Togan Muftuoglu wrote:

* Torsten Schaefer; on 13 Nov, 2002 wrote:

...

Hi,

I have a problem to get samba running under susefirewall2 (SUSE8.0). The TCP port 139 is enabled in the FW rules, but if I'm running the FW in testmode I get the errormessage below. See also my firewallconfig below. Hopefully anyone is able to help - I wasted a lot of time without success.

It would have been easier if you trim your lines at say 75 characters

...

Nov 13 23:04:40 server kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=eth0 OUT= MAC=00:e0:7d:a2:68:29:00:10:5a:f1:4f:e1:08:00 SRC=192.168.0.22 DST=192.168.0.19 LEN=116 TOS=0x00 PREC=0x00 TTL=128 ID=37420 DF PROTO=TCP SPT=1254 DPT=139 WINDOW=32408 RES=0x00 ACK PSH URGP=0

...

FW_MASQ_NETS="0/0"

You do not want to have this like that use as 192.168.0.0/24 ( whatever your LAN topology is)

...

FW_PROTECT_FROM_INTERNAL="no"

ange to yes

...

FW_AUTOPROTECT_SERVICES="no"

change yes

...

FW_SERVICES_EXT_TCP=" http https imap imaps pop3 pop3s rsync smtp ssh telnet"

Are you realy proving all these services to the world (which are served on your Firewall machine) or are you trying to use them from your LAN. If the latter remove all of them

...

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

change to no

...

FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

Change to DNS

...

FW_KERNEL_SECURITY="no"

change to yes once you get everything working

...

FW_ALLOW_FW_TRACEROUTE="yes"

If you want to have traceroutes coming to your firewall then ALLOW_HIGHCOMING_UDP else change here to no

I'd say that you need port 137 enabled as well if you want netbios name resolution to your win clients... Peace -- .-. e-SecureNet /v\ We Run SuSE Project Manager // \\ *The LINUX Experts* c/o Miguel Albuquerque /( )\ Av. Miremont 46 ^^-^^ 1202 - GE, SWITZERLAND Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348 mailto:mfoacs@e-securenet.ch http://www.e-securenet.ch "Was Sind und was Sollen die Zahlen?" Dedekind. ____________________________________________________________

Torsten Schaefer wrote:

sorry Miguel,

this makes no difference - still not working

look at this line in your config file and add port numbers or the service names you want to enable from ext_tcp connections (one can not be samba server and client from the same box, or you don't need the FW at all...). I had the same prob this line worked out. (You can check my FW rules in a previous posting few minutes ago - DHCP Timeout) FW_SERVICES_EXT_TCP="137:139 http pop3 smtp ssh" Should work -- .-. e-SecureNet /v\ We Run SuSE Project Manager // \\ *The LINUX Experts* c/o Miguel Albuquerque /( )\ Av. Miremont 46 ^^-^^ 1202 - GE, SWITZERLAND Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348 mailto:mfoacs@e-securenet.ch http://www.e-securenet.ch "Was Sind und was Sollen die Zahlen?" Dedekind. ____________________________________________________________

* Torsten Schaefer; on 14 Nov, 2002 wrote:

Miguel,

the samba should work to the internal network and not to the outside. The enable from int tcp 137:139 doesn,t work in this config. Maybe this is overuled by an other option or I have to switch on another things - but I could not found it.

Nov 13 23:04:40 server kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=eth0 OUT= MAC=00:e0:7d:a2:68:29:00:10:5a:f1:4f:e1:08:00 SRC=192.168.0.22 DST=192.168.0.19 LEN=116 TOS=0x00 PREC=0x00 TTL=128 ID=37420 DF PROTO=TCP SPT=1254 DPT=139 WINDOW=32408 RES=0x00 ACK PSH URGP=0 Now just to make sure that I do understand it This is the message you are getting when you want to reach your Windows' Shares Correct Now if this is the case SuSEirewall will make this type of Log if there is a problem with the Anti Spoofing/Cirumvention protection Meaning the traffic is involving a device/address which is not defined 1) Which SuSEfirewall2 version are you running grep -i ^ver /sbin/SuSEfirewall2 rpm -q SuSEfirewall2 ( If you have the rpm installed this is better as it would show the minor number as well) 2) What is your LAN setup 192.168.X.X/YY -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

* Torsten Schaefer; on 14 Nov, 2002 wrote:

Hi Togan,

thanks

...

Nov 13 23:04:40 server kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=eth0 OUT= MAC=00:e0:7d:a2:68:29:00:10:5a:f1:4f:e1:08:00 SRC=192.168.0.22 DST=192.168.0.19 LEN=116 TOS=0x00 PREC=0x00 TTL=128 ID=37420 DF PROTO=TCP SPT=1254 DPT=139 WINDOW=32408 RES=0x00 ACK PSH URGP=0

...

2) What is your LAN setup 192.168.X.X/YY 192.168.0.22 windows client

192.168.0.20 eth0 internal network card in router 192.168.0.19 eth1 = ppp0 to ADSL network card in router

Whay don't you place eth0 to a different subnet ie 192.168.1.0/24 As far as I see it this is a problematic NIC addressing unless you have them point to point -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

Hi, i think you should enable FW_ALLOW_FW_BROADCAST in your Firewallconfig and set FW_IGNORE_FW_BROADCAST to "no". In order you set ports 137:129 free this should work. Regards, Daniel Schulz -----Ursprüngliche Nachricht----- Von: Torsten Schaefer [mailto:operalight@t-online.de] Gesendet: Donnerstag, 14. November 2002 00:45 An: suse-security@suse.com Betreff: Re: [suse-security] Samba - Suse firewall Miguel, the samba should work to the internal network and not to the outside. The enable from int tcp 137:139 doesn,t work in this config. Maybe this is overuled by an other option or I have to switch on another things - but I could not found it. Torsten ----- Original Message ----- From: "Miguel Albuquerque" To: "Torsten Schaefer" Cc: <> Sent: Thursday, November 14, 2002 12:17 AM Subject: Re: [suse-security] Samba - Suse firewall

Torsten Schaefer wrote:

...

sorry Miguel,

this makes no difference - still not working

look at this line in your config file and add port numbers or the service names you want to enable from ext_tcp connections (one can not be samba server and client from the same box, or you don't need the FW at all...). I had the same prob this line worked out. (You can check

my

FW rules in a previous posting few minutes ago - DHCP Timeout)

FW_SERVICES_EXT_TCP="137:139 http pop3 smtp ssh"

Should work

-- .-. e-SecureNet /v\ We Run SuSE Project Manager // \\ *The LINUX Experts* c/o Miguel Albuquerque /( )\ Av. Miremont 46 ^^-^^ 1202 - GE, SWITZERLAND

Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348 mailto:mfoacs@e-securenet.ch http://www.e-securenet.ch

"Was Sind und was Sollen die Zahlen?" Dedekind. ____________________________________________________________

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Hi Kurt, i had the same problem as Thorsten, and in my case, the only thing I had to do, was to putt he Broadcast to yes. Every other option did not work for me, even if i typed in the correct smb name. As far as i know, the FW Broadcast is a Kernel 2.4 thing, and necessary for the correct work of samba. If i am wrong please correcgt me. Regards, Daniel Schulz -----Ursprüngliche Nachricht----- Von: Kurt Minder [mailto:kurtminder@bluewin.ch] Gesendet: Donnerstag, 14. November 2002 11:36 An: Suse-Security (E-Mail) Betreff: AW: [suse-security] Samba - Suse firewall

-----Ursprüngliche Nachricht----- Von: Daniel Schulz [mailto:bugtraq@i-smo.de] Gesendet: Donnerstag, 14. November 2002 08:26 An: 'Torsten Schaefer'; suse-security@suse.com Betreff: AW: [suse-security] Samba - Suse firewall

Hi,

i think you should enable FW_ALLOW_FW_BROADCAST in your Firewallconfig and set FW_IGNORE_FW_BROADCAST to "no". In order you set ports 137:129 free this should work.

Thats not nessecary when samba is running on the fw box. AFAIK this option is used when netbios should traverse sub-nets through the firewall. Maybe you can not browse the servers. But when you type in the a smb name of a server you can connect. I think Togan goes to the right direction. Why does the fw block a paket that is allowed in the roules? Cheers Kurt -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Sorry - further to my last mail I spotted a corruption of the page I linked to and have uploaded. Andy

...

...

...

...

...

>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 11/14/02, 10:59:14 AM, Andrew Bennett wrote regarding Re: [suse-security] Samba - Suse firewall:

Hi,

Sorry to but in guys bit I have a page which goes through the settings in SuSEfirewall V1 to send/receive mail, run DNS, etc, over the external port and offer services, including Samba, on the internal. I know V1 and V2 of SuSEfirewal are different but I think most of the settings you're talking about are the same. It's at http://www.itosn.com/security/server6.html

It may help.

Regards Andy

...

...

...

...

...

>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 11/13/02, 11:45:26 PM, operalight@t-online.de (Torsten Schaefer) wrote regarding Re: [suse-security] Samba - Suse firewall:

...

Miguel,

...

the samba should work to the internal network and not to the outside. The enable from int tcp 137:139 doesn,t work in this config. Maybe this is overuled by an other option or I have to switch on another things - but I could not found it.

...

Torsten ----- Original Message ----- From: "Miguel Albuquerque" To: "Torsten Schaefer" Cc: <> Sent: Thursday, November 14, 2002 12:17 AM Subject: Re: [suse-security] Samba - Suse firewall

...

...

Torsten Schaefer wrote:

...

sorry Miguel,

this makes no difference - still not working

look at this line in your config file and add port numbers or the service names you want to enable from ext_tcp connections (one can not be samba server and client from the same box, or you don't need the FW at all...). I had the same prob this line worked out. (You can check my FW rules in a previous posting few minutes ago - DHCP Timeout)

FW_SERVICES_EXT_TCP="137:139 http pop3 smtp ssh"

Should work

-- .-. e-SecureNet /v\ We Run SuSE Project Manager // \\ *The LINUX Experts* c/o Miguel Albuquerque /( )\ Av. Miremont 46 ^^-^^ 1202 - GE, SWITZERLAND

Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348 mailto:mfoacs@e-securenet.ch http://www.e-securenet.ch

"Was Sind und was Sollen die Zahlen?" Dedekind. ____________________________________________________________

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

...

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here