
On Saturday 27 November 2004 20:20, dadirtyluk wrote:
i would consider putting 2 NICs in the firewall machine and make it the only computer connected to your router.
Because I do share the net with a Windows machine :-) Yes, it doesn't really make sense. But this is not about sense but why it doesn't work.
if both computers are connected to the router, only the machine where the firewall is running is protected from the internet. the other one has a connection to the router and the inet without a firewall.
or am i completely misunderstanding your setup?
Nope. Absolutely correct. Well, the Windows machine does have the Windows SP2 Firewall installed anyway.
Everything's working fine except SMB. SMB isn't working at all if the FW is enabled. AFAIK one port (139?) is only for directory listings or similar, but I think the problem is something other than a closed port...
you have services on your firewall machine that you access from the other machine or what?
No. I do have services that I access from the internet. For the LAN SMB is sufficient.
you can ping the firewall computer from the other one?
Sure. And if I shut down SuSEfirewall2 everything works. It must be some stupid FW config mistake I made...
does the firewall log dropped packets? hint: tail -f /var/log/messages
yast can display this too. i don't know how to solve it with yast, but ethereal, nmap, nmblookup, smbclient and iptables -nvL can be helpful tools for you.
ethereal shows you everything passing the network.
With nmap -p 139,145 <ip> and nmap -sU -p 137,138 <ip> you can determine which port is probably blocked.
smbclient -L <ip> shows shares
nmbclient -A <ip> shows netbios names
but 192.168.0.255 is a strange IP for a router. what's your netmask at linux, windows, router? Type ipconfig in the windows command prompt to see what settings the Windows box got from dhcp.
On Sunday 28 November 2004 01:04, Kai Hauser wrote:
does the firewall log dropped packets? hint: tail -f /var/log/messages
Not really, I found:
Nov 28 13:22:35 tcn nmbd[4389]: [2004/11/28 13:22:35, 0] nmbd/nmbd_namequery.c:query_name_response(101)
Nov 28 13:22:35 tcn nmbd[4389]: query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.2 for name HOME<1d>.
Nov 28 13:22:35 tcn nmbd[4389]: This response was from IP 192.168.0.3, reporting an IP address of 192.168.0.3.
Nov 28 13:22:42 tcn SuSEfirewall2: Warning: FW_ALLOW_INCOMING_HIGHPORTS_UDP=DNS no longer supported
Nov 28 13:22:42 tcn SuSEfirewall2: Firewall rules successfully set from /etc/sysconfig/SuSEfirewall2
but could not reproduce it. 192.168.0.3 is the Windows machine.
nmap -p 139,145 <ip> and
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-11-28 13:32 CET
Interesting ports on tcn.local (192.168.0.2):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
nmap -sU -p 137,138 <ip>
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-11-28 13:33 CET
Interesting ports on 192.168.0.3:
PORT    STATE SERVICE
137/udp open  netbios-ns
138/udp open  netbios-dgm
smbclient -L <ip> shows shares
Password:
Domain=[HOME] OS=[Unix] Server=[Samba 3.0.7-5.2-SUSE]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (tcn)
        ADMIN$          IPC       IPC Service (tcn)
Domain=[HOME] OS=[Unix] Server=[Samba 3.0.7-5.2-SUSE]

        Server               Comment
        ---------            -------
        TCN                  tcn

        Workgroup            Master
        ---------            -------
        HOME

For the Windows machine I get:
session request to 192.168.0.3 failed (Called name not present)
session request to 192 failed (Called name not present)
?
nmbclient -A <ip> shows netbios names
Hmm, seems I don't have nmbclient...
but 192.168.0.255 is a strange IP for a router.
You are right, it's 192.168.0.1 :-)
Type ipconfig in the windows command prompt to see what settings the Windows box got from dhcp.
192.168.0.3
tmp@nitwit.de wrote:
...
smbclient -L 192.168.0.3
For the Windows machine I get:
session request to 192.168.0.3 failed (Called name not present) session request to 192 failed (Called name not present)
nothing else? there should be your Windows shares, though. both lines are because there is no netbios name (192....), that's normal, smbclient tries
nmbclient -A <ip> shows netbios names
Hmm, seems I don't have nmbclient...
sure you don't, it's called nmblookup :-) my fault
so try nmblookup -A -<ip> and nmblookup <nbname>
so the ports are reachable with running firewall, but you only reach the Windows shares without firewall on linux, but windows can connect to samba shares anyhow?
On Sunday 28 November 2004 18:52, you wrote:
sure you don't, it's called nmblookup :-) my fault
so try nmblookup -A -<ip> and nmblookup <nbname>
-A works fine, nbname works only for the linux box, not for the Windows machine:
# nmblookup -A 192.168.0.2
Looking up status of 192.168.0.2
        TCN             <00> -         B <ACTIVE>
        TCN             <03> -         B <ACTIVE>
        TCN             <20> -         B <ACTIVE>
        HOME            <00> - <GROUP> B <ACTIVE>
        HOME            <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00
# nmblookup -A 192.168.0.3
Looking up status of 192.168.0.3
        AUDIOWERK       <00> -         M <ACTIVE>
        AUDIOWERK       <20> -         M <ACTIVE>
        HOME            <00> - <GROUP> M <ACTIVE>
        HOME            <1e> - <GROUP> M <ACTIVE>
        HOME            <1d> -         M <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>

        MAC Address = 00-0E-35-11-C0-B0
# nmblookup tcn
querying tcn on 192.168.0.255
192.168.0.2 tcn<00>
# nmblookup audiowerk
querying audiowerk on 192.168.0.255
name_query failed to find name audiowerk
so the ports are reachable with running firewall, but you only reach the Windows shares without firewall on linux, but windows can connect to samba shares anyhow?
No I cannot access my linux shares from the Windows machine either...
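Reading the posted config against luk's point (Samba ports in the INT lists while FW_DEV_INT is empty) and Kai's suggestion to watch /var/log/messages, the following script is an added example, written for this page and not code from the thread, SuSE or Samba. It parses a SuSEfirewall2 sysconfig fragment and reports the Samba-relevant findings: which of udp/137, udp/138, tcp/139, tcp/445 the EXT zone opens, whether INT rules are bound to no interface, whether broadcast NetBIOS name queries are dropped, and whether drop logging is on at all (with FW_LOG_DROP_CRIT and FW_LOG_DROP_ALL both "no", tail -f /var/log/messages cannot show dropped packets). It assumes SuSEfirewall2's documented semantics: service names in a FW_SERVICES_*_TCP list resolve to TCP ports via /etc/services, FW_SERVICES_INT_* applies only to the interface named in FW_DEV_INT, and FW_ALLOW_FW_BROADCAST takes "yes", "no" or a port list. The two config strings are constructed from the poster's values; the corrected variant is an assumption about what a working file would look like, not a configuration from the thread.

```python
"""Static Samba check for a SuSEfirewall2 sysconfig fragment (added example)."""
import re

# Constructed sample: the poster's relevant settings, not the whole file.
POSTED_CONFIG = '''
FW_DEV_EXT="eth-id-00:0d:87:39:28:9c"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="1214 4662 6882 microsoft-ds netbios-dgm netbios-ns netbios-ssn ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP="139 445"
FW_SERVICES_INT_UDP="137 138"
FW_ALLOW_FW_BROADCAST="no"
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
'''

# Constructed, assumed fix: Samba ports moved to the EXT zone with the right
# protocol, broadcast name queries permitted, critical drops logged.
CORRECTED_CONFIG = '''
FW_DEV_EXT="eth-id-00:0d:87:39:28:9c"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="1214 4662 6882 microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-ns netbios-dgm"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_FW_BROADCAST="netbios-ns"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
'''

# Subset of /etc/services names used in the thread (port numbers only; the
# protocol comes from the list the name sits in, as iptables resolves it).
SERVICE_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
                 "microsoft-ds": 445, "ssh": 22}
# What a Samba server needs from the zone its peers sit in.
SMB_REQUIRED = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def parse_sysconfig(text):
    """Parse KEY="value" / KEY=value lines into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([A-Za-z0-9_]+)=(?:"([^"]*)"|(\S*))$', line)
        if m:
            conf[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return conf


def zone_ports(conf, zone, proto):
    """Set of (proto, port) pairs opened by FW_SERVICES_<zone>_<PROTO>."""
    ports = set()
    for tok in conf.get(f"FW_SERVICES_{zone}_{proto.upper()}", "").split():
        if tok.isdigit():
            ports.add((proto, int(tok)))
        elif tok in SERVICE_PORTS:
            ports.add((proto, SERVICE_PORTS[tok]))
    return ports


def check_samba(conf):
    """Return a list of findings describing why SMB may fail through the EXT zone."""
    findings = []
    ext = zone_ports(conf, "EXT", "tcp") | zone_ports(conf, "EXT", "udp")
    missing = sorted(SMB_REQUIRED - ext)
    if missing:
        findings.append("EXT zone does not allow "
                        + ", ".join(f"{p}/{n}" for p, n in missing))
    # Same port number opened, but under the other protocol (netbios-ns in a TCP list).
    other = {"tcp": "udp", "udp": "tcp"}
    wrong_proto = sorted(n for p, n in missing if (other[p], n) in ext)
    if wrong_proto:
        findings.append("ports " + ", ".join(map(str, wrong_proto))
                        + " are opened under the other protocol only; "
                          "NetBIOS name/datagram service is UDP, session/CIFS is TCP")
    if (conf.get("FW_SERVICES_INT_TCP") or conf.get("FW_SERVICES_INT_UDP")) \
            and not conf.get("FW_DEV_INT"):
        findings.append("FW_SERVICES_INT_* is set but FW_DEV_INT is empty, "
                        "so those rules bind to no interface")
    if conf.get("FW_ALLOW_FW_BROADCAST", "no") == "no":
        findings.append("FW_ALLOW_FW_BROADCAST=no drops broadcast NetBIOS name "
                        "queries (udp/137 sent to the subnet broadcast address)")
    if conf.get("FW_LOG_DROP_CRIT", "no") == "no" \
            and conf.get("FW_LOG_DROP_ALL", "no") == "no":
        findings.append("drop logging is off, so /var/log/messages will not "
                        "show the dropped packets")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"[{label}]")
        for f in check_samba(parse_sysconfig(text)) or ["no findings"]:
            print("  -", f)
```

Run against the posted values it reports five findings; the first two match the symptoms in the thread: nmap saw tcp/139 and tcp/445 open through the firewall, the unicast nmblookup -A worked, but the broadcast query for audiowerk failed, which is consistent with udp/137 being missing from the EXT zone and broadcasts being dropped. The corrected variant produces no findings.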
participants (3)
- dadirtyluk
- Kai Hauser
- tmp@nitwit.de